Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754764AbcKUPRQ (ORCPT ); Mon, 21 Nov 2016 10:17:16 -0500 Received: from mx1.redhat.com ([209.132.183.28]:57498 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753227AbcKUPRN (ORCPT ); Mon, 21 Nov 2016 10:17:13 -0500 Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: <1479737095.2487.34.camel@linux.vnet.ibm.com> References: <1479737095.2487.34.camel@linux.vnet.ibm.com> <20161117064100.hmjmfw42ytm526yh@p310> <147931984418.16460.6639993676886095760.stgit@warthog.procyon.org.uk> <147931987366.16460.12891767069975068260.stgit@warthog.procyon.org.uk> <26349.1479376560@warthog.procyon.org.uk> To: Mimi Zohar Cc: dhowells@redhat.com, Petko Manolov , keyrings@vger.kernel.org, matthew.garrett@nebula.com, linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-ima-devel Subject: Re: [PATCH 4/9] KEYS: Allow unrestricted boot-time addition of keys to secondary keyring MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <18863.1479741430.1@warthog.procyon.org.uk> Date: Mon, 21 Nov 2016 15:17:10 +0000 Message-ID: <18864.1479741430@warthog.procyon.org.uk> X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Mon, 21 Nov 2016 15:17:13 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 791 Lines: 19 Mimi Zohar wrote: > > > > This allows keys in the UEFI database to be added in secure boot mode > > > > for the purposes of module signing. > > > > > > The key import should not be automatic, it should be optional. > > > > You can argue this either way. There's a config option to allow you to > > turn this on or off. Arguably, this should be split in two: one for the > > whitelist (db, MokListRT) and one for the blacklist (dbx). > > By "config", you're not referring to a Kconfig option, but a UEFI db > option, making it hidden/unknown to someone building a kernel. If you > really want to add this support, make it clear and easily seen by > defining a "restrict_link_by_builtin_or_uefi" function. No: by "config" I *am* referring to Kconfig. David