Subject: Re: [PATCH 0/9] KEYS: Blacklisting & UEFI database load
To: David Howells, keyrings@vger.kernel.org
Cc: matthew.garrett@nebula.com, linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org
From: Jiri Slaby
Message-ID: <6eabbb43-295e-9ba0-c0d9-120f48aa0e1d@suse.cz>
In-Reply-To: <147931984418.16460.6639993676886095760.stgit@warthog.procyon.org.uk>
Date: Tue, 6 Mar 2018 15:05:50 +0100
X-Mailing-List: linux-kernel@vger.kernel.org

On 11/16/2016, 07:10 PM, David Howells wrote:
> Here are two sets of patches. Firstly, the first three patches provide a
> blacklist, making the following changes:
...
> Secondly, the remaining patches allow the UEFI database to be used to load
> the system keyrings:
...
> Dave Howells (2):
>   efi: Add EFI signature data types
>   efi: Add an EFI signature blob parser
>
> David Howells (5):
>   KEYS: Add a system blacklist keyring
>   X.509: Allow X.509 certs to be blacklisted
>   PKCS#7: Handle blacklisted certificates
>   KEYS: Allow unrestricted boot-time addition of keys to secondary keyring
>   efi: Add SHIM and image security database GUID definitions
>
> Josh Boyer (2):
>   MODSIGN: Import certificates from UEFI Secure Boot
>   MODSIGN: Allow the "db" UEFI variable to be suppressed

Hi,

what's the status of this please? Distributors (I checked SUSE, RedHat and
Ubuntu) have to carry these patches and every one of them has to forward-port
the patches to new kernels. So are you going to resend the PR to have this
merged?

thanks,
-- 
js
suse labs