Received: by 10.223.185.116 with SMTP id b49csp5294032wrg; Wed, 7 Mar 2018 09:20:47 -0800 (PST) X-Google-Smtp-Source: AG47ELsZAgA/7D53YklywynYW1Dudi+dX7+/Eud2R1/mcUIMyz4+ftMkyxpgh16eHGRO8QsaN4xQ X-Received: by 10.99.64.3 with SMTP id n3mr14646750pga.316.1520443247132; Wed, 07 Mar 2018 09:20:47 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520443247; cv=none; d=google.com; s=arc-20160816; b=c90T+BuZ07VyFVUFjYxUurKynPrE5Jawohg+kYrG3+cvsU3F7TPee9uIuY0URQEjXa veWfWpkBQN/6GhCD/IvRxv/dRo8l+DlLV0Idr8V/S8WBMw42PLiE/FU4KoTiscbwsL5+ X+oPQT+dvVeX3Q9xUnQTakPRF6A1wwCalxjz6DX7lh4gHLylgIVqFr/hHibDheWm5HMG kuOAWmgt+CX2HuXGCx6jn9CbjRB+eCnlLCx/wM8209+JPPwjn+czVGBDMqIuCzLkLo9U TeX2NiciGWUa4myHd4NnWkOnfogl25dDIemUEwPZ/op5iFVMjwlv1GcfYlDcbMDuJYPO Aq6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature:arc-authentication-results; bh=YCSb+arQlZ91WNKh0InuktnaVUX83507uJA9RmhxqqE=; b=g330OJM7yJsYqAEBC1UCwUYcGNPD5sXhQn/SYpTyxAIq09lg//Aua8SdefFU3XdImY PARO8XkTdfUdoyCwxhbXEgyXwJm3RnXJUk/5aWJDIS/xAOha9VnjWJXHuVz4VAU7MZCt iNJeeInEq+RZS0O9SNzmObElAdj1IoDNAvg8KE/liF+ONAVM0ZdQGc9XNfXbZe3JUgEP BS7y8uxhSL33HQC+VarMcutohn6W/ZwUOATvwHc1giV9MSV43uArOqEZmqVth+OaWLpZ Tzqc5QzVnLEqOCx2iHX/2ozmQVAMXNxOrNLrPgeTJYYwTGqR8KCX+Rv9MusJRZlh5zJE /E7A== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=RYGwVxsS; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 127si11684130pgd.561.2018.03.07.09.20.32; Wed, 07 Mar 2018 09:20:47 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=RYGwVxsS; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933876AbeCGP2m (ORCPT + 99 others); Wed, 7 Mar 2018 10:28:42 -0500 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:49418 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933335AbeCGP2j (ORCPT ); Wed, 7 Mar 2018 10:28:39 -0500 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id EDA5B8EE180; Wed, 7 Mar 2018 07:28:38 -0800 (PST) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3DIYWl_FoKLu; Wed, 7 Mar 2018 07:28:38 -0800 (PST) Received: from [153.66.254.194] (unknown [50.35.65.221]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 464148EE0D3; Wed, 7 Mar 2018 07:28:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1520436518; bh=YCSb+arQlZ91WNKh0InuktnaVUX83507uJA9RmhxqqE=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=RYGwVxsSKtCT4Avd0kKPOAzhUofl9K9yN+OnXfF3W5XHZS8Evz8AbX5LVBIeh7Phb j8j+oZguh0ijT4oZje2lSRVyOW/KLAByoSHz9CzISdWzobl+njUGCo0rT5eZOzmyqy n+8ETtl2nGjtplZWmYqVFyE0Q5nHifKwGws0ZsO4= Message-ID: <1520436517.5558.2.camel@HansenPartnership.com> Subject: Re: [PATCH 0/9] KEYS: Blacklisting & UEFI database load From: James Bottomley To: Mimi Zohar , Jiri Slaby , David Howells , keyrings@vger.kernel.org Cc: matthew.garrett@nebula.com, linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org Date: Wed, 07 Mar 2018 07:28:37 -0800 In-Reply-To: <1520428682.10396.445.camel@linux.vnet.ibm.com> References: <147931984418.16460.6639993676886095760.stgit@warthog.procyon.org.uk> <6eabbb43-295e-9ba0-c0d9-120f48aa0e1d@suse.cz> <1520428682.10396.445.camel@linux.vnet.ibm.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2018-03-07 at 08:18 -0500, Mimi Zohar wrote: > On Tue, 2018-03-06 at 15:05 +0100, Jiri Slaby wrote: > > what's the status of this please? Distributors (I checked SUSE, > > RedHat and Ubuntu) have to carry these patches and every of them > > have to forward-port the patches to new kernels. So are you going > > to resend the PR to have this merged? [...] > Just because I trust the platform keys prior to booting the kernel, > doesn't mean that I *want* to trust those keys once booted.  There > are, however, places where we need access to those keys to verify a > signature (eg. kexec kernel image). Which is essentially the reason I always give when these patches come back > Nayna Jain's "certs: define a trusted platform keyring" patch set > introduces a new, separate keyring for these platform keys. Perhaps, to break the deadlock, we should ask Jiří what the reason is the distros want these keys to be trusted.  Apart from the Microsoft key, it will also give you an OEM key in your trusted keyring.  Is it something to do with OEM supplied modules? James