Subject: Re: [PATCH v6 0/4] Certificate insertion support for x86 bzImages
From: Mimi Zohar
To: James Morris, Mehmet Kayaalp
Cc: David Howells, David Woodhouse, Keyrings, Linux Integrity, Linux Security, Linux Kernel, Stefan Berger, George Wilson, Mike Rapoport, Mike Rapoport, Patrick Callaghan
Date: Thu, 03 May 2018 17:42:00 -0400
References: <20180502230811.2751-1-mkayaalp@linux.vnet.ibm.com>
Message-Id: <1525383720.3539.76.camel@linux.vnet.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 2018-05-04 at 03:11 +1000, James Morris wrote:
> On Wed, 2 May 2018, Mehmet Kayaalp wrote:
>
> > These patches add support for modifying the reserved space for extra
> > certificates in a compressed bzImage in x86. This allows separating the
> > system keyring certificate from the kernel build process. After the kernel
> > image is distributed, the insert-sys-cert script can be used to insert the
> > certificate for x86.
>
> Can you provide more explanation of how this is useful and who would use
> it?

I'm involved in a number of projects that rely on a kernel build group to
actually build kernels for their systems.  Reserving memory for additional
public keys allows product groups to insert public keys post build.
Initially the product groups might insert development keys, but eventually
they would insert the product's public key.

Mimi
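As an added illustration of the reserve-at-build, insert-after-distribution scheme the cover letter describes (example code written for this page, not the kernel's insert-sys-cert script), the following models a reserved certificate area with a hypothetical marker and a constructed header, and shows the bounds checks a post-build inserter needs so the image never grows or gets overrun.

```python
import struct

# Hypothetical layout, constructed for this example (not the kernel's):
# ... MARKER | capacity (u32) | used (u32) | reserved bytes ... | trailer
MARKER = b"EXTRA_CERT_RESERVED"
HDR = struct.Struct("<II")   # capacity, bytes used

def build_image(payload: bytes, reserve: int) -> bytes:
    """Build-time step: emit a constructed image with a zero-filled area."""
    return payload + MARKER + HDR.pack(reserve, 0) + b"\0" * reserve + b"TRAILER"

def der_length(buf: bytes) -> int:
    """Total encoded length of the DER SEQUENCE at the start of buf."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def _area(image: bytes):
    """Locate the reserved area: (header offset, data offset, capacity, used)."""
    off = image.find(MARKER)
    if off < 0:
        raise ValueError("reserved area marker not found")
    hdr_off = off + len(MARKER)
    capacity, used = HDR.unpack_from(image, hdr_off)
    return hdr_off, hdr_off + HDR.size, capacity, used

def insert_cert(image: bytes, cert: bytes) -> bytes:
    """Post-build step: append a DER certificate into the reserved area."""
    if der_length(cert) != len(cert):
        raise ValueError("certificate bytes do not match their DER header")
    hdr_off, data_off, capacity, used = _area(image)
    if used + len(cert) > capacity:          # never grow or overrun the image
        raise ValueError("reserved area too small for certificate")
    out = bytearray(image)
    out[data_off + used:data_off + used + len(cert)] = cert
    HDR.pack_into(out, hdr_off, capacity, used + len(cert))
    return bytes(out)

def read_certs(image: bytes) -> list:
    """What the consumer would see: walk the used part of the area."""
    _, data_off, _, used = _area(image)
    certs, pos = [], 0
    while pos < used:
        n = der_length(image[data_off + pos:data_off + used])
        certs.append(image[data_off + pos:data_off + pos + n])
        pos += n
    return certs
```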