Date: Tue, 12 Sep 2023 09:51:34 +0200
From: Michal Suchánek
To: Jarkko Sakkinen
Cc: linux-integrity@vger.kernel.org, Mimi Zohar, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, joeyli
Subject: Re: [PATCH] integrity: powerpc: Do not select CA_MACHINE_KEYRING
Message-ID: <20230912075134.GM8826@kitsune.suse.cz>
References: <20230907165224.32256-1-msuchanek@suse.de>

On Tue, Sep 12, 2023 at 12:45:35AM +0300, Jarkko Sakkinen wrote:
> On Thu Sep 7, 2023 at 7:52 PM EEST, Michal Suchanek wrote:
> > No other platform needs CA_MACHINE_KEYRING, either.
> >
> > This is policy that should be decided by the administrator, not Kconfig
>
> s/administrator/distributor/ ?

It depends on the situation. Ideally the administrator would pick the
distributor that provides a policy that is considered fitting for the
purpose or roll their own. Unfortunately, they don't always have the
choice. For the kernel's part it should support a wide range of policies
for different use cases, and not force the hand of the administrator or
distributor.

>
> > dependencies.
> >
> > cc: joeyli
> > Signed-off-by: Michal Suchanek
> > ---
> >  security/integrity/Kconfig | 2 --
> >  1 file changed, 2 deletions(-)
> > > > diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig > > index 232191ee09e3..b6e074ac0227 100644 > > --- a/security/integrity/Kconfig > > +++ b/security/integrity/Kconfig > > @@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING > > depends on INTEGRITY_ASYMMETRIC_KEYS > > depends on SYSTEM_BLACKLIST_KEYRING > > depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS > > - select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS > > - select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS > > help > > If set, provide a keyring to which Machine Owner Keys (MOK) may > > be added. This keyring shall contain just MOK keys. Unlike keys > > -- > > 2.41.0
>
> I'd suggest to add even fixes tag.

Here it is

Fixes: d7d91c4743c4 ("integrity: PowerVM machine keyring enablement")

Thanks

Michal
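
Review bot: The commit message does not state what a LOAD_PPC_KEYS build ends up with once the two "select INTEGRITY_CA_MACHINE_KEYRING... if LOAD_PPC_KEYS" lines under config INTEGRITY_MACHINE_KEYRING are gone. With the selects removed, INTEGRITY_CA_MACHINE_KEYRING and INTEGRITY_CA_MACHINE_KEYRING_MAX are no longer forced on for PowerPC, so an existing config that relied on them being selected may silently lose both on the next oldconfig run. Please add a sentence to the changelog saying that the options remain available and must now be enabled explicitly by whoever wants the previous behaviour, and carry the Fixes: d7d91c4743c4 tag in the patch itself so the change is tied to the commit that introduced the selects.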