Received: by 2002:a05:7412:e794:b0:fa:551:50a7 with SMTP id o20csp32875rdd; Mon, 8 Jan 2024 16:30:40 -0800 (PST) X-Google-Smtp-Source: AGHT+IGV/QDkjZ+ayjtQEB7Ect4tv9xPDrtP1wBigfOvTFA/YXY6jhBmlELkguL0VHJa65ZWUqHe X-Received: by 2002:aa7:8182:0:b0:6d9:9613:cb9e with SMTP id g2-20020aa78182000000b006d99613cb9emr4639503pfi.29.1704760240607; Mon, 08 Jan 2024 16:30:40 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1704760240; cv=none; d=google.com; s=arc-20160816; b=anNKuswzOJoneXqomxx8x1CEMhFE+MOUxJYS/U/XG6czCSYtLwK1sE/vyF/gaiJ4Dj z6WcFI29ggW3DZNbZ/e9/nVzsRSt8O0dgPjuUs++5EmtrmeRt09r56J7tYGjiCP9mbRy SF9MSDzzSbR0qVGkjMe66npJNohEzp+vuG7lnQlNsOxt56j3pbpMqrgZjTZO5Br2jlqg 371HxIlrUgpJq7Rlg9AYQz/KTLM13cn5TkT/Ud2+ixJyr3iFwqMp/cTtz7kXgfjq1fU2 npoZ1pxVTCj9FVntwDQZaiEmYdzicw2OOzGhH4hE9e2rBIEDZiJRdiqTx6abU4UU3585 ABrQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=w5k+ZXtVfG6u9Bw3T1Sa5a4COKTCSddmRJFEwTBvDNI=; fh=GEl5sVkwidyofUKh9F0bsVmBMYPwjOSVCi6OUU1CxK8=; b=JrcTCnql/b4yUyHt5D6f/LgqjdS0z1ae5nbnntce88vu3kVa6HEcp3E+09kLBxcjny fWZmkNPM1K+VgOoH9cgcm1bsP05AX9LTkeGvA7Izeu3Oju5euHMPPryiWZJMjoCD2wjv 9EYHf6YcFOpxn1ug1yhTX6EUyGCMV/Pq1kdyCC4XC0KLcIqrvv3jHZR6n4xvstMCQCLG GclVHUXs1obVHbpGXorWVXet144Pt6jyQgOftW5P/CkAIqQ0uc+t8ud9GKQ4OIfY+Tyk fwd/QiKTe783WD/Tm3uVXcHCbeSMfSq4BPw16HAGLlmnPEoynuV2Xhdp420EE4KCk2ca EadA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=gCeq9nn2; spf=pass (google.com: domain of linux-kernel+bounces-20216-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-20216-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id e11-20020a63d94b000000b005ce16d1f0d1si571888pgj.459.2024.01.08.16.30.40 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 16:30:40 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-20216-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=gCeq9nn2; spf=pass (google.com: domain of linux-kernel+bounces-20216-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-20216-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 48EE428309F for ; Tue, 9 Jan 2024 00:30:40 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 2E97823B1; Tue, 9 Jan 2024 00:30:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="gCeq9nn2" Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E4AEF15A4 for ; Tue, 9 Jan 2024 00:30:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1704760208; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=w5k+ZXtVfG6u9Bw3T1Sa5a4COKTCSddmRJFEwTBvDNI=; b=gCeq9nn2aypv0+VE1dkvzIjoyW+kVcGqmRmafiJ1fKWyuuiH4SQkWNR1x8zVErR8IL36TG +7enhepNDCYWH1vkhTWpmsPhfyEko07b0xdben0UPazp/nZvipsMJ2R+RSnM7XpdiUUd/f 9p3izZsqddWeHQ54MEqgqj0fqUZdiAk= Received: from mail-pl1-f199.google.com (mail-pl1-f199.google.com [209.85.214.199]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-672-TZo_lc2OMdyQEgTl41qMjA-1; Mon, 08 Jan 2024 19:30:07 -0500 X-MC-Unique: TZo_lc2OMdyQEgTl41qMjA-1 Received: by mail-pl1-f199.google.com with SMTP id d9443c01a7336-1d44c745bfcso26029175ad.2 for ; Mon, 08 Jan 2024 16:30:07 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704760206; x=1705365006; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=w5k+ZXtVfG6u9Bw3T1Sa5a4COKTCSddmRJFEwTBvDNI=; b=jXMzxcRsMrIGGzXtkhpGQNj1SRAKaM5WB+hIw5vWeSb0ARmL/ADnNdJnnpKsAhdtgT wsy3+ntVESN4ErV0rpCgrm7nFexBvB+NjopKIW5s6pxLAVJo0ZA4KcBdI5ovaAwKOwWx bJUCwOdiBpJNssHi3Wc6j9AtsnaLr04fz2R0xQAAw59usjuBgCOk6HjVj2XZAii47N3M VZNvGvoJaQtyTIuqUttB0YguSnTZDn4YflPQYPz8fgWBPmlz6bHfFXmTvaoKClYA9gCu akjBo9kPFBMIQHmSe0Y64ycxpmReIre1mAYJO+zP9NezoRm1RHpiyTC9bLAZKD+9z7bX EXuA== X-Gm-Message-State: AOJu0Yyz8pNM0EOI6wEmZ55Dx6tHWcbn2G6I2bM2CyTo9aiEZOjwfXUt PXEfx2Am/MEXY6DPpP251EuX4Goz+dj5ldONQpHQ84uijnrOTWOs8YIfkmpUs7p6zZWn0A/4Zu+ mPUrv2gihBUZ1eogunRmfJPsvfqMi7QSb X-Received: by 2002:a17:903:2344:b0:1d5:4c37:714f with SMTP id c4-20020a170903234400b001d54c37714fmr1278400plh.22.1704760206412; Mon, 08 Jan 2024 16:30:06 -0800 (PST) X-Received: by 2002:a17:903:2344:b0:1d5:4c37:714f with SMTP id c4-20020a170903234400b001d54c37714fmr1278384plh.22.1704760206123; Mon, 08 Jan 2024 16:30:06 -0800 (PST) Received: from localhost ([43.228.180.230]) by smtp.gmail.com with ESMTPSA id jf18-20020a170903269200b001d4abb685c7sm477815plb.22.2024.01.08.16.30.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Jan 2024 16:30:05 -0800 (PST) Date: Tue, 9 Jan 2024 08:27:06 +0800 From: Coiby Xu To: Jarkko Sakkinen Cc: linux-integrity@vger.kernel.org, itrymybest80@protonmail.com, Mimi Zohar , Dmitry Kasatkin , Paul Moore , James Morris , "Serge E. Hallyn" , "open list:SECURITY SUBSYSTEM" , open list Subject: Re: Re: [PATCH] integrity: don't throw an error immediately when failed to add a cert to the .machine keyring Message-ID: References: <20231227044156.166009-1-coxu@redhat.com> <43dozoqfip7m6nglbwzwyzykx23fpzbp7d42pcqzudnzlfvfkb@yjvuo5a6suvv> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: On Fri, Jan 05, 2024 at 06:02:38PM +0200, Jarkko Sakkinen wrote: >On Fri Jan 5, 2024 at 3:20 PM EET, Coiby Xu wrote: >> On Wed, Jan 03, 2024 at 04:09:29PM +0200, Jarkko Sakkinen wrote: >> >On Wed Dec 27, 2023 at 6:41 AM EET, Coiby Xu wrote: >> >> Currently when the kernel fails to add a cert to the .machine keyring, >> >> it will throw an error immediately in the function integrity_add_key. >> >> >> >> Since the kernel will try adding to the .platform keyring next or throw >> >> an error (in the caller of integrity_add_key i.e. add_to_machine_keyring), >> >> so there is no need to throw an error immediately in integrity_add_key. >> >> >> >> Reported-by: itrymybest80@protonmail.com >> > >> >Missing "Firstname Lastname". >> >> Thanks for raising this concern! I've asked the reporter if he/she can >> share his/her name. > >Also, it is lacking fixes tag. Thanks for catching this issue! I've included the Fixes tag in v2. > >Fixes tag is mandatory, name part would be super nice to have :-) Since >this categories as a bug fix, getting them in is 1st priority and that >thus does not absolutely block applying the change. Thanks for going >trouble trying to query it, however. Thanks for the explanation! As I still get no reply from the reporter, so I guess we have to accept the name part for now. > >BR, Jarkko > -- Best regards, Coiby