Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp789575pxb; Wed, 25 Aug 2021 15:28:31 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwhG8TEnb3OjXzABJ7bZQ5Yv76WHBIOdL6bgl0lEay8hNZfXWySmKTN+zjf1g8KiQX+4kNg X-Received: by 2002:a17:906:184e:: with SMTP id w14mr906798eje.526.1629930511114; Wed, 25 Aug 2021 15:28:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629930511; cv=none; d=google.com; s=arc-20160816; b=fxkXfoqqE0mDj4l8/7ZlT8E0kBbCsJaYyHluXWITr+uHs9PG2jYAooVGXFpyLsFFzP gRjslRUVdA26GJtmjAz+Z6tNQ/8l4MhT32KTh/fa0x7sKqGd9U4FfFT3CXyXjkjJ0tui AF/KlC5vC+xe+UlSzlcF6Monxw5qkNiDJ9pK2I0Ph5CHF1x/g56dxhS03aviHIjatsv/ ZP9FPO6M90JyMqFDARpdk3pfyttdo3LW+6AsCBPMth3Kn3KqWRh6rKeJGaRYq9tOcYt4 2H4QzZBopkNMgjzpekQ3+B/AWW/4IKm+Vx6pauemAfwpLGXhCpgHfkL6lX4ANm1q0qee J2RQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id:dkim-signature:dkim-signature; bh=8NnCvZeMpmZGXvcutOhCMI1rIEtUcgF5kT5Dh2K/5DQ=; b=Awu1oN9AXlGPqMJNE5hE7qi14+i36FO/ZbvJbWqLmzD1yZJdkun8uWsNHFmpsyZ3Ph y8UQAH1BHNF+TvB5ZEqv3Z3kcjoWttYjSSwVsEDGXR7sVF66a6nRS/M1k96PBYOrSgcx 2jRP8Iz0oohzgpCkH0zjtKgvvnABlSw8YwwGe1QW/w2palZ+LJGn9wHXl5lRPAFDxjwI WIBfmjs4IL/5xgYDUxdf0+SXkG/0kEGmSVlGfn6yYdmqwDOSmf79vOdurwGV+1jZTJDe xcyWJxtlih4oCUio7A3eRsSciWW50fk7MIlhLwe6CsmVWTEQhRCC215bF+ShXHWw26bm G14g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=K1i57Tmk; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=K1i57Tmk; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z22si1199226edb.551.2021.08.25.15.28.07; Wed, 25 Aug 2021 15:28:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=K1i57Tmk; dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=K1i57Tmk; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232030AbhHYW2H (ORCPT + 99 others); Wed, 25 Aug 2021 18:28:07 -0400 Received: from bedivere.hansenpartnership.com ([96.44.175.130]:33404 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231860AbhHYW2H (ORCPT ); Wed, 25 Aug 2021 18:28:07 -0400 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id B4ADB128068E; Wed, 25 Aug 2021 15:27:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hansenpartnership.com; s=20151216; t=1629930440; bh=oQYEQOogMz5Gfo91atBBq4LHIkEOCquaBh2axi4crBw=; h=Message-ID:Subject:From:To:Date:In-Reply-To:References:From; b=K1i57TmkoGJRAi6MVpAWAAJXtz1y4xeEBhZkD3QJPv+Z0SOW9YUJ3RxDvKjmSTLhH M1DCAO8uV86YCgUtblcoBNW4O1oVzfiI4CsabxTSyRqmuC+pSNHnOyVojMVla8s/0/ WQZAOf8q7Uk0RsESHO8ZWblwLLN4Zh+Ygj/si3VM= Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pF26J98Wob8H; Wed, 25 Aug 2021 15:27:20 -0700 (PDT) Received: from jarvis.int.hansenpartnership.com (unknown [IPv6:2601:600:8280:66d1::527]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 58704128068C; Wed, 25 Aug 2021 15:27:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hansenpartnership.com; s=20151216; t=1629930440; bh=oQYEQOogMz5Gfo91atBBq4LHIkEOCquaBh2axi4crBw=; h=Message-ID:Subject:From:To:Date:In-Reply-To:References:From; b=K1i57TmkoGJRAi6MVpAWAAJXtz1y4xeEBhZkD3QJPv+Z0SOW9YUJ3RxDvKjmSTLhH M1DCAO8uV86YCgUtblcoBNW4O1oVzfiI4CsabxTSyRqmuC+pSNHnOyVojMVla8s/0/ WQZAOf8q7Uk0RsESHO8ZWblwLLN4Zh+Ygj/si3VM= Message-ID: Subject: Re: [PATCH v4 00/12] Enroll kernel keys thru MOK From: James Bottomley To: Jarkko Sakkinen , Mimi Zohar , Nayna , Eric Snowberg , David Howells Cc: keyrings@vger.kernel.org, linux-integrity , David Woodhouse , Herbert Xu , "David S . Miller" , James Morris , "Serge E . Hallyn" , keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, Lakshmi Ramasubramanian , lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, pjones@redhat.com, "konrad.wilk@oracle.com" , Patrick Uiterwijk Date: Wed, 25 Aug 2021 15:27:18 -0700 In-Reply-To: <9067ff7142d097698b827f3c1630a751898a76bf.camel@kernel.org> References: <20210819002109.534600-1-eric.snowberg@oracle.com> <91B1FE51-C6FC-4ADF-B05A-B1E59E20132E@oracle.com> <9526a4e0be9579a9e52064dd590a78c6496ee025.camel@linux.ibm.com> <9067ff7142d097698b827f3c1630a751898a76bf.camel@kernel.org> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.34.4 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Thu, 2021-08-26 at 01:21 +0300, Jarkko Sakkinen wrote: > On Tue, 2021-08-24 at 10:34 -0400, Mimi Zohar wrote: > > > > > Jarkko, I think the emphasis should not be on "machine" from > > > > > Machine Owner Key (MOK), but on "owner". Whereas Nayna is > > > > > focusing more on the "_ca" aspect of the name. Perhaps > > > > > consider naming it "system_owner_ca" or something along those > > > > > lines. > > > > What do you gain such overly long identifier? Makes no sense. > > > > What is "ca aspect of the name" anyway? > > > > > > As I mentioned previously, the main usage of this new keyring is > > > that it should contain only CA keys which can be later used to > > > vouch for user keys loaded onto secondary or IMA keyring at > > > runtime. Having ca in the name like .xxxx_ca, would make the > > > keyring name self-describing. Since you preferred .system, we can > > > call it .system_ca. > > > > Sounds good to me. Jarkko? > > > > thanks, > > > > Mimi > > I just wonder what you exactly gain with "_ca"? Remember, a CA cert is a self signed cert with the CA:TRUE basic constraint. Pretty much no secure boot key satisfies this (secure boot chose deliberately NOT to use CA certificates, so they're all some type of intermediate or leaf), so the design seems to be only to pick out the CA certificates you put in the MOK keyring. Adding the _ca suffix may deflect some of the "why aren't all my MOK certificates in the keyring" emails ... James