Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp622666rwb; Wed, 9 Nov 2022 06:52:46 -0800 (PST) X-Google-Smtp-Source: AMsMyM7Vk0iPiNqrgQOncWuYQ6nxQEjobRvPwWm8vfFSAYUd99JnXyLDPSgMsHVioagn/bhBp8oK X-Received: by 2002:a17:902:aa8b:b0:178:8f1d:6936 with SMTP id d11-20020a170902aa8b00b001788f1d6936mr61201749plr.168.1668005566192; Wed, 09 Nov 2022 06:52:46 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1668005566; cv=pass; d=google.com; s=arc-20160816; b=humuxrMo1ec0pB/X56S4v3eOlmCGEJ+Qz2BCE7YqZ+nq07u6cqOzyGZPb2fulpzzF1 RErNX0ilEEOZ5gvBjvgISdebqupUu3jy5f9Tku63N4D03bOpcqkPZrFCuRp18+98DJCg l7sv+gJHR128nyuxbuCxwmdWu7oCfvhcYjKnXGjGSg9Y5oKIoP6JqRqtvj/NR4TKnkHk iVVGcGzbCmThIaXj6Z36wosuUwcYE/x0pXSxEoquZJT8m7tg2QNMY+JycsRRZVQMDshV 2jmDtV+fwi+olDqQmZm6itapBcRK5WsR6XbqDMxoJDK/t05z7+Ekg0OcMB2N3Cfv+OU4 hamA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:content-transfer-encoding :content-id:content-language:accept-language:in-reply-to:references :message-id:date:thread-index:thread-topic:subject:cc:to:from :dkim-signature:dkim-signature; bh=ayokGMLphMXnEwDGhQNM+ugF7/upOLMZV8v6ltKu1yk=; b=u5tO8+Bu7vNjrQKfEHIZEooaZaUXimI5uUavHgUTFY+bRSL3jY6lNLWiWIGuc56+CW C2moE+JFYv+YhocDJ2P29S2fazidXPTmsUzTm60iMOCmLPT2JpDHvnKRb4dIM3+H2rLV Y9/idj+yfz53uqnqkTvXlSSUrcdzvd+osuErVFHV50BFX8s7unwoz1k6WtE0VzP0REpC InfsHJNEE/Cq9xLK8h/gB4scOXhDdtDwjc6ISjcnMs5ER8Lb08QDVFDmokylxF9tl/6Z MqsIgzYdFXvyBbp5JqncYj+EUzN22RO45otDVH8cTXtIsGhrtIlsgDBiYhBzx+1ykz1o m52g== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b="Bq8eRlj/"; dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=oHi7c2nk; arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass dkdomain=oracle.com dmarc=pass fromdomain=oracle.com); spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id w12-20020a17090a8a0c00b00205daac38absi1446012pjn.59.2022.11.09.06.52.25; Wed, 09 Nov 2022 06:52:46 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b="Bq8eRlj/"; dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=oHi7c2nk; arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass dkdomain=oracle.com dmarc=pass fromdomain=oracle.com); spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231535AbiKIOcY (ORCPT + 99 others); Wed, 9 Nov 2022 09:32:24 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45618 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231449AbiKIOcV (ORCPT ); Wed, 9 Nov 2022 09:32:21 -0500 Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com [205.220.165.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 20EB110D2; Wed, 9 Nov 2022 06:32:20 -0800 (PST) Received: from pps.filterd (m0246617.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 2A9ETdYR004307; Wed, 9 Nov 2022 14:30:51 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=corp-2022-7-12; bh=ayokGMLphMXnEwDGhQNM+ugF7/upOLMZV8v6ltKu1yk=; b=Bq8eRlj/LhqRd5b9jmf6KuW2Xpce5F6P91tvvNoGbecP+u6uoN0THI8YpCBiKOKwRLZC 3WENovmts0cmLni555JNuR8CtiE2ba+lR2p0MCvfTpz8HUyIhHAheVKqmZsSzFdjNHpQ hQmS9KdtAbeQmkxLwM3oKzzK4SjbPdybjfpsSavFmkxyQYCr/krsATDoI0H8xU+BcDHW K1rki1ZwCADe0qqxac6ar1Dw0TOaYndARPoq3JISq6tWaZ1leC8dDaIzlZJ6Cn5fp+/R 6wHuYLP6yPAhusQGuUIxnzgLg2VstyVGpkHiOYw0+6kXghZ7m0IouEdaYpE2Isl+lwHw oQ== Received: from iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta03.appoci.oracle.com [130.35.103.27]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3krddar578-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 09 Nov 2022 14:30:50 +0000 Received: from pps.filterd (iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 2A9CZ97w040275; Wed, 9 Nov 2022 14:25:11 GMT Received: from nam10-mw2-obe.outbound.protection.outlook.com (mail-mw2nam10lp2100.outbound.protection.outlook.com [104.47.55.100]) by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTPS id 3kpcqhhrjw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 09 Nov 2022 14:25:11 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=i6lnblsJQ8sb0AP7z4hQ1ReFX+3wu8ViiG2s0SpGmfVAubgTo71KgQrZOXs2N4Z6660H+jbR7irkCHrNpQ7IVJzZFlxJTEUCJkGeG17VAzysZbHzOIGM7UjL37eFGl5BnbkstK2GPAYrho8fYoup9ttRSdNBZZ9wassW7pSvChe8AlTPeiijBl7h6WsCKKLm0522SD+BpgCZtZQ+SYgAU9THaFO9WMPIVDeBnsSzwSLzs7KgT8OB8G0tu+m+na1lqdFLRhqxuZ9YHusy4ylA5iN/c+qMdSdO+TcCmhE4aS1FVe16U8xaw+V7q7gD94gYbLMrHMiGErLHTz5I1EwaDA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ayokGMLphMXnEwDGhQNM+ugF7/upOLMZV8v6ltKu1yk=; b=ed4jdkwEf+AC2QkRYv2srC7Tccw/TTXzqc2eYErA44TUnmI+//irbVkQiLHzhI8Q9Fotej7wR1NFOW5Fl80h1cVYLtqmLyNY7IarvTLEMXhGYwX+Xo3eMF8O60oeSO6szU49z9ytSnUJ7oh7zOyCN6heFpMDbgXqUyvY/KDEw/1TCLd4hcrePRIhBFbQxqT4E1G6fErCG9rBt85zosydmMWf7lKM1tQTWYX2r9EZQCWqd++aWdU557dbCB6aZj46lLvXpxK5YSelohDRyYY7nc6GROOMxvJ4Q9lRa66ZehVAldIhr0oL7rG1w+4AKjmuLqzXC1HJnzBhv4Wde/ITlw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ayokGMLphMXnEwDGhQNM+ugF7/upOLMZV8v6ltKu1yk=; b=oHi7c2nk9rPzE4cekw+BGbCwzaxLIaLOO/TVtNdv7UaG8YOGEBSLbcMjsw+swKu1iTNfDMQtQBS3Nufm3ns0al4jqlBl+Hf0616Ux1JetJYgpz1x2T1wyQD4lpfcGFQPBMl3EFM+/5CMJtDJLOnDNncCFBVBNuAuI3H/Cu/23Uc= Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by IA0PR10MB6891.namprd10.prod.outlook.com (2603:10b6:208:431::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5791.27; Wed, 9 Nov 2022 14:25:08 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::f006:f411:9056:63a4]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::f006:f411:9056:63a4%5]) with mapi id 15.20.5813.012; Wed, 9 Nov 2022 14:25:08 +0000 From: Eric Snowberg To: jarkko Sakkinen , Mimi Zohar , Elaine Palmer CC: Coiby Xu , "davem@davemloft.net" , David Howells , "dmitry.kasatkin@gmail.com" , "dwmw2@infradead.org" , "herbert@gondor.apana.org.au" , "jmorris@namei.org" , Konrad Wilk , Kanth Ghatraju , "keyrings@vger.kernel.org" , "linux-crypto@vger.kernel.org" , "linux-integrity@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-security-module@vger.kernel.org" , Lakshmi Ramasubramanian , "pvorel@suse.cz" , Roberto Sassu , "serge@hallyn.com" , "tiwai@suse.de" , Mimi Zohar , "erpalmer@linux.ibm.com" Subject: Re: [PATCH 0/7] Add CA enforcement keyring restrictions Thread-Topic: [PATCH 0/7] Add CA enforcement keyring restrictions Thread-Index: AQHYSVko0FaTAwO/wkyht4hUdft6wK4wDb+AgAcTfACAANo0gA== Date: Wed, 9 Nov 2022 14:25:08 +0000 Message-ID: <82E1339C-629A-48F5-99B0-179251BBC708@oracle.com> References: <20221104132035.rmavewmeo6ceyjou@Rk> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-mailer: Apple Mail (2.3696.120.41.1.1) x-ms-publictraffictype: Email x-ms-traffictypediagnostic: CH2PR10MB4150:EE_|IA0PR10MB6891:EE_ x-ms-office365-filtering-correlation-id: c4964cbc-5d92-417a-ba3b-08dac25e3412 x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: 6R6CeH+DqbXM91qfQdkf/QcxnntKOQR/f4iIeKqC1Z5HLTEuy5sCHwVs0X1QjXBcb9M07NaUZ9+jiurBBQDulD5cRxO2Zd+yUBfftRadOlNoUw4laKs3KOIlWI6Av5poxqpHGqQ39y8A9JuupfkXlcjTLAn5GWOnVccjQh7ymE/clR81SRZQi1AtLx9FmKE9zqe7dR5OJi/Fn+4cZlreKyUFbLUt4RyhoJHNowZnX1KYfRMne51PLVGxrS1Wux1fFXKpNl+3RBEdGHi0q6dMHDUJxohFx+coFSpYIEWoMrwjDcIlrn074qLb7wSx1Yedbupee3m+988jwzKHWn6e9CdE4Z2hq5LYtfGrLLM7BCSkCCaZCcRMX9yunqZkiAtlwHmTi9Ft2UHWTSHfHi6pte+vR+FXdszy0/Gv3H7N4Bm0czgi/bZG9ob6rFoxZg4WlNqM7OiNYr4I0QVx9qqDaVjxu9ZJPB/VFbxNoVmIfAG9QXnFWrfMFBZYJJNYERIy3T/DiXxiGMbWOVc1UYG+slzlW6CSLEk2euanYbafyMWkotIfrJ9PwEsqnwWP6xy0M2DTtWyE3qozV4X0ZY2Lvo7XUdksEUMjHx3FFdKT6QoYgs2a4LM96QJXiTEVbOlIDyiytoUQrOPr4yz50aHh83dgQwLCxQ+wPrWUz57gQQYtenTpV/+4yRdk6LGhqZUGnK638TuBShGOncCGRU1+PxH3r+1Ir1mziBdSK6uwmS5rYKgHwiCru2EwLXTNPII12A7ABJxL4G8GZLWau5ZWHrUd2mm7+yXSxijY+lh5wiE= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CH2PR10MB4150.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230022)(396003)(136003)(39860400002)(346002)(366004)(376002)(451199015)(33656002)(36756003)(83380400001)(186003)(53546011)(2616005)(6512007)(6506007)(26005)(122000001)(38070700005)(38100700002)(7416002)(2906002)(5660300002)(86362001)(54906003)(110136005)(71200400001)(316002)(478600001)(6486002)(41300700001)(8936002)(66946007)(8676002)(4326008)(91956017)(66476007)(64756008)(66446008)(76116006)(66556008)(44832011)(45980500001);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?sUAZw6HDK3Sc2aThlKQ1qcF/uVI9fhvjf3hsUCI5w1FvsKRTNRozdH6m4Spr?= =?us-ascii?Q?HsZugfHks9qsAlBqdFVLnCCNbPuhYW+3E12VlkLcDNJnVTfvxyFK0BRB5S3u?= =?us-ascii?Q?NG+ZkXrctpPu1S8MxdoEd4/gw1MCFbrF8xLLOPb7eGJ/nAJSX2Of8sGme40Q?= =?us-ascii?Q?l2E3iXuXDiEomc2hfs5eqUssebRV8qkfl4dg3gGyUug0LztlorW4DXu/ppR7?= =?us-ascii?Q?RIb/3RzrMTqYrMnioAP+tipjeWlbgMoI5s8ojmfHE2bM5UpRrWDONfgPPupy?= =?us-ascii?Q?2zT4nu21+xvBggDGxQEfHpEcHpNw56NMDV5UeNLxouftR2I6Vc+1vDKwVeRk?= =?us-ascii?Q?eciq3d+ONKPPui6jgCxrMtXlNkLlcZmrtQ/dLK4YaO6nutT0a3RuhZYw4OVk?= =?us-ascii?Q?e1FkScyUBXLP1Kjp5StOpXioTF9dUtrOqPRDIq+lfD8DRt58RNidjZgSe5Jb?= =?us-ascii?Q?joGLkdKPEt0WMWoW7QFYxBeDYWihmlAKMbaHzVmlzxT8Op7KCSoHWBFLsZeo?= =?us-ascii?Q?r7ZwRCcJHRSNGJQ5JwX77CGanzf2qQZ/0QT8FCir2AWEzGeY2p3SKlsLuNQY?= =?us-ascii?Q?AnoqUF0SzTWCZAJHjNXlqg1vHRX5RHVXCo+1Sz68Fs70eSA0R46RgZJMbyrm?= =?us-ascii?Q?QIYYfTBg5+k5PQfyIVNgGJPG1A3MLA2vxnIh0c2UadYtSntlI0WiIENT39vA?= =?us-ascii?Q?nepn0PQodwmpzNVPe8h5PJ4Dbj6fxH439GQ7rngdag4S0mg65qmV/7fp7HTe?= =?us-ascii?Q?gnb4qMxCqtRfwiMqOzF81AUtrvFDfR2JUsDXC2hqeRepIqcqyDCLDKeUEdUd?= =?us-ascii?Q?AGuMJN2WsVszghd7Bpfx9XDrM9CZLiZel+JpK8iKkvWtOouwiVolbPO6NaIK?= =?us-ascii?Q?wnB1dxtK4km0wuFbxI/SZe7NjjtE+LbxPAFlINtW3RLr0Crd4OrQtGVzZcbM?= =?us-ascii?Q?CsR9jgdr03xD7XEE4zsYpB0RuJddJyS3Z23T3M877wt5RGMDpgdRAhxHPWSU?= =?us-ascii?Q?ZVDLwhuIMpuk9KUkNYDBCgVB0y52q5npOvpOk12VZaSJIyUNT6nelJWnm5WM?= =?us-ascii?Q?FO3DVrCGTFu56UArVTlJTLjec2nRxTGAIJqCk4N84QIHzIsY3+kINbml2i8T?= =?us-ascii?Q?l1bNLEUWKiVX13j6XjUbn4W5qs2aWe/mWuBsyb175My7TxJu/4pIHjASBZmI?= =?us-ascii?Q?EUvCU2Ax9nzbPP+vvNOEYWage0Uj5fmP4FWWPRBILaAYyDThRW4WKsPW22n6?= =?us-ascii?Q?yMGl5E5PUKui8Vo1mK6FZpnXaSRZseEM0KrzlM7Qrwff8V2/e8nJYGxmGZfW?= =?us-ascii?Q?3UvL8BQtNjy8VmrWwSW00cSuQA3s2gbK8Clvs/Lt0xmjuKJZi88fni9xzQGp?= =?us-ascii?Q?CYxBvGCXcCQFTWSY5tHFRTiGNyaa79wC44aCW7L7XSWNKJyJ48YeUXvxa73i?= =?us-ascii?Q?lzZqEmhpCKebzvvtUQg4ReMbgyV+MYJrrfWfRPpFqPSxoqzSGVSITSnHe7wU?= =?us-ascii?Q?5ieflFLw3YOlE8m/zqM8A2ePYgmmnuuUdjdzJCGvOQZSqZ9j7bpBC7caOtQX?= =?us-ascii?Q?vat3QT/v6A34Dwz1BPcgY3ov6ZbOn4XVy8IFs7wue4a6Ibe0VZk3VFJY//CJ?= =?us-ascii?Q?xA=3D=3D?= Content-Type: text/plain; charset="us-ascii" Content-ID: <673C1B12C9174D41B38B284AEC400DFC@namprd10.prod.outlook.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: c4964cbc-5d92-417a-ba3b-08dac25e3412 X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Nov 2022 14:25:08.1922 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: w0c1XlqLYj3vnWprxBIkFuKH1lpXzOHTgXSeq6UyYvml3KxtqaEsdsOIEc7dEu1/S7FZtPFMoqmP2btRWenOiulMeneUqehpQc7mCrqMVys= X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA0PR10MB6891 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.895,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2022-11-09_06,2022-11-09_01,2022-06-22_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 adultscore=0 mlxscore=0 suspectscore=0 spamscore=0 malwarescore=0 bulkscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2210170000 definitions=main-2211090109 X-Proofpoint-GUID: 9NcdyLlx8fyxS9OG2QM5Zie64_0qqpk7 X-Proofpoint-ORIG-GUID: 9NcdyLlx8fyxS9OG2QM5Zie64_0qqpk7 X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org > On Nov 8, 2022, at 6:24 PM, Elaine Palmer wrote: >=20 >=20 >=20 > On 2022/11/04 9:20 AM, Coiby Xu wrote: >> Hi Eric, >>=20 >> I wonder if there is any update on this work? I would be glad to do >> anything that may be helpful including testing a new version of code. >>=20 > Hi Coiby, >=20 > Yes, this discussion got stuck when we couldn't agree on one of the > following options: >=20 > (A) Filter which keys from MOK (or a management system) are loaded > onto the .machine keyring. Specifically, load only keys with > CA+keyCertSign attributes. >=20 > (B) Load all keys from MOK (or a management system) onto the > .machine keyring. Then, subsequently filter those to restrict > which ones can be loaded onto the .ima keyring specifically. >=20 > The objection to (A) was that distros would have to go through > two steps instead of one to load keys. The one-step method of > loading keys was supported by an out-of-tree patch and then by > the addition of the .machine keyring. >=20 > The objection to (B) was that, because the .machine keyring is now > linked to the .secondary keyring, it expands the scope of what the > kernel has trusted in the past. The effect is that keys in MOK > have the same broad scope as keys previously restricted to > .builtin and .secondary. It doesn't affect just IMA, but the rest > of the kernel as well. >=20 > I would suggest that we can get unstuck by considering: >=20 > (C) Defining a systemd (or dracut module) to load keys onto the > .secondary keyring >=20 > (D) Using a configuration option to specify what types of > .machine keys should be allowed to pass through to the > .secondary keyring. > =20 > The distro could choose (A) by allowing only > CA+keyCertSign keys. >=20 > The distro could choose (B) by allowing any kind > of key. >=20 > We all seemed to agree that enforcing key usage should be > implemented and that a useful future effort is to add policies > to keys and keyrings, like, "This key can only be used for > verifying kernel modules." >=20 > I hope we can come to an agreement so work can proceed and IMA > can be re-enabled. I would be open to making the changes necessary to support both (A and B)=20 options. What type of configuration option would be considered? Would thi= s=20 be a compile time Kconfig, a Linux boot command line parameter, or another= =20 MOK variable?