diff for duplicates of <1520428682.10396.445.camel@linux.vnet.ibm.com> diff --git a/a/content_digest b/N1/content_digest index 5c0b4c1..a6b9ec0 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -2,7 +2,7 @@ "ref\06eabbb43-295e-9ba0-c0d9-120f48aa0e1d@suse.cz\0" "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" "Subject\0Re: [PATCH 0/9] KEYS: Blacklisting & UEFI database load\0" - "Date\0Wed, 07 Mar 2018 13:18:02 +0000\0" + "Date\0Wed, 07 Mar 2018 08:18:02 -0500\0" "To\0Jiri Slaby <jslaby@suse.cz>" David Howells <dhowells@redhat.com> " keyrings@vger.kernel.org\0" @@ -68,4 +68,4 @@ "\n" Mimi -daf832881af464377da08e3e242e1d0fe4ed4a79ce8268494ed95f0d832f0bfc +8346b657a60ec47481fb2aa7950fdf039d85ab1d915a2d22daf8cc4760001779
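Review bot: The Date change in the `@@ -2,7 +2,7 @@` hunk is a change of representation only: `13:18:02 +0000` and `08:18:02 -0500` are the same instant, and the digest on the last line changes along with it. Comparing the two copies on a Date value normalized to UTC would keep this pair from showing up as a content difference.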
diff --git a/a/1.txt b/N2/1.txt index ac32353..ebb8b06 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -35,17 +35,17 @@ builtin_trusted_keys (builtin). Enabling the secondary_builtin_keys (secondary) allows keys signed by a key on the builtin keyring to be added to the secondary keyring. - Any key, signed by a key on either the builtin or secondary keyring, +?Any key, signed by a key on either the builtin or secondary keyring, can be added to the IMA trusted keyring. The "KEYS: Allow unrestricted boot-time addition of keys to secondary keyring" patch loads the platform keys directly onto the secondary keyring, without requiring them to be signed by a key on the builtin -or secondary keyring. With this change, any key signed by a platfrom +or secondary keyring. ?With this change, any key signed by a platfrom key on the secondary, can be loaded onto the .ima trusted keyring. Just because I trust the platform keys prior to booting the kernel, -doesn't mean that I *want* to trust those keys once booted. There +doesn't mean that I *want* to trust those keys once booted. ?There are, however, places where we need access to those keys to verify a signature (eg. kexec kernel image). @@ -53,3 +53,8 @@ Nayna Jain's "certs: define a trusted platform keyring" patch set introduces a new, separate keyring for these platform keys. Mimi + +-- +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N2/content_digest index 5c0b4c1..3261bc7 100644 --- a/a/content_digest +++ b/N2/content_digest 
@@ -1,15 +1,9 @@ "ref\0147931984418.16460.6639993676886095760.stgit@warthog.procyon.org.uk\0" "ref\06eabbb43-295e-9ba0-c0d9-120f48aa0e1d@suse.cz\0" - "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" - "Subject\0Re: [PATCH 0/9] KEYS: Blacklisting & UEFI database load\0" - "Date\0Wed, 07 Mar 2018 13:18:02 +0000\0" - "To\0Jiri Slaby <jslaby@suse.cz>" - David Howells <dhowells@redhat.com> - " keyrings@vger.kernel.org\0" - "Cc\0matthew.garrett@nebula.com" - linux-security-module@vger.kernel.org - linux-efi@vger.kernel.org - " linux-kernel@vger.kernel.org\0" + "From\0zohar@linux.vnet.ibm.com (Mimi Zohar)\0" + "Subject\0[PATCH 0/9] KEYS: Blacklisting & UEFI database load\0" + "Date\0Wed, 07 Mar 2018 08:18:02 -0500\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "On Tue, 2018-03-06 at 15:05 +0100, Jiri Slaby wrote:\n" 
@@ -49,23 +43,28 @@ "\n" "Enabling the secondary_builtin_keys (secondary) allows keys signed by\n" "a key on the builtin keyring to be added to the secondary keyring.\n" - "\302\240Any key, signed by a key on either the builtin or secondary keyring,\n" + "?Any key, signed by a key on either the builtin or secondary keyring,\n" "can be added to the IMA trusted keyring.\n" "\n" "The \"KEYS: Allow unrestricted boot-time addition of keys to secondary\n" "keyring\" patch loads the platform keys directly onto the secondary\n" "keyring, without requiring them to be signed by a key on the builtin\n" - "or secondary keyring. \302\240With this change, any key signed by a platfrom\n" + "or secondary keyring. ?With this change, any key signed by a platfrom\n" "key on the secondary, can be loaded onto the .ima trusted keyring.\n" "\n" "Just because I trust the platform keys prior to booting the kernel,\n" - "doesn't mean that I *want* to trust those keys once booted. \302\240There\n" + "doesn't mean that I *want* to trust those keys once booted. ?There\n" "are, however, places where we need access to those keys to verify a\n" "signature (eg. kexec kernel image).\n" "\n" "Nayna Jain's \"certs: define a trusted platform keyring\" patch set\n" "introduces a new, separate keyring for these platform keys.\n" "\n" - Mimi + "Mimi\n" + "\n" + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -daf832881af464377da08e3e242e1d0fe4ed4a79ce8268494ed95f0d832f0bfc +a4b1ae86c2978fc169ff0557f18ade861b946322dbe3845b849d2f2a062e5b92
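Review bot: The `?` in front of "Any key", "With this change" and "There" on the `+` lines of the `@@ -49,23 +43,28 @@` hunk is a non-breaking space lost in re-encoding, not part of the message: the `-` lines show the same positions as `\302\240`, the UTF-8 bytes for U+00A0. The N2 copy also carries the appended list footer with the address rewritten as `majordomo at vger.kernel.org`, so the a/ copy is the one to quote the message body from.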