diff for duplicates of <20180311032022.GA31059@linux-l9pv.suse> diff --git a/a/1.txt b/N1/1.txt index d083e08..a77ca61 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -18,7 +18,7 @@ On Wed, Mar 07, 2018 at 07:28:37AM -0800, James Bottomley wrote: Josh Boyer's "MODSIGN: Allow the "db" UEFI variable to be suppressed" patch checks MokIgnoreDB variable to ignore db: -https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-uefi&id|395b30a33a617c5cc2cdd419300af71277b79a +https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-uefi&id=7c395b30a33a617c5cc2cdd419300af71277b79a I think that we can consider to use MokAllowDB. Which means that kernel ignores DB by default. diff --git a/a/content_digest b/N1/content_digest index bf32708..21970ef 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -4,7 +4,7 @@ "ref\01520436517.5558.2.camel@HansenPartnership.com\0" "From\0joeyli <jlee@suse.com>\0" "Subject\0Re: [PATCH 0/9] KEYS: Blacklisting & UEFI database load\0" - "Date\0Sun, 11 Mar 2018 03:20:22 +0000\0" + "Date\0Sun, 11 Mar 2018 11:20:22 +0800\0" "To\0James Bottomley <James.Bottomley@hansenpartnership.com>\0" "Cc\0Mimi Zohar <zohar@linux.vnet.ibm.com>" Jiri Slaby <jslaby@suse.cz> @@ -36,7 +36,7 @@ "Josh Boyer's \"MODSIGN: Allow the \"db\" UEFI variable to be suppressed\"\n" "patch checks MokIgnoreDB variable to ignore db:\n" "\n" - "https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-uefi&id|395b30a33a617c5cc2cdd419300af71277b79a\n" + "https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-uefi&id=7c395b30a33a617c5cc2cdd419300af71277b79a\n" "\n" "I think that we can consider to use MokAllowDB. Which means that kernel\n" "ignores DB by default.\n" @@ -77,4 +77,4 @@ "Thanks a lot!\n" Joey Lee -c7dc11b8daddfb0fc3cc923255ab0db5d514a2b6f833e00e04c08108a82e6eee +25ec9cf58a764e1aa3d88b6c70d15ffe5fe57bba1104742bd3e4621169922722
diff --git a/a/1.txt b/N2/1.txt index d083e08..24c348a 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -7,7 +7,7 @@ On Wed, Mar 07, 2018 at 07:28:37AM -0800, James Bottomley wrote: > > > to resend the PR to have this merged? > [...] > > Just because I trust the platform keys prior to booting the kernel, -> > doesn't mean that I *want* to trust those keys once booted. There +> > doesn't mean that I *want* to trust those keys once booted. ?There > > are, however, places where we need access to those keys to verify a > > signature (eg. kexec kernel image). > @@ -18,7 +18,7 @@ On Wed, Mar 07, 2018 at 07:28:37AM -0800, James Bottomley wrote: Josh Boyer's "MODSIGN: Allow the "db" UEFI variable to be suppressed" patch checks MokIgnoreDB variable to ignore db: -https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-uefi&id|395b30a33a617c5cc2cdd419300af71277b79a +https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-uefi&id=7c395b30a33a617c5cc2cdd419300af71277b79a I think that we can consider to use MokAllowDB. Which means that kernel ignores DB by default. @@ -26,9 +26,9 @@ ignores DB by default. > > Nayna Jain's "certs: define a trusted platform keyring" patch set > > introduces a new, separate keyring for these platform keys. > -> Perhaps, to break the deadlock, we should ask Jiří what the reason is -> the distros want these keys to be trusted. Apart from the Microsoft -> key, it will also give you an OEM key in your trusted keyring. Is it +> Perhaps, to break the deadlock, we should ask Ji?? what the reason is +> the distros want these keys to be trusted. ?Apart from the Microsoft +> key, it will also give you an OEM key in your trusted keyring. ?Is it > something to do with OEM supplied modules? 
> @@ -58,3 +58,7 @@ in db by default. Thanks a lot! Joey Lee +-- +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N2/content_digest index bf32708..f2163d5 100644 --- a/a/content_digest +++ b/N2/content_digest @@ -2,18 +2,10 @@ "ref\06eabbb43-295e-9ba0-c0d9-120f48aa0e1d@suse.cz\0" "ref\01520428682.10396.445.camel@linux.vnet.ibm.com\0" "ref\01520436517.5558.2.camel@HansenPartnership.com\0" - "From\0joeyli <jlee@suse.com>\0" - "Subject\0Re: [PATCH 0/9] KEYS: Blacklisting & UEFI database load\0" - "Date\0Sun, 11 Mar 2018 03:20:22 +0000\0" - "To\0James Bottomley <James.Bottomley@hansenpartnership.com>\0" - "Cc\0Mimi Zohar <zohar@linux.vnet.ibm.com>" - Jiri Slaby <jslaby@suse.cz> - David Howells <dhowells@redhat.com> - keyrings@vger.kernel.org - matthew.garrett@nebula.com - linux-security-module@vger.kernel.org - linux-efi@vger.kernel.org - " linux-kernel@vger.kernel.org\0" + "From\0jlee@suse.com (joeyli)\0" + "Subject\0[PATCH 0/9] KEYS: Blacklisting & UEFI database load\0" + "Date\0Sun, 11 Mar 2018 11:20:22 +0800\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "On Wed, Mar 07, 2018 at 07:28:37AM -0800, James Bottomley wrote:\n" @@ -25,7 +17,7 @@ "> > > to resend the PR to have this merged?\n" "> [...]\n" "> > Just because I trust the platform keys prior to booting the kernel,\n" - "> > doesn't mean that I *want* to trust those keys once booted. \302\240There\n" + "> > doesn't mean that I *want* to trust those keys once booted. ?There\n" "> > are, however, places where we need access to those keys to verify a\n" "> > signature (eg. kexec kernel image).\n" "> \n" 
@@ -36,7 +28,7 @@ "Josh Boyer's \"MODSIGN: Allow the \"db\" UEFI variable to be suppressed\"\n" "patch checks MokIgnoreDB variable to ignore db:\n" "\n" - "https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-uefi&id|395b30a33a617c5cc2cdd419300af71277b79a\n" + "https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-uefi&id=7c395b30a33a617c5cc2cdd419300af71277b79a\n" "\n" "I think that we can consider to use MokAllowDB. Which means that kernel\n" "ignores DB by default.\n" @@ -44,9 +36,9 @@ "> > Nayna Jain's \"certs: define a trusted platform keyring\" patch set\n" "> > introduces a new, separate keyring for these platform keys.\n" "> \n" - "> Perhaps, to break the deadlock, we should ask Ji\305\231\303\255 what the reason is\n" - "> the distros want these keys to be trusted. \302\240Apart from the Microsoft\n" - "> key, it will also give you an OEM key in your trusted keyring. \302\240Is it\n" + "> Perhaps, to break the deadlock, we should ask Ji?? what the reason is\n" + "> the distros want these keys to be trusted. ?Apart from the Microsoft\n" + "> key, it will also give you an OEM key in your trusted keyring. ?Is it\n" "> something to do with OEM supplied modules?\n" ">\n" "\n" @@ -75,6 +67,10 @@ "in db by default.\n" "\n" "Thanks a lot!\n" - Joey Lee + "Joey Lee\n" + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -c7dc11b8daddfb0fc3cc923255ab0db5d514a2b6f833e00e04c08108a82e6eee +40fd7c471df0ca8882af4ae90383e4406020539a853689b78d6f310370b8cbb4
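Review bot: the "-" side of the URL hunks (1.txt at @@ -18,7 and the matching content_digest hunks) carries "?h=keys-uefi&id|395b30a33a617c5cc2cdd419300af71277b79a", which is not a usable commit link. The "=7c" that begins the id on the "+" side has turned into "|", which is what results when "=7C" is decoded as a quoted-printable escape (0x7C is "|"). When citing the MokIgnoreDB commit from this thread, use the "+" form, "&id=7c395b30a33a617c5cc2cdd419300af71277b79a", and treat the a/ copy of the message as the damaged one.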
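Review bot: the N2 hunks of 1.txt at @@ -7,7 and @@ -26,9 replace non-ASCII bytes with "?" on the "+" side ("Ji??" for "Jiří", and "booted. ?There" where the content_digest "-" line shows "\302\240", a UTF-8 no-break space), so N2 is a lossy re-encoding of the message. Its content_digest hunk at @@ -2,18 also drops the Cc list and the "Re:" prefix, reduces To to the list address, and appends the majordomo footer. N1 differs from a/ only in the URL, the Date header and the digest hash, so it keeps the original characters and headers while carrying the corrected URL; quote from N1 rather than N2.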