From: nayna <nayna@linux.vnet.ibm.com>
To: Dave Young <dyoung@redhat.com>
Cc: jwboyer@fedoraproject.org, Kairui Song <kasong@redhat.com>,
ebiggers@google.com, nayna@linux.ibm.com,
kexec@lists.infradead.org, linux-kernel@vger.kernel.org,
Mimi Zohar <zohar@linux.ibm.com>,
jmorris@namei.org, dhowells@redhat.com, keyrings@vger.kernel.org,
linux-integrity@vger.kernel.org, dwmw2@infradead.org,
bauerman@linux.ibm.com, serge@hallyn.com
Subject: Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify
Date: Tue, 15 Jan 2019 10:17:13 -0500
Message-ID: <3c80c88c90ead96cea9a4f13af41fc5b@linux.vnet.ibm.com>
In-Reply-To: <20190115024243.GA9199@dhcp-128-65.nay.redhat.com>

On 2019-01-14 21:42, Dave Young wrote:
> On 01/14/19 at 11:10am, Mimi Zohar wrote:
>> On Sun, 2019-01-13 at 09:39 +0800, Dave Young wrote:
>> > Hi,
>> >
>> > On 01/11/19 at 11:13am, Mimi Zohar wrote:
>> > > On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
>> > > [snip]
>> > >
>> > > > Personally I would like to see platform key separated from integrity.
>> > > > But for the kexec_file part I think it is good at least it works with
>> > > > this fix.
>> > > >
>> > > > Acked-by: Dave Young <dyoung@redhat.com>
>> > >
>> > > The original "platform" keyring patches that Nayna posted multiple
>> > > times were in the certs directory, but nobody commented/responded. So
>> > > she reworked the patches, moving them to the integrity directory and
>> > > posted them (cc'ing the kexec mailing list). It's a bit late to be
>> > > asking to move it, isn't it?
>> >
>> > Hmm, apologize for being late, I did not get a chance to have a look at
>> > the old series. Since we have the need now, it should still be fine.
>> >
>> > Maybe Kairui can check Nayna's old series, see if he can do something
>> > again?
>>
>> Whether the platform keyring is defined in certs/ or in integrity/ the
>> keyring id needs to be accessible to the other, without making the
>> keyring id global. Moving where the platform keyring is defined is
>> not the problem.
>
> Agreed, but I just feel that kexec depending on IMA does not sound good.

The platform keyring is not dependent on IMA, it is dependent on
"integrity" - CONFIG_INTEGRITY_ASYMMETRIC_KEYS.
Other CONFIGS which it needs are CONFIG_SYSTEM_BLACKLIST_KEYRING,
CONFIG_EFI.

Thanks & Regards,
- Nayna