From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S934056AbcALCoq (ORCPT <rfc822;w@1wt.eu>);
	Mon, 11 Jan 2016 21:44:46 -0500
Received: from e23smtp06.au.ibm.com ([202.81.31.148]:36509 "EHLO
	e23smtp06.au.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S933537AbcALCon (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Mon, 11 Jan 2016 21:44:43 -0500
X-IBM-Helo: d23dlp03.au.ibm.com
X-IBM-MailFrom: zohar@linux.vnet.ibm.com
X-IBM-RcptTo: keyrings@vger.kernel.org;linux-kernel@vger.kernel.org;linux-security-module@vger.kernel.org
Message-ID: <1452566626.4776.37.camel@linux.vnet.ibm.com>
Subject: Re: [RFC PATCH 00/15] KEYS: Restrict additions to 'trusted' keyrings
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Howells <dhowells@redhat.com>
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
        petkan@mip-labs.com, linux-kernel@vger.kernel.org
Date: Mon, 11 Jan 2016 21:43:46 -0500
In-Reply-To: <26351.1452559103@warthog.procyon.org.uk>
References: <1452280713.2651.12.camel@linux.vnet.ibm.com>
	 <20160108183319.25960.49807.stgit@warthog.procyon.org.uk>
	 <1452279264.2651.7.camel@linux.vnet.ibm.com>
	 <26351.1452559103@warthog.procyon.org.uk>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.12.11 (3.12.11-1.fc21) 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-TM-AS-MML: disable
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 16011202-0021-0000-0000-0000027C6D73
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 2016-01-12 at 00:38 +0000, David Howells wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> 
> > Back in November, Mehmet Kayaalp posted a patch for safely adding
> > additional keys to the system keyring post build and a tool for
> > re-signing the kernel.
> > 
> > https://www.mail-archive.com/linux-security-module@vger.kernel.org/msg03679.html
> 
> That's irrelevant to this particular discussion.

Not really.  The discussion centers around the system keyring and the
origin of the keys on it.  These patches safely allow additional keys to
be added post-build to the system keyring.

> And, yes, I should deal with
> his patch.

Thank you.

Mimi