Comment # 16 on bug 1209006 from
(In reply to Martin Wilck from comment #15)
> (In reply to Joey Lee from comment #9)

> > Based on the v6.2 kernel, keys in the .machine keyring still must be trusted (signed)
> > by a key in the built-in/secondary keyring. It applies restrict_link_to_ima and
> > depends on CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.
> 
> [...]
> 
> So keys could be added from the machine keyring to the secondary keyring
> without being trusted by the secondary keyring beforehand, but such keys
> could never have been added to the machine keyring in the first place.
> 
> That looks like an upstream bug to me.

Sorry, no. I was wrong.

https://elixir.bootlin.com/linux/v6.2/source/security/integrity/digsig.c#L134
shows that there is no restriction at all for keys in the machine and platform
key rings.

But now I fail to see why MoK keys don't make it into the secondary keyring...
