http://bugzilla.opensuse.org/show_bug.cgi?id=1209006
http://bugzilla.opensuse.org/show_bug.cgi?id=1209006#c21
Joey Lee changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags|needinfo?(jlee@suse.com) |
--- Comment #21 from Joey Lee ---
For reference, the upstream kernel's plan for the .platform and .machine keyrings is
here:
keyrings, key usage, and trust models
https://lore.kernel.org/all/20220928055900.GT4909@linux-l9pv.suse/t/#m3ce7e4...
And a PDF of slides. The pictures may be useful:
https://static.sched.com/hosted_files/lssna2022/18/LSS%202022%20trust%20and%...
Newest patch set:
[PATCH v5 0/6] Add CA enforcement keyring restrictions
https://lore.kernel.org/lkml/20230302164652.83571-1-eric.snowberg@oracle.com...
Per my understanding, "keys in UEFI db" are only trusted to verify booting/kexec.
And MOKs can also be used to verify booting/kexec. CA MOKs can be used to
verify keys for the .ima keyring.