[Bug 1205447] New: machine keyring is not enabled
https://bugzilla.suse.com/show_bug.cgi?id=1205447

Bug ID: 1205447
Summary: machine keyring is not enabled
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-bugs@opensuse.org
Reporter: msuchanek@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

machine keyring is the upstream solution for making MOK available to the kernel.

--
You are receiving this mail because: You are the assignee for the bug.
Michal Suchanek
https://bugzilla.suse.com/show_bug.cgi?id=1205447#c1
--- Comment #1 from Michal Suchanek
Michal Suchanek
https://bugzilla.suse.com/show_bug.cgi?id=1205447#c2
Jiri Slaby
IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=n
This was set to =y in bug 1075517 intentionally. See adding needinfo to Joey if this is OK.
https://bugzilla.suse.com/show_bug.cgi?id=1205447#c3
--- Comment #3 from Michal Suchanek
https://bugzilla.suse.com/show_bug.cgi?id=1205447#c4
Joey Lee
https://bugzilla.suse.com/show_bug.cgi?id=1205447#c5
--- Comment #5 from Michal Suchanek
In the future, only CA MOK can be used to verify keys in the secondary keyring and kernel modules. Which means that those non-CA MOK will be blocked if the proposal is accepted.
Which means that we should oppose this change upstream or revert it if it happens regardless. Not every key ever used is issued by a CA, and there is no reason every key should be. This is a push to embed superfluous policy into the kernel.