https://bugzilla.suse.com/show_bug.cgi?id=1205447 https://bugzilla.suse.com/show_bug.cgi?id=1205447#c1 --- Comment #1 from Michal Suchanek --- INTEGRITY_MACHINE_KEYRING=y IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=n -- You are receiving this mail because: You are the assignee for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205447 https://bugzilla.suse.com/show_bug.cgi?id=1205447#c2 Jiri Slaby changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jslaby@suse.com Flags| |needinfo?(jlee@suse.com) --- Comment #2 from Jiri Slaby --- (In reply to Michal Suchanek from comment #1)

IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=n

This was set to =y in bug 1075517 intentionally. See adding needinfo to Joey if this is OK. -- You are receiving this mail because: You are the assignee for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1205447 https://bugzilla.suse.com/show_bug.cgi?id=1205447#c4 Joey Lee changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(jlee@suse.com) | --- Comment #4 from Joey Lee --- About the machine keyring INTEGRITY_MACHINE_KEYRING, my suggestion is that we keep it disabled until everything is ready. Please reference: https://lore.kernel.org/all/de0b6e61-2f6e-c215-65a9-428c3bf1bfb8@gmail.com/ https://static.sched.com/hosted_files/lssna2022/18/LSS%202022%20trust%20and%... In the page 23 and page 26 in the above slides: Current status (starting Linux 5.18, page 23): When INTEGRITY_MACHINE_KEYRING=y be set, the IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY will be auto disabled because IMA doesn't want to use non-CA MOK. Which also means that the non-CA MOK can be used to verify keys in secondary keyring and kernel modules. But in the future (proposed post Linux 5.18, page 26) In the future, only CA MOK can be used to verify keys in secondary keying and kernel modules. Which means that those non-CA MOK will be blocked if the propose be accepted. So, if we enable INTEGRITY_MACHINE_KEYRING=y now, user may use non-CA MOK to verify keys in secondary keyring and also kernel modules. But this approach will be blocked in the future. On the other hand, IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=n will cause the user of self-sign kernel can not use their built-in or secondary key in IMA. They need to disable INTEGRITY_MACHINE_KEYRING by them self when building kernel. I suggest that do not enable INTEGRITY_MACHINE_KEYRING until the behavior of this keyring is clear. Thanks! -- You are receiving this mail because: You are the assignee for the bug.