Hi David,

New keys can be added to the keyring by signing them with existing ones, and the existing ones come from UEFI or are compiled into the kernel. With this patch, we can add the "compiled in" ones without recompiling the kernel. The scenario is: a key is inserted into a stock kernel, and the resulting kernel image is re-signed to create a custom image for secure boot that can trust that key. Instead of giving away the signing key, we can give the inserted key to the user of the image.
Does this make sense?

Mehmet

> On Nov 26, 2015, at 10:00 AM, David Howells <dhowe...@redhat.com> wrote:
>
> Mehmet Kayaalp <mkaya...@linux.vnet.ibm.com> wrote:
>
>> Place a system_extra_cert buffer of configurable size, right after the
>> system_certificate_list, so that inserted keys can be readily processed by
>> the existing mechanism.
>
> Do you have a particular use case for this?
>
> David
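As an added illustration (not code from the patch or the kernel): the approach described above works because the kernel walks system_certificate_list as a run of concatenated DER-encoded X.509 certificates, each starting with a SEQUENCE header that carries its own length, so a zero-filled buffer placed right after the list is simply where the walk stops until something is written there. The model below reproduces that walk over a constructed image, writes a certificate into the reserved area the way a re-signing tool would, and shows the same loader loop then picking it up. The buffer size, the refusal to overwrite an already-filled slot, stopping the walk at the first zero byte, and the certificates themselves (tiny DER SEQUENCEs, not real X.509) are assumptions of this model, not details taken from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical size of the reserved extra-cert buffer (the patch makes this configurable). */
#define EXTRA_CERT_SIZE 64

/* Model of the kernel image region: the certificate list followed immediately by
 * a zero-filled extra buffer, exactly as the patch lays it out. */
static unsigned char image[256];
static size_t list_len;   /* bytes occupied by system_certificate_list */

/* Constructed stand-ins for DER certificates: each is one DER SEQUENCE, which is the
 * only property the walk relies on. Not real X.509 data. */
static const unsigned char cert_a[]     = { 0x30, 0x03, 0x02, 0x01, 0x01 };        /* SEQUENCE { INTEGER 1 } */
static const unsigned char cert_b[]     = { 0x30, 0x03, 0x02, 0x01, 0x02 };        /* SEQUENCE { INTEGER 2 } */
static const unsigned char extra_cert[] = { 0x30, 0x04, 0x04, 0x02, 'k', '1' };    /* SEQUENCE { OCTET STRING "k1" } */

/* Parse a DER SEQUENCE header at p. Returns total object length (header + body),
 * or 0 if p does not start a SEQUENCE or the object would run past `avail`. */
static size_t der_seq_len(const unsigned char *p, size_t avail)
{
    if (avail < 2 || p[0] != 0x30)
        return 0;
    size_t hdr, body;
    if (p[1] < 0x80) {                      /* short-form length */
        body = p[1];
        hdr = 2;
    } else {                                /* long-form length, up to 2 length bytes here */
        unsigned n = p[1] & 0x7f;
        if (n == 0 || n > 2 || avail < 2 + n)
            return 0;
        body = 0;
        for (unsigned i = 0; i < n; i++)
            body = (body << 8) | p[2 + i];
        hdr = 2 + n;
    }
    if (hdr + body > avail)
        return 0;
    return hdr + body;
}

/* The loader loop: consume one DER object after another until the region ends or a
 * byte that is not a SEQUENCE tag (e.g. the zero padding) is reached. Returns the
 * number of certificates found; the kernel would add each one to the keyring. */
static int count_certs(const unsigned char *blob, size_t len)
{
    int n = 0;
    size_t off = 0;
    while (off < len) {
        size_t l = der_seq_len(blob + off, len - off);
        if (l == 0)
            break;
        n++;
        off += l;
    }
    return n;
}

/* What the re-signing step does before the image is signed: write one DER cert into
 * the reserved buffer. Returns 1 on success, 0 if the cert does not fit, the slot is
 * already used, or the input is not exactly one DER SEQUENCE. */
static int insert_extra_cert(unsigned char *img, size_t list_bytes, size_t extra_size,
                             const unsigned char *der, size_t der_len)
{
    unsigned char *extra = img + list_bytes;
    if (der_len > extra_size)
        return 0;
    if (der_seq_len(extra, extra_size) != 0)
        return 0;                           /* slot already filled; refuse to clobber */
    if (der_seq_len(der, der_len) != der_len)
        return 0;                           /* must be a single, complete DER object */
    memcpy(extra, der, der_len);
    return 1;
}

/* Lay out the constructed image: two built-in certs, then the zeroed extra buffer.
 * Returns the size of the certificate list proper. */
static size_t build_image(void)
{
    memset(image, 0, sizeof image);
    memcpy(image, cert_a, sizeof cert_a);
    memcpy(image + sizeof cert_a, cert_b, sizeof cert_b);
    list_len = sizeof cert_a + sizeof cert_b;
    return list_len;
}

int main(void)
{
    build_image();
    size_t region = list_len + EXTRA_CERT_SIZE;
    printf("stock image: %d trusted certs\n", count_certs(image, region));
    if (insert_extra_cert(image, list_len, EXTRA_CERT_SIZE, extra_cert, sizeof extra_cert))
        printf("after insert: %d trusted certs (re-sign the image now)\n", count_certs(image, region));
    return 0;
}
```

The walk is run over the list plus the extra buffer as one region; that is the whole point of placing the buffer directly after system_certificate_list. Note that once the certificate is inserted it is as trusted as the built-in ones, which is why the modified image must be re-signed and the original signing key never leaves the signer.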