Re: [RFC PATCH v2 1/2] integrity, KEYS: add a reference to platform keyring

2019-01-15 Thread Mimi Zohar
On Tue, 2019-01-15 at 23:47 +0800, Kairui Song wrote: > On Tue, Jan 15, 2019 at 11:34 PM Mimi Zohar wrote: > > > > On Tue, 2019-01-15 at 17:45 +0800, Kairui Song wrote: > > [snip] > > > > > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c > > > index

Re: [RFC PATCH v2 1/2] integrity, KEYS: add a reference to platform keyring

2019-01-15 Thread Kairui Song
On Tue, Jan 15, 2019 at 11:34 PM Mimi Zohar wrote: > > On Tue, 2019-01-15 at 17:45 +0800, Kairui Song wrote: > [snip] > > > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c > > index f45d6edecf99..bfabc2a8111d 100644 > > --- a/security/integrity/digsig.c > > +++

Re: [RFC PATCH v2 1/2] integrity, KEYS: add a reference to platform keyring

2019-01-15 Thread Mimi Zohar
On Tue, 2019-01-15 at 17:45 +0800, Kairui Song wrote: [snip] > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c > index f45d6edecf99..bfabc2a8111d 100644 > --- a/security/integrity/digsig.c > +++ b/security/integrity/digsig.c > @@ -89,6 +89,12 @@ static int

[RFC PATCH v2 1/2] integrity, KEYS: add a reference to platform keyring

2019-01-15 Thread Kairui Song
Currently, when loading a new kernel via the kexec_file_load syscall, it is able to verify the signed PE bzImage against .builtin_trusted_keys or .secondary_trusted_keys. But the image could be signed with third-party keys which will be provided by platform or firmware as EFI variable (e.g. stored in