Conversation
jarkko

Jarkko Sakkinen

Anyone interested on keyring:

https://web.git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/commit/?h=keys-graveyard

If this would work out then possibly also radiate to /proc/keys.

I.e. it could also similarly "knock for reference" but that is not within scope of this patch.

#linux #kernel #keyring
1
0
0
jarkko

Jarkko Sakkinen

Reply to @jarkko
In the case of procfs I'll check if this strategy would allow to relax locking requirements for /proc/keys.
1
0
0
Conan_Kudo@fosstodon.org

Neal Gompa (ニール・ゴンパ) fedora

Reply to @jarkko

@jarkko Semi-related, but I wish it were possible to have a kernel-level keyring for kernel module signing certificates so that loading into firmware isn't required for user-produced kernel modules. 😦

1
0
1
jarkko

Jarkko Sakkinen

Reply to @Conan_Kudo@fosstodon.org
@Conan_Kudo This work is for key_put() :-) How to make it less sensitive overall.
1
0
0
jarkko

Jarkko Sakkinen

Reply to @jarkko
@Conan_Kudo There's this irony in shared data (in general) that even if your blob lives for the whole power cycle, it must be prepared for sudden death that could happen in the next time quantum :-)
1
0
0
jarkko

Jarkko Sakkinen

Reply to @jarkko
@Conan_Kudo BTW, so we do have machine keyring and MOK keys. What is the problem?
1
0
0
Conan_Kudo@fosstodon.org

Neal Gompa (ニール・ゴンパ) fedora

Reply to @jarkko

@jarkko Those have to be uploaded into UEFI firmware, and that is an unreliable situation. In addition to lacking standardized automation (hilariously you can do this with servers but not desktops), the available memory for certificates is laughably small on most systems.

It's kind of crazy that we can't do this on Linux when Windows has allowed this since they started requiring signed drivers with Windows Vista.

0
0
0
About social.kernel.org

Terms of service

  1. Please do not use this service in violation of the Linux Kernel Code of Conduct. Doing so will result in your account suspension with the referral of the matter to the CoC committee.

  2. "Repeating"/"boosting" someone else's status on this platform will be treated as endorsement and will fall under rule #1.

  3. You are encouraged to use this platform to promote your work on the Linux Kernel, but there is no restriction on permitted topics (with the exception of anything covered by #1 above).

  4. There is no requirement to post in English, but it should be considered the primary language of communication on this platform.

Privacy notice

The admins of this service have access to all posted statuses. They aren't looking, but if it's something they shouldn't know about, then you should not post it on this platform.

Please see the Linux Foundation Privacy Policy, which applies to this platform as well.

Getting your own account

If you would like an account on this instance, please check that the following applies to you:

  • You are listed in MAINTAINERS or CREDITS

  • OR: You have a kernel.org account or email address

  • OR: You have a long and established history of involvement with the Linux Kernel

If the above is true and you agree with the Terms of Service and Privacy Notice listed above, please use these instructions to request an account: