| Message ID | 41707c7dd9705b8bb04a6d56aee349ff17c4af50.camel@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [GIT,PULL] integrity subsystem updates for v5.17 | expand |
On Mon, Jan 10, 2022 at 2:02 PM Mimi Zohar <zohar@linux.ibm.com> wrote: > > git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.17 Side note: I can't find the key you're using for the tag signing anywhere. This isn't new, and I've seen this key before, and I suspect it's just another new key update that the complete breakdown of all the pgp keyservers makes hard to get out. You used to use RSA key 8D2302082EFE723A379ECCD26B792466B03E715A, which I have, the last few pulls you've been using EDDSA key 1D5D554518DE57A8AAF51E3ECBC19CD1B02AE7E5 that I can't actually find. It also isn't in the kernel.org pgpkeys repo. You could try submitting it there: https://korg.docs.kernel.org/pgpkeys.html#submitting-keys-to-the-keyring Oh, how I hate pgp. I thought that having git wrap all the key verification would make it usable (counter-example: the incredible garbage that is pgp signed email), but then the keyservers stopped working, and so the keys themselves end up being a problem. Linus
The pull request you sent on Mon, 10 Jan 2022 17:02:02 -0500:
> git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.17
has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/84bfcc0b6994057905cf98d2c5cedef48b3322b5
Thank you!
On Tue, 2022-01-11 at 13:21 -0800, Linus Torvalds wrote: > On Mon, Jan 10, 2022 at 2:02 PM Mimi Zohar <zohar@linux.ibm.com> wrote: > > > > git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.17 > > Side note: I can't find the key you're using for the tag signing anywhere. > > This isn't new, and I've seen this key before, and I suspect it's just > another new key update that the complete breakdown of all the pgp > keyservers makes hard to get out. > > You used to use RSA key 8D2302082EFE723A379ECCD26B792466B03E715A, > which I have, the last few pulls you've been using EDDSA key > 1D5D554518DE57A8AAF51E3ECBC19CD1B02AE7E5 that I can't actually find. Yes, I received the Nitrokey Start and followed the maintainer-pgp- guide (and Nitrokey) directions at the time. It was hard finding a working gpg server, but I finally found one, at least I thought I found one. > > It also isn't in the kernel.org pgpkeys repo. > > You could try submitting it there: > > https://korg.docs.kernel.org/pgpkeys.html#submitting-keys-to-the-keyring > > Oh, how I hate pgp. I thought that having git wrap all the key > verification would make it usable (counter-example: the incredible > garbage that is pgp signed email), but then the keyservers stopped > working, and so the keys themselves end up being a problem. Submitted. Mimi
On Tue, Jan 11, 2022 at 2:55 PM Mimi Zohar <zohar@linux.ibm.com> wrote: > > Yes, I received the Nitrokey Start and followed the maintainer-pgp- > guide (and Nitrokey) directions at the time. It was hard finding a > working gpg server, but I finally found one, at least I thought I found > one. You probably _did_ find a working pgp server, but with all the pgp poisoning, the replication of the keys doesn't tend to work very well any more. So if I don't then happen to use the same server, I won't get the key updates. Oh well. It's not like pgp wasn't always a UI disaster. It's just that key replication _used_ to work fairly well. Linus
Hi Linus, The few changes are all kexec related: - The MOK keys are loaded onto the .platform keyring in order to verify the kexec kernel image signature. However, the MOK keys should only be trusted when secure boot is enable. Before loading the MOK keys onto the .platform keyring, make sure the system is booted in secure boot mode. - When carrying the IMA measurement list across kexec, limit dumping the measurement list to when dynamic debug or CONFIG_DEBUG is enabled. - kselftest: add kexec_file_load selftest support for PowerNV and other cleanup. thanks, Mimi The following changes since commit 136057256686de39cc3a07c2e39ef6bc43003ff6: Linux 5.16-rc2 (2021-11-21 13:47:39 -0800) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.17 for you to fetch changes up to 65e38e32a959dbbb0bf5cf1ae699789f81759be6: selftests/kexec: Enable secureboot tests for PowerPC (2022-01-05 11:44:57 -0500) ---------------------------------------------------------------- integrity-v5.17 ---------------------------------------------------------------- Bruno Meneguele (1): ima: silence measurement list hexdump during kexec Lee, Chun-Yi (1): integrity: Do not load MOK and MOKx when secure boot be disabled Mimi Zohar (2): selftest/kexec: fix "ignored null byte in input" warning selftests/kexec: update searching for the Kconfig Nageswara R Sastry (1): selftests/kexec: Enable secureboot tests for PowerPC Takashi Iwai (1): ima: Fix undefined arch_ima_get_secureboot() and co include/linux/ima.h | 30 ++++++------- security/integrity/ima/ima_kexec.c | 6 +-- security/integrity/platform_certs/load_uefi.c | 5 +++ tools/testing/selftests/kexec/Makefile | 2 +- tools/testing/selftests/kexec/kexec_common_lib.sh | 51 +++++++++++++++++----- .../selftests/kexec/test_kexec_file_load.sh | 13 ++++-- 6 files changed, 74 insertions(+), 33 deletions(-)