Date:	Thu, 7 Feb 2013 00:18:23 +0200
From:	"Kasatkin, Dmitry" <dmitry.kasatkin@...el.com>
To:	David Howells <dhowells@...hat.com>
Cc:	zohar@...ux.vnet.ibm.com, linux-kernel@...r.kernel.org,
	keyrings@...ux-nfs.org, linux-security-module@...r.kernel.org,
	linux-crypto@...r.kernel.org
Subject: Re: [PATCH 3/3] KEYS: Add a 'trusted' flag and a 'trusted only' flag

On Wed, Jan 30, 2013 at 12:32 PM, David Howells <dhowells@...hat.com> wrote:
> Kasatkin, Dmitry <dmitry.kasatkin@...el.com> wrote:
>
>> What about the case when running from integrity protected initramfs?
>> Either embedded into the signed kernel, or verified by the boot loader.
>> In such a case it is possible to assume that all keys which are added by
>> user space are implicitly trusted.
>> Later on, before continuing booting normal rootfs, set the key
>> subsystem state (trust-lock),
>> so that trusted keyrings accept only explicitly trusted keys...
>>
>> Does it make sense?
>
> I'm not sure it does.  Initramfs is (re-)fabricated on the machine on which it
> runs any time you update one of a set of rpms (such as the kernel rpm) because
> it has machine-specific data and drivers in it.
>

Based on my latest post on signed initramfs, it might make sense.
But it seems to me that it would be the behavior anyway, because the "first"
key added should implicitly be assumed trusted.

- Dmitry

> David
> --
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
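The policy sketched in the exchange above (keys added from a verified initramfs are implicitly trusted, then a subsystem-wide trust-lock is set so that trusted-only keyrings accept only keys explicitly vouched for by an already-trusted key) can be written out as a small model. The following is an added example written for this archive page; it is not the kernel's keyring code, not David's patch, and not Dmitry's code. The names `KEYRING_TRUSTED_ONLY`, `struct key_subsys`, `keyring_add`, the `signer` parameter and the constructed key names are all hypothetical; "explicitly trusted" is modelled simply as "vouched for by a key already trusted in the same keyring".

```c
/* Added example: a toy model of the trust-lock policy from the thread.
 * Not the Linux keyring API; every identifier here is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 8

/* Hypothetical keyring flag modelled after the 'trusted only' flag in the
 * patch title: such a keyring refuses to link a key that is not trusted. */
#define KEYRING_TRUSTED_ONLY 0x1u

struct key {
    char name[32];
    bool trusted;   /* the per-key 'trusted' flag */
};

struct keyring {
    unsigned flags;
    size_t n;
    struct key keys[MAX_KEYS];
};

/* Subsystem-wide state: the trust-lock Dmitry describes. It is clear while
 * the integrity-protected initramfs runs and set before pivoting to rootfs. */
struct key_subsys {
    bool trust_locked;
};

enum add_result { ADD_OK_TRUSTED, ADD_OK_UNTRUSTED, ADD_REJECTED, ADD_FULL };

static const struct key *keyring_find(const struct keyring *kr, const char *name)
{
    for (size_t i = 0; i < kr->n; i++)
        if (strcmp(kr->keys[i].name, name) == 0)
            return &kr->keys[i];
    return NULL;
}

/* Before the trust-lock every key added from user space is implicitly
 * trusted (this is also why the "first" key added ends up trusted). After
 * the lock a key is trusted only if explicitly vouched for by a key that is
 * already trusted in this keyring; 'signer' names that key (constructed). */
static bool key_is_trusted(const struct key_subsys *ks, const struct keyring *kr,
                           const char *signer)
{
    if (!ks->trust_locked)
        return true;
    if (signer == NULL)
        return false;
    const struct key *s = keyring_find(kr, signer);
    return s != NULL && s->trusted;
}

enum add_result keyring_add(struct key_subsys *ks, struct keyring *kr,
                            const char *name, const char *signer)
{
    if (kr->n >= MAX_KEYS)
        return ADD_FULL;
    bool trusted = key_is_trusted(ks, kr, signer);
    /* A trusted-only keyring drops untrusted keys instead of linking them. */
    if (!trusted && (kr->flags & KEYRING_TRUSTED_ONLY))
        return ADD_REJECTED;
    struct key *k = &kr->keys[kr->n++];
    snprintf(k->name, sizeof k->name, "%s", name);
    k->trusted = trusted;
    return trusted ? ADD_OK_TRUSTED : ADD_OK_UNTRUSTED;
}

/* The boot sequence from the thread, with constructed key names: initramfs
 * adds a key (implicitly trusted), the trust-lock is set, then rootfs user
 * space tries to add more keys. Returns how many keys were linked. */
size_t demo_boot_sequence(void)
{
    struct key_subsys ks = { .trust_locked = false };
    struct keyring kr = { .flags = KEYRING_TRUSTED_ONLY };

    keyring_add(&ks, &kr, "vendor-ca", NULL);             /* initramfs: trusted */
    ks.trust_locked = true;                                /* before rootfs */
    keyring_add(&ks, &kr, "module-signer", "vendor-ca");  /* vouched: linked */
    keyring_add(&ks, &kr, "rogue", NULL);                  /* unvouched: rejected */
    keyring_add(&ks, &kr, "rogue2", "rogue");              /* signer absent: rejected */
    return kr.n;
}

/* Locked subsystem, trusted-only keyring, unvouched key: rejected. */
enum add_result demo_unvouched_after_lock(void)
{
    struct key_subsys ks = { .trust_locked = true };
    struct keyring kr = { .flags = KEYRING_TRUSTED_ONLY };
    return keyring_add(&ks, &kr, "rogue", NULL);
}

/* A keyring without the trusted-only flag still links the key, unmarked. */
enum add_result demo_unvouched_on_open_keyring(void)
{
    struct key_subsys ks = { .trust_locked = true };
    struct keyring kr = { .flags = 0 };
    return keyring_add(&ks, &kr, "user-key", NULL);
}

int main(void)
{
    printf("%zu keys linked after boot sequence\n", demo_boot_sequence());
    return 0;
}
```

The point the model makes visible is the one David's objection turns on: everything linked before the lock is trusted only as far as the initramfs itself was verified, so a regenerated, unsigned initramfs would let arbitrary user-space keys into the trusted set before the lock closes.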
