| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Jun 2014 16:20:55 +0100 From: Matthew Garrett <mjg59@...f.ucam.org> To: Mimi Zohar <zohar@...ux.vnet.ibm.com> Cc: Dmitry Kasatkin <dmitry.kasatkin@...il.com>, Josh Boyer <jwboyer@...hat.com>, David Howells <dhowells@...hat.com>, Dmitry Kasatkin <d.kasatkin@...sung.com>, keyrings <keyrings@...ux-nfs.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, linux-security-module <linux-security-module@...r.kernel.org> Subject: Re: [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only On Wed, Jun 11, 2014 at 08:30:20AM -0400, Mimi Zohar wrote: > On Wed, 2014-06-11 at 04:23 +0100, Matthew Garrett wrote: > > Yes. Wouldn't having a mechanism to allow userspace to drop keys that > > have otherwise been imported be a generally useful solution to the issue > > you have with that? > > There are issues removing a key from both the local system(eg. cache, > running apps) and the attestation server (eg. ima-sig template > verification) perspectives. We would need to address these concerns > before supporting key removal. For your use-case you'd want to do this before running any significant quantity of userspace. The firmware keys are going to be hashed into PCR 7, so they're already part of your attestation. -- Matthew Garrett | mjg59@...f.ucam.org -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists