| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20160113180129.GA7826@localhost> Date: Wed, 13 Jan 2016 20:01:29 +0200 From: Petko Manolov <petkan@...-labs.com> To: Mimi Zohar <zohar@...ux.vnet.ibm.com> Cc: David Howells <dhowells@...hat.com>, James Morris <jmorris@...ei.org>, linux-security-module@...r.kernel.org, keyrings@...r.kernel.org, linux-kernel@...r.kernel.org, mdb@...iper.net Subject: Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring On 16-01-13 12:51:36, Mimi Zohar wrote: > On Wed, 2016-01-13 at 18:31 +0200, Petko Manolov wrote: > > > > I am not opposed to everything what you suggest. Since we did that work in > > parallel (your stuff and the IMA keyring additions) with no communication > > between us, we ended up with broken IMA model. I see three possibilities: > > > > - dump the IMA changes for this release (not happy about it); > > > > - try to quickly adapt the IMA system to your changes (not sure if it can be > > done easily and/or quickly) and do it properly for 4.6; > > > > - elevate .ima_mok/blacklist to system wide RW keyrings (we may miss the merge > > window); > > I beg to differ. The IMA model is not broken with the current patches being > upstreamed. The basic concepts developed will continue to be used, perhaps > not directly by IMA. > > David's proposal is a major redesign of keyrings and the system keyring in > particular. It looks promising, but will need to be reviewed. Due to time limitations i was not able to study David's changes in detail. I only commented on what (i thought) i understood. :) I assume a wider discussion will clean out the details. Petko
Powered by blists - more mailing lists