lists.openwall.net - Open Source and information security mailing list archives
Date:	Wed, 13 Jan 2016 20:35:19 +0200
From:	Petko Manolov <petkan@...-labs.com>
To:	David Howells <dhowells@...hat.com>
Cc:	Mimi Zohar <zohar@...ux.vnet.ibm.com>,
	James Morris <jmorris@...ei.org>,
	linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
	linux-kernel@...r.kernel.org, mdb@...iper.net
Subject:	Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring

On 16-01-13 18:19:10, David Howells wrote:
> Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote:
> 
> > I beg to differ.  The IMA model is not broken with the current patches
> > being upstreamed.  The basic concepts developed will continue to be
> > used, perhaps not directly by IMA.
> 
> I still object to the change to x509_key_preparse() and still want it 
> reverting or removing.  It affects module signing too.

The only problem I see with the code is that in case .ima_mok is not configured, 
x509_validate_trust() returns NULL, which falsely sets the key as trusted.  This 
could easily be fixed.

Some users do want to be able to load kernel modules signed by other trusted 
parties.  Think of .ima_mok as a system-wide keyring in this case.  It is 
semantically broken, but it does the right thing.


		Petko
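The failure mode Petko describes, a trust lookup whose "keyring not configured" result is reported as NULL and therefore read as success by the caller, can be modelled in a few lines of userspace C. The block below is an added illustration written for this page; it is not the kernel's x509_validate_trust(), x509_key_preparse() or keyring code, and the model_* names, the sample keyrings and the ERR_PTR/IS_ERR re-implementation are constructed for the example. It shows the buggy helper beside a fixed one that reports an absent keyring as an error pointer, driven through a caller shaped like a preparse step.

```c
/* Constructed userspace model of the failure mode discussed above: a trust
 * lookup that reports "keyring not configured" as NULL, which the kernel-style
 * check !IS_ERR() accepts as success. Hypothetical names (model_*); not the
 * kernel's x509_validate_trust() or its keyring API. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal re-implementation of the kernel's ERR_PTR/IS_ERR convention:
 * the top MAX_ERRNO addresses encode negative errno values. NULL is not
 * in that range, so IS_ERR(NULL) is false. */
#define MAX_ERRNO 4095
static inline const void *ERR_PTR(long err) { return (const void *)(intptr_t)err; }
static inline bool IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct model_key     { const char *id; };
struct model_keyring { const struct model_key *keys; size_t nkeys; };

/* Constructed sample data: a built-in CA in the primary keyring, and a vendor
 * CA that only exists in the optional secondary keyring. */
static const struct model_key model_primary_keys[]   = { { "builtin-ca" } };
static const struct model_key model_secondary_keys[] = { { "vendor-ca" } };
static const struct model_keyring model_primary   = { model_primary_keys,   1 };
static const struct model_keyring model_secondary = { model_secondary_keys, 1 };

/* Look the issuer up in a configured keyring: matching key or ERR_PTR(-ENOKEY). */
static const struct model_key *
model_lookup(const struct model_keyring *kr, const char *issuer_id)
{
    for (size_t i = 0; i < kr->nkeys; i++)
        if (strcmp(kr->keys[i].id, issuer_id) == 0)
            return &kr->keys[i];
    return ERR_PTR(-ENOKEY);
}

/* Buggy variant: an unconfigured keyring (kr == NULL) yields NULL, which is
 * not an error pointer and therefore looks like a successful match. */
static const struct model_key *
model_find_trust_buggy(const struct model_keyring *kr, const char *issuer_id)
{
    if (!kr)
        return NULL;
    return model_lookup(kr, issuer_id);
}

/* Fixed variant: "not configured" is reported as an error pointer, so the
 * caller cannot confuse it with a match. */
static const struct model_key *
model_find_trust_fixed(const struct model_keyring *kr, const char *issuer_id)
{
    if (!kr)
        return ERR_PTR(-EOPNOTSUPP);
    return model_lookup(kr, issuer_id);
}

typedef const struct model_key *(*model_find_fn)(const struct model_keyring *, const char *);

/* Caller in the shape of a preparse step: consult the primary keyring, fall
 * back to the secondary one, and mark the key trusted when the lookup did not
 * fail. With the buggy helper and no secondary keyring, NULL slips through. */
static bool
model_preparse_trusted(model_find_fn find, const struct model_keyring *primary,
                       const struct model_keyring *secondary, const char *issuer_id)
{
    const struct model_key *k = find(primary, issuer_id);
    if (IS_ERR(k))
        k = find(secondary, issuer_id);
    return !IS_ERR(k);
}

/* Entry point for experiments: use_fixed selects the helper, secondary_configured
 * toggles whether the optional keyring exists. Returns the resulting trust bit. */
bool model_check_trust(bool use_fixed, bool secondary_configured, const char *issuer_id)
{
    model_find_fn find = use_fixed ? model_find_trust_fixed : model_find_trust_buggy;
    return model_preparse_trusted(find, &model_primary,
                                  secondary_configured ? &model_secondary : NULL,
                                  issuer_id);
}

int main(void)
{
    printf("buggy, no secondary keyring, unknown issuer: trusted=%d\n",
           model_check_trust(false, false, "unknown-ca"));
    printf("fixed, no secondary keyring, unknown issuer: trusted=%d\n",
           model_check_trust(true, false, "unknown-ca"));
    printf("fixed, secondary keyring present, vendor-ca: trusted=%d\n",
           model_check_trust(true, true, "vendor-ca"));
    return 0;
}
```

The first call shows the leak: with the buggy helper and the secondary keyring absent, an issuer that nobody vouches for ends up trusted, purely because NULL is not an error pointer. Fixing the helper is enough for this caller, but a defensive caller would also test with the kernel's IS_ERR_OR_NULL() rather than IS_ERR() so that a NULL from any lookup path is never mistaken for a match.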
