| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1452711399.2683.43.camel@linux.vnet.ibm.com> Date: Wed, 13 Jan 2016 13:56:39 -0500 From: Mimi Zohar <zohar@...ux.vnet.ibm.com> To: Petko Manolov <petkan@...-labs.com> Cc: David Howells <dhowells@...hat.com>, James Morris <jmorris@...ei.org>, linux-security-module@...r.kernel.org, keyrings@...r.kernel.org, linux-kernel@...r.kernel.org, mdb@...iper.net Subject: Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring On Wed, 2016-01-13 at 20:35 +0200, Petko Manolov wrote: > On 16-01-13 18:19:10, David Howells wrote: > > Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote: > > > > > I beg to differ. The IMA model is not broken with the current patches > > > being upstreamed. The basic concepts developed will continue to be > > > used, perhaps not directly by IMA. > > > > I still object to the change to x509_key_preparse() and still want it > > reverting or removing. It affects module signing too. > > The only problem i see with the code is that in case .ima_mok is not configured > x509_validate_trust() returns NULL, which falsely set the key as trusted. This > could easily be fixed. When IMA_MOK_KEYRING is not enabled, get_ima_mok_keyring() will return NULL. x509_validate_trust() will return -EOPNOTSUPP. The code is fine. Mimi > Some users do want to be able to load kernel modules signed by other trusted > parties. Think of .ima_mok as system wide keyring in this case. It is > semantically broken, but it does the right thing. > > > Petko
Powered by blists - more mailing lists