| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20160113191900.GG7826@localhost> Date: Wed, 13 Jan 2016 21:19:01 +0200 From: Petko Manolov <petkan@...-labs.com> To: Mimi Zohar <zohar@...ux.vnet.ibm.com> Cc: David Howells <dhowells@...hat.com>, James Morris <jmorris@...ei.org>, linux-security-module@...r.kernel.org, keyrings@...r.kernel.org, linux-kernel@...r.kernel.org, mdb@...iper.net Subject: Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring On 16-01-13 13:56:39, Mimi Zohar wrote: > On Wed, 2016-01-13 at 20:35 +0200, Petko Manolov wrote: > > On 16-01-13 18:19:10, David Howells wrote: > > > Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote: > > > > > > > I beg to differ. The IMA model is not broken with the current patches > > > > being upstreamed. The basic concepts developed will continue to be > > > > used, perhaps not directly by IMA. > > > > > > I still object to the change to x509_key_preparse() and still want it > > > reverting or removing. It affects module signing too. > > > > The only problem i see with the code is that in case .ima_mok is not configured > > x509_validate_trust() returns NULL, which falsely set the key as trusted. This > > could easily be fixed. > > When IMA_MOK_KEYRING is not enabled, get_ima_mok_keyring() will return NULL. > x509_validate_trust() will return -EOPNOTSUPP. > > The code is fine. Oops, my bad. It's been a while since i wrote that code... :) Petko
Powered by blists - more mailing lists