| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1457402735.5321.14.camel@linux.vnet.ibm.com> Date: Mon, 07 Mar 2016 21:05:35 -0500 From: Mimi Zohar <zohar@...ux.vnet.ibm.com> To: David Howells <dhowells@...hat.com> Cc: linux-security-module@...r.kernel.org, keyrings@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2] On Fri, 2016-03-04 at 15:01 +0000, David Howells wrote: > Add a secondary system keyring that can be added to by root whilst the > system is running - provided the key being added is vouched for by a key > built into the kernel or already added to the secondary keyring. > > Rename .system_keyring to .builtin_trusted_keys to distinguish it more > obviously from the new keyring (called .secondary_trusted_keys). Renaming of the system_trusted_keyring to builtin_trusted_keys is fine, but we're left with a lot of references to "system_trusted" (eg. restrict_link_to_system_trusted, depends on SYSTEM_TRUSTED_KEYRING, the subsequent patch description and Kconfig use "system trusted keyrings", etc). Without changing these references, I'm not convinced this is an improvement. Mimi > The new keyring needs to be enabled with CONFIG_SECONDARY_TRUSTED_KEYRING. > > If the secondary keyring is enabled, a link is created from that to > .builtin_trusted_keys so that the the latter will automatically be searched > too if the secondary keyring is searched. > > Signed-off-by: David Howells <dhowells@...hat.com>
Powered by blists - more mailing lists