Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring

[Mimi Zohar]

On Wed, 2016-01-13 at 20:35 +0200, Petko Manolov wrote:
> On 16-01-13 18:19:10, David Howells wrote:
> > Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> > 
> > > I beg to differ.  The IMA model is not broken with the current patches
> > > being upstreamed.  The basic concepts developed will continue to be
> > > used, perhaps not directly by IMA.
> > 
> > I still object to the change to x509_key_preparse() and still want it 
> > reverting or removing.  It affects module signing too.
> 
> The only problem i see with the code is that in case .ima_mok is not configured 
> x509_validate_trust() returns NULL, which falsely set the key as trusted.  This 
> could easily be fixed.

When IMA_MOK_KEYRING  is not enabled, get_ima_mok_keyring() will return
NULL.  x509_validate_trust() will return -EOPNOTSUPP.

The code is fine.

Mimi

> Some users do want to be able to load kernel modules signed by other trusted 
> parties.  Think of .ima_mok as system wide keyring in this case.  It is 
> semantically broken, but it does the right thing.
> 
> 
> 		Petko