Re: [RFC PATCH 12/12] IMA: Use the the system trusted keyrings instead of .ima_mok [ver #3]

From: David Howells
Date: Fri Apr 01 2016 - 10:33:38 EST

Next message: Philipp Zabel: "Re: [PATCH 0/2] reset: Add support for Oxford Semiconductor Reset"
Previous message: Jens Axboe: "Re: [PATCHSET v3][RFC] Make background writeback not suck"
In reply to: Mimi Zohar: "Re: [RFC PATCH 12/12] IMA: Use the the system trusted keyrings instead of .ima_mok [ver #3]"
Next in thread: Mimi Zohar: "Re: [RFC PATCH 12/12] IMA: Use the the system trusted keyrings instead of .ima_mok [ver #3]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> The only place where "KEY_ALLOC_BYPASS_RESTRICTION" is specified is in
> load_system_certificate_list(), when adding keys to
> the .builtin_trusted_keys keyring. There is no other set of keys
> builtin and added to the IMA keyring.

Are the keys loaded by integrity_load_x509() required to be validly signed by
the builtin/secondary keys? Or is that unnecessary given that they are loaded
and thus protected through integrity_read_file()?

David

Next message: Philipp Zabel: "Re: [PATCH 0/2] reset: Add support for Oxford Semiconductor Reset"
Previous message: Jens Axboe: "Re: [PATCHSET v3][RFC] Make background writeback not suck"
In reply to: Mimi Zohar: "Re: [RFC PATCH 12/12] IMA: Use the the system trusted keyrings instead of .ima_mok [ver #3]"
Next in thread: Mimi Zohar: "Re: [RFC PATCH 12/12] IMA: Use the the system trusted keyrings instead of .ima_mok [ver #3]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]