Re: [RFC PATCH 12/12] IMA: Use the the system trusted keyrings instead of .ima_mok [ver #3]

From: Mimi Zohar
Date: Fri Apr 01 2016 - 13:08:36 EST

Next message: Laurent Pinchart: "Re: [PATCH 1/3 v2] drm/i2c/adv7511: Add audio support"
Previous message: Holger HoffstÃtte: "Re: [PATCHSET v3][RFC] Make background writeback not suck"
In reply to: David Howells: "Re: [RFC PATCH 12/12] IMA: Use the the system trusted keyrings instead of .ima_mok [ver #3]"
Next in thread: David Howells: "Re: [RFC PATCH 12/12] IMA: Use the the system trusted keyrings instead of .ima_mok [ver #3]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2016-04-01 at 15:06 +0100, David Howells wrote:
> David Howells <dhowells@xxxxxxxxxx> wrote:
>
> > The three choice options I implemented don't exactly provide new features.
> > Firstly:
> >
> > config IMA_LOAD_X509
> >
> > allow keys to be loaded in at compile time,
>
> Ah - I think I'm labouring under a slight misapprehension here. IMA_LOAD_X509
> doesn't load keys at compile time, but rather the kernel loads a file by name
> when booting, right?

Right, all certificates must be signed by a key on the builtin (or
secondary keyring) before being added to the IMA keyring. Similarly,
dracut (modules/98integrity/ and systemd (ima-setup.c) have support for
loading signed certificates on the IMA keyring.

Mimi

Next message: Laurent Pinchart: "Re: [PATCH 1/3 v2] drm/i2c/adv7511: Add audio support"
Previous message: Holger HoffstÃtte: "Re: [PATCHSET v3][RFC] Make background writeback not suck"
In reply to: David Howells: "Re: [RFC PATCH 12/12] IMA: Use the the system trusted keyrings instead of .ima_mok [ver #3]"
Next in thread: David Howells: "Re: [RFC PATCH 12/12] IMA: Use the the system trusted keyrings instead of .ima_mok [ver #3]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]