Mimi Zohar wrote:
> The x509_validate_trust() was originally added for IMA to ensure, on a
> secure boot system, a certificate chain of trust rooted in hardware.
> The IMA MOK keyring extends this certificate chain of trust to the
> running system.
The problem is that
On Wed, 2016-01-06 at 13:21 +, David Howells wrote:
> Mimi Zohar wrote:
>
> > The x509_validate_trust() was originally added for IMA to ensure, on a
> > secure boot system, a certificate chain of trust rooted in hardware.
> > The IMA MOK keyring extends this
Mimi Zohar wrote:
> Once the builtin keys are loaded onto the system keyring, isn't the
> system keyring locked?
No.
David
On Tue, 2016-01-05 at 16:39 +, David Howells wrote:
> Mimi Zohar wrote:
>
> > You're missing Petko's patch:
> > 41c89b6 IMA: create machine owner and blacklist keyrings
>
> Hmmm... This is wrong. x509_key_preparse() shouldn't be polling the IMA MOK
> keyring
On 16-01-06 13:21:27, David Howells wrote:
> Mimi Zohar wrote:
>
> > The x509_validate_trust() was originally added for IMA to ensure, on a
> > secure boot system, a certificate chain of trust rooted in hardware. The
> > IMA
> > MOK keyring extends this certificate
Mimi Zohar wrote:
> You're missing Petko's patch:
> 41c89b6 IMA: create machine owner and blacklist keyrings
It should also be cc'd to the keyrings mailing list.
David
On 16-01-05 16:40:31, David Howells wrote:
> Mimi Zohar wrote:
>
> > You're missing Petko's patch:
> > 41c89b6 IMA: create machine owner and blacklist keyrings
>
> It should also be cc'd to the keyrings mailing list.
Right.
If I am not terribly mistaken there's no
On Tue, 2016-01-05 at 15:47 +, David Howells wrote:
> If a certificate is self-signed, don't bother checking the validity of the
> signature. The cert cannot be checked by validation against the next one
> in the chain as this is the root of the chain. Trust for this certificate
> can only
Mimi Zohar wrote:
> You're missing Petko's patch:
> 41c89b6 IMA: create machine owner and blacklist keyrings
Hmmm... This is wrong. x509_key_preparse() shouldn't be polling the IMA MOK
keyring under all circumstances.
David
David Howells wrote:
> If a certificate is self-signed, don't bother checking the validity of the
> signature. The cert cannot be checked by validation against the next one
> in the chain as this is the root of the chain. Trust for this certificate
> can only be determined
If a certificate is self-signed, don't bother checking the validity of the
signature. The cert cannot be checked by validation against the next one
in the chain as this is the root of the chain. Trust for this certificate
can only be determined by whether we obtained it from a trusted location