subject:"\\\[PATCH\\\] X.509\\\: Partially revert patch to add validation against IMA MOK keyring"

[PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring

2016-01-06 Thread David Howells

Partially revert commit 41c89b64d7184a780f12f2cccdabe65cb2408893:

Author: Petko Manolov 
Date:   Wed Dec 2 17:47:55 2015 +0200
IMA: create machine owner and blacklist keyrings

The problem is that prep->trusted is a simple boolean and the additional
x509_validate_trust() call doesn't therefore distinguish levels of
trustedness, but is just OR'd with the result of validation against the
system trusted keyring.

However, setting the trusted flag means that this key may be added to *any*
trusted-only keyring - including the system trusted keyring.

Whilst I appreciate what the patch is trying to do, I don't think this is
quite the right solution.

Signed-off-by: David Howells 
cc: Petko Manolov 
cc: Mimi Zohar 
cc: keyri...@vger.kernel.org
---

 crypto/asymmetric_keys/x509_public_key.c |2 --
 1 file changed, 2 deletions(-)

diff --git a/crypto/asymmetric_keys/x509_public_key.c 
b/crypto/asymmetric_keys/x509_public_key.c
index 9e9e5a6a9ed6..2a44b3752471 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -321,8 +321,6 @@ static int x509_key_preparse(struct key_preparsed_payload 
*prep)
goto error_free_cert;
} else if (!prep->trusted) {
ret = x509_validate_trust(cert, get_system_trusted_keyring());
-   if (ret)
-   ret = x509_validate_trust(cert, get_ima_mok_keyring());
if (!ret)
prep->trusted = 1;
}

--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring

2016-01-06 Thread David Howells

David Howells  wrote:

> Partially revert commit 41c89b64d7184a780f12f2cccdabe65cb2408893:
> 
>   Author: Petko Manolov 
>   Date:   Wed Dec 2 17:47:55 2015 +0200
>   IMA: create machine owner and blacklist keyrings
> 
> The problem is that prep->trusted is a simple boolean and the additional
> x509_validate_trust() call doesn't therefore distinguish levels of
> trustedness, but is just OR'd with the result of validation against the
> system trusted keyring.
> 
> However, setting the trusted flag means that this key may be added to *any*
> trusted-only keyring - including the system trusted keyring.
> 
> Whilst I appreciate what the patch is trying to do, I don't think this is
> quite the right solution.

Please apply this to security/next.

Thanks,
David
--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring

2016-01-06 Thread Mimi Zohar

On Thu, 2016-01-07 at 00:34 +, David Howells wrote:
> David Howells  wrote:
> 
> > Partially revert commit 41c89b64d7184a780f12f2cccdabe65cb2408893:
> > 
> > Author: Petko Manolov 
> > Date:   Wed Dec 2 17:47:55 2015 +0200
> > IMA: create machine owner and blacklist keyrings
> > 
> > The problem is that prep->trusted is a simple boolean and the additional
> > x509_validate_trust() call doesn't therefore distinguish levels of
> > trustedness, but is just OR'd with the result of validation against the
> > system trusted keyring.
> > 
> > However, setting the trusted flag means that this key may be added to *any*
> > trusted-only keyring - including the system trusted keyring.

Hm, I'm not able to add a key to the system keyring that is signed by a
key on either the system or the IMA MOK keyrings.  The system keyring
seems to be "locked".  A key that is signed by either a key on the
system or the IMA MOK keyring can be added to the IMA keyring.

keyctl show %keyring:.system_keyring
Keyring
 973688077 ---lswrv  0 0  keyring: .system_keyring

evmctl import m1-cert-signed.der 973688077
add_key failed
errno: Permission denied (13)

Mimi

> > Whilst I appreciate what the patch is trying to do, I don't think this is
> > quite the right solution.

> Please apply this to security/next.
> 
> Thanks,
> David


--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring

Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring

Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring

3 matches

Site Navigation

Mail list logo

Footer information