Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

2016-01-06 Thread David Howells
Mimi Zohar wrote: > The x509_validate_trust() was originally added for IMA to ensure, on a > secure boot system, a certificate chain of trust rooted in hardware. > The IMA MOK keyring extends this certificate chain of trust to the > running system. The problem is that

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

2016-01-06 Thread Mimi Zohar
On Wed, 2016-01-06 at 13:21 +, David Howells wrote: > Mimi Zohar wrote: > > > The x509_validate_trust() was originally added for IMA to ensure, on a > > secure boot system, a certificate chain of trust rooted in hardware. > > The IMA MOK keyring extends this

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

2016-01-06 Thread David Howells
Mimi Zohar wrote: > Once the builtin keys are loaded onto the system keyring, isn't the > system keyring locked? No. David -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

2016-01-06 Thread Mimi Zohar
On Tue, 2016-01-05 at 16:39 +, David Howells wrote: > Mimi Zohar wrote: > > > You're missing Petko's patch: > > 41c89b6 IMA: create machine owner and blacklist keyrings > > Hmmm... This is wrong. x509_key_preparse() shouldn't be polling the IMA MOK > keyring

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

2016-01-06 Thread Petko Manolov
On 16-01-06 13:21:27, David Howells wrote: > Mimi Zohar wrote: > > > The x509_validate_trust() was originally added for IMA to ensure, on a > > secure boot system, a certificate chain of trust rooted in hardware. The > > IMA > > MOK keyring extends this certificate

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

2016-01-05 Thread David Howells
Mimi Zohar wrote: > You're missing Petko's patch: > 41c89b6 IMA: create machine owner and blacklist keyrings It should also be cc'd to the keyrings mailing list. David -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

2016-01-05 Thread Petko Manolov
On 16-01-05 16:40:31, David Howells wrote: > Mimi Zohar wrote: > > > You're missing Petko's patch: > > 41c89b6 IMA: create machine owner and blacklist keyrings > > It should also be cc'd to the keyrings mailing list. Right. If i am not terribly mistaken there's no

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

2016-01-05 Thread Mimi Zohar
On Tue, 2016-01-05 at 15:47 +, David Howells wrote: > If a certificate is self-signed, don't bother checking the validity of the > signature. The cert cannot be checked by validation against the next one > in the chain as this is the root of the chain. Trust for this certificate > can only

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

2016-01-05 Thread David Howells
Mimi Zohar wrote: > You're missing Petko's patch: > 41c89b6 IMA: create machine owner and blacklist keyrings Hmmm... This is wrong. x509_key_preparse() shouldn't be polling the IMA MOK keyring under all circumstances. David -- To unsubscribe from this list: send the

Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]

2016-01-05 Thread David Howells
David Howells wrote: > If a certificate is self-signed, don't bother checking the validity of the > signature. The cert cannot be checked by validation against the next one > in the chain as this is the root of the chain. Trust for this certificate > can only be determined