Mimi Zohar wrote:
> The x509_validate_trust() was originally added for IMA to ensure, on a
> secure boot system, a certificate chain of trust rooted in hardware.
> The IMA MOK keyring extends this certificate chain of trust to the
> running system.
The problem is that
On Wed, 2016-01-06 at 13:21 +, David Howells wrote:
> Mimi Zohar wrote:
>
> > The x509_validate_trust() was originally added for IMA to ensure, on a
> > secure boot system, a certificate chain of trust rooted in hardware.
> > The IMA MOK keyring extends this
Mimi Zohar wrote:
> Once the builtin keys are loaded onto the system keyring, isn't the
> system keyring locked?
No.
David
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More
On Tue, 2016-01-05 at 16:39 +, David Howells wrote:
> Mimi Zohar wrote:
>
> > You're missing Petko's patch:
> > 41c89b6 IMA: create machine owner and blacklist keyrings
>
> Hmmm... This is wrong. x509_key_preparse() shouldn't be polling the IMA MOK
> keyring
On 16-01-06 13:21:27, David Howells wrote:
> Mimi Zohar wrote:
>
> > The x509_validate_trust() was originally added for IMA to ensure, on a
> > secure boot system, a certificate chain of trust rooted in hardware. The
> > IMA MOK keyring extends this certificate
Mimi Zohar wrote:
> You're missing Petko's patch:
> 41c89b6 IMA: create machine owner and blacklist keyrings
It should also be cc'd to the keyrings mailing list.
David
On 16-01-05 16:40:31, David Howells wrote:
> Mimi Zohar wrote:
>
> > You're missing Petko's patch:
> > 41c89b6 IMA: create machine owner and blacklist keyrings
>
> It should also be cc'd to the keyrings mailing list.
Right.
If I am not terribly mistaken there's no
On Tue, 2016-01-05 at 15:47 +, David Howells wrote:
> If a certificate is self-signed, don't bother checking the validity of the
> signature. The cert cannot be checked by validation against the next one
> in the chain as this is the root of the chain. Trust for this certificate
> can only
Mimi Zohar wrote:
> You're missing Petko's patch:
> 41c89b6 IMA: create machine owner and blacklist keyrings
Hmmm... This is wrong. x509_key_preparse() shouldn't be polling the IMA MOK
keyring under all circumstances.
David
David Howells wrote:
> If a certificate is self-signed, don't bother checking the validity of the
> signature. The cert cannot be checked by validation against the next one
> in the chain as this is the root of the chain. Trust for this certificate
> can only be determined
10 matches