Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:

> The x509_validate_trust() was originally added for IMA to ensure, on a
> secure boot system, a certificate chain of trust rooted in hardware.
> The IMA MOK keyring extends this certificate chain of trust to the
> running system.

The problem is that because 'trusted' is a boolean, a key in the IMA MOK keyring will permit addition to the system keyring.

David