Re: [RFC PATCH 12/12] IMA: Use the system trusted keyrings instead of .ima_mok [ver #3]

From: Mimi Zohar
Date: Wed Apr 06 2016 - 12:47:52 EST


On Wed, 2016-04-06 at 17:13 +0100, David Howells wrote:
> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
>
> > FYI, restrict_link_by_ima_mok() allows keys to be added to the IMA
> > keyring signed by a key on the .ima_mok keyring, but
> > restrict_link_by_builtin_and_secondary_trusted() results in "errno:
> > Required key not available (126)".
>
> Is that fixed by fixing restrict_link_by_builtin_and_secondary_trusted() to
> check the right keyring?

Yes