Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring

From: Mimi Zohar
Date: Sun Jan 10 2016 - 18:56:11 EST


On Sun, 2016-01-10 at 20:33 +0000, David Howells wrote:
> David Howells <dhowells@xxxxxxxxxx> wrote:

> (4) Marcel asked to have user-based 'trusted' keyrings - where userspace
> can load a keyring up and then mark it as 'trusted' thereby limiting
> further additions - for the use with kernel-based TLS.
>
> These would *not* depend on the .system keyring. Unless we're willing
> to store the root CA certificate for the world in the kernel, we can't
> really do that.

Is this the primary use case scenario for your patches? Unfortunately,
your posted patches would break the existing IMA trust model. Let's
identify the different use case scenarios and work together to meet the
different requirements.

Mimi