Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring
From: Mimi Zohar
Date: Wed Jan 13 2016 - 13:57:58 EST
On Wed, 2016-01-13 at 20:35 +0200, Petko Manolov wrote:
> On 16-01-13 18:19:10, David Howells wrote:
> > Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> >
> > > I beg to differ. The IMA model is not broken with the current patches
> > > being upstreamed. The basic concepts developed will continue to be
> > > used, perhaps not directly by IMA.
> >
> > I still object to the change to x509_key_preparse() and still want it
> > reverting or removing. It affects module signing too.
>
> The only problem i see with the code is that in case .ima_mok is not configured
> x509_validate_trust() returns NULL, which falsely set the key as trusted. This
> could easily be fixed.
When IMA_MOK_KEYRING is not enabled, get_ima_mok_keyring() will return
NULL. x509_validate_trust() will return -EOPNOTSUPP.
The code is fine.
Mimi
> Some users do want to be able to load kernel modules signed by other trusted
> parties. Think of .ima_mok as system wide keyring in this case. It is
> semantically broken, but it does the right thing.
>
>
> Petko