Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring

From: Petko Manolov
Date: Wed Jan 13 2016 - 14:19:55 EST


On 16-01-13 13:56:39, Mimi Zohar wrote:
> On Wed, 2016-01-13 at 20:35 +0200, Petko Manolov wrote:
> > On 16-01-13 18:19:10, David Howells wrote:
> > > Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> > >
> > > > I beg to differ. The IMA model is not broken with the current patches
> > > > being upstreamed. The basic concepts developed will continue to be
> > > > used, perhaps not directly by IMA.
> > >
> > > I still object to the change to x509_key_preparse() and still want it
> > > reverting or removing. It affects module signing too.
> >
> > The only problem i see with the code is that in case .ima_mok is not configured
> > x509_validate_trust() returns NULL, which falsely set the key as trusted. This
> > could easily be fixed.
>
> When IMA_MOK_KEYRING is not enabled, get_ima_mok_keyring() will return NULL.
> x509_validate_trust() will return -EOPNOTSUPP.
>
> The code is fine.

Oops, my bad. It's been a while since i wrote that code... :)


Petko