From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Petko Manolov <petkan@mip-labs.com>
Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-ima-devel@lists.sourceforge.net,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Subject: Re: [PATCHv3 1/6] integrity: define '.evm' as a builtin 'trusted' keyring
Date: Fri, 23 Oct 2015 14:43:53 -0400 [thread overview]
Message-ID: <1445625833.2459.360.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20151023130450.GL5224@localhost>
On Fri, 2015-10-23 at 16:05 +0300, Petko Manolov wrote:
> On 15-10-22 21:49:25, Dmitry Kasatkin wrote:
> > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> > index df30334..a292b88 100644
> > --- a/security/integrity/ima/Kconfig
> > +++ b/security/integrity/ima/Kconfig
> > @@ -123,14 +123,17 @@ config IMA_APPRAISE
> > If unsure, say N.
> >
> > config IMA_TRUSTED_KEYRING
> > - bool "Require all keys on the .ima keyring be signed"
> > + bool "Require all keys on the .ima keyring be signed (deprecated)"
> > depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
> > depends on INTEGRITY_ASYMMETRIC_KEYS
> > + select INTEGRITY_TRUSTED_KEYRING
> > default y
> > help
> > This option requires that all keys added to the .ima
> > keyring be signed by a key on the system trusted keyring.
> >
> > + This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
> > +
> > config IMA_LOAD_X509
> > bool "Load X509 certificate onto the '.ima' trusted keyring"
> > depends on IMA_TRUSTED_KEYRING
>
>
> I guess we may as well remove this switch. Otherwise somebody have to remember
> to post a patch that does so a few kernel releases after this one goes mainline.
There's no harm in leaving the "IMA_TRUSTED_KEYRING" Kconfig option for
a couple of releases (or perhaps until it is enabled in a long term
release), so that the INTEGRITY_TRUSTED_KEYRING Kconfig option is
enabled automatically.
Mimi
next prev parent reply other threads:[~2015-10-23 19:16 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-22 18:49 [PATCHv3 0/6] integrity: few EVM patches Dmitry Kasatkin
2015-10-22 18:49 ` [PATCHv3 1/6] integrity: define '.evm' as a builtin 'trusted' keyring Dmitry Kasatkin
2015-10-23 13:05 ` Petko Manolov
2015-10-23 13:40 ` Dmitry Kasatkin
2015-10-23 18:43 ` Mimi Zohar [this message]
2015-10-24 9:35 ` Petko Manolov
2015-10-22 18:49 ` [PATCHv3 2/6] evm: load x509 certificate from the kernel Dmitry Kasatkin
2015-10-22 18:49 ` [PATCHv3 3/6] evm: enable EVM when X509 certificate is loaded Dmitry Kasatkin
2015-10-23 18:31 ` Mimi Zohar
2015-10-26 19:18 ` Dmitry Kasatkin
2015-10-22 18:49 ` [PATCHv3 4/6] evm: provide a function to set EVM key from the kernel Dmitry Kasatkin
2015-10-23 18:30 ` Mimi Zohar
2015-10-26 19:18 ` Dmitry Kasatkin
2015-10-22 18:49 ` [PATCHv3 5/6] evm: define EVM key max and min sizes Dmitry Kasatkin
2015-10-22 18:49 ` [PATCHv3 6/6] evm: reset EVM status when file attributes changes Dmitry Kasatkin
2015-11-05 18:35 ` [PATCHv3 0/6] integrity: few EVM patches Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1445625833.2459.360.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dmitry.kasatkin@huawei.com \
--cc=linux-ima-devel@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=petkan@mip-labs.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).