Subject: Re: [PATCHv3 1/6] integrity: define '.evm' as a builtin 'trusted' keyring
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Petko Manolov
Cc: Dmitry Kasatkin, linux-ima-devel@lists.sourceforge.net, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Fri, 23 Oct 2015 14:43:53 -0400
Message-ID: <1445625833.2459.360.camel@linux.vnet.ibm.com>
In-Reply-To: <20151023130450.GL5224@localhost>

On Fri, 2015-10-23 at 16:05 +0300, Petko Manolov wrote:
> On 15-10-22 21:49:25, Dmitry Kasatkin wrote:
> > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> > index df30334..a292b88 100644
> > --- a/security/integrity/ima/Kconfig
> > +++ b/security/integrity/ima/Kconfig
> > @@ -123,14 +123,17 @@ config IMA_APPRAISE
> >  	  If unsure, say N.
> >  
> >  config IMA_TRUSTED_KEYRING
> > -	bool "Require all keys on the .ima keyring be signed"
> > +	bool "Require all keys on the .ima keyring be signed (deprecated)"
> >  	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
> >  	depends on INTEGRITY_ASYMMETRIC_KEYS
> > +	select INTEGRITY_TRUSTED_KEYRING
> >  	default y
> >  	help
> >  	  This option requires that all keys added to the .ima
> >  	  keyring be signed by a key on the system trusted keyring.
> >  
> > +	  This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
> > +
> >  config IMA_LOAD_X509
> >  	bool "Load X509 certificate onto the '.ima' trusted keyring"
> >  	depends on IMA_TRUSTED_KEYRING
> 
> I guess we may as well remove this switch. Otherwise somebody has to remember
> to post a patch that does so a few kernel releases after this one goes mainline.

There's no harm in leaving the "IMA_TRUSTED_KEYRING" Kconfig option for a
couple of releases (or perhaps until it is enabled in a long-term release),
so that the INTEGRITY_TRUSTED_KEYRING Kconfig option is enabled
automatically.

Mimi
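Review bot: the trailing context of this hunk still has IMA_LOAD_X509 with `depends on IMA_TRUSTED_KEYRING`; now that IMA_TRUSTED_KEYRING is marked deprecated, that dependency should move to `depends on INTEGRITY_TRUSTED_KEYRING` (the symbol this option now selects), otherwise the deprecated option can never be removed later without also breaking IMA_LOAD_X509. Also, `select INTEGRITY_TRUSTED_KEYRING` forces that symbol on without checking its own dependencies, so confirm that everything INTEGRITY_TRUSTED_KEYRING depends on is already implied by the `depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING` and `depends on INTEGRITY_ASYMMETRIC_KEYS` lines kept here. Minor: the new help line "This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING" is missing its trailing period.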