From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1757066AbcAMS5s (ORCPT <rfc822;w@1wt.eu>);
	Wed, 13 Jan 2016 13:57:48 -0500
Received: from e23smtp08.au.ibm.com ([202.81.31.141]:33752 "EHLO
	e23smtp08.au.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1757096AbcAMS5n (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 13 Jan 2016 13:57:43 -0500
X-IBM-Helo: d23dlp03.au.ibm.com
X-IBM-MailFrom: zohar@linux.vnet.ibm.com
X-IBM-RcptTo: keyrings@vger.kernel.org;linux-kernel@vger.kernel.org;linux-security-module@vger.kernel.org
Message-ID: <1452711399.2683.43.camel@linux.vnet.ibm.com>
Subject: Re: [PATCH] X.509: Partially revert patch to add validation against
 IMA MOK keyring
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Petko Manolov <petkan@mip-labs.com>
Cc: David Howells <dhowells@redhat.com>, James Morris <jmorris@namei.org>,
        linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
        linux-kernel@vger.kernel.org, mdb@juniper.net
Date: Wed, 13 Jan 2016 13:56:39 -0500
In-Reply-To: <20160113183519.GC7826@localhost>
References: <1452432410.2651.40.camel@linux.vnet.ibm.com>
	 <20160106134525.15633.73582.stgit@warthog.procyon.org.uk>
	 <24185.1452126854@warthog.procyon.org.uk>
	 <1452180676.2890.21.camel@linux.vnet.ibm.com>
	 <alpine.LRH.2.20.1601102135470.6161@namei.org>
	 <2033.1452447990@warthog.procyon.org.uk>
	 <30355.1452562693@warthog.procyon.org.uk>
	 <30974.1452618524@warthog.procyon.org.uk>
	 <20160113163148.GA32533@bender.nucleusys.com>
	 <28539.1452709150@warthog.procyon.org.uk> <20160113183519.GC7826@localhost>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.12.11 (3.12.11-1.fc21) 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-TM-AS-MML: disable
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 16011318-0029-0000-0000-000002C55452
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2016-01-13 at 20:35 +0200, Petko Manolov wrote:
> On 16-01-13 18:19:10, David Howells wrote:
> > Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > 
> > > I beg to differ.  The IMA model is not broken with the current patches
> > > being upstreamed.  The basic concepts developed will continue to be
> > > used, perhaps not directly by IMA.
> > 
> > I still object to the change to x509_key_preparse() and still want it 
> > reverting or removing.  It affects module signing too.
> 
> The only problem i see with the code is that in case .ima_mok is not configured 
> x509_validate_trust() returns NULL, which falsely set the key as trusted.  This 
> could easily be fixed.

When IMA_MOK_KEYRING  is not enabled, get_ima_mok_keyring() will return
NULL.  x509_validate_trust() will return -EOPNOTSUPP.

The code is fine.

Mimi

> Some users do want to be able to load kernel modules signed by other trusted 
> parties.  Think of .ima_mok as system wide keyring in this case.  It is 
> semantically broken, but it does the right thing.
> 
> 
> 		Petko