From: Petko Manolov <petkan@mip-labs.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-ima-devel@lists.sourceforge.net,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Subject: Re: [PATCHv3 1/6] integrity: define '.evm' as a builtin 'trusted' keyring
Date: Sat, 24 Oct 2015 12:35:49 +0300 [thread overview]
Message-ID: <20151024091016.GA10998@localhost> (raw)
In-Reply-To: <1445625833.2459.360.camel@linux.vnet.ibm.com>
On 15-10-23 14:43:53, Mimi Zohar wrote:
> On Fri, 2015-10-23 at 16:05 +0300, Petko Manolov wrote:
> > On 15-10-22 21:49:25, Dmitry Kasatkin wrote:
>
> > > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> > > index df30334..a292b88 100644
> > > --- a/security/integrity/ima/Kconfig
> > > +++ b/security/integrity/ima/Kconfig
> > > @@ -123,14 +123,17 @@ config IMA_APPRAISE
> > > If unsure, say N.
> > >
> > > config IMA_TRUSTED_KEYRING
> > > - bool "Require all keys on the .ima keyring be signed"
> > > + bool "Require all keys on the .ima keyring be signed (deprecated)"
> > > depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
> > > depends on INTEGRITY_ASYMMETRIC_KEYS
> > > + select INTEGRITY_TRUSTED_KEYRING
> > > default y
> > > help
> > > This option requires that all keys added to the .ima
> > > keyring be signed by a key on the system trusted keyring.
> > >
> > > + This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
> > > +
> > > config IMA_LOAD_X509
> > > bool "Load X509 certificate onto the '.ima' trusted keyring"
> > > depends on IMA_TRUSTED_KEYRING
> >
> >
> > I guess we may as well remove this switch. Otherwise somebody have to remember
> > to post a patch that does so a few kernel releases after this one goes mainline.
>
> There's no harm in leaving the "IMA_TRUSTED_KEYRING" Kconfig option for a
> couple of releases (or perhaps until it is enabled in a long term release), so
> that the INTEGRITY_TRUSTED_KEYRING Kconfig option is enabled automatically.
I have no strong opinion either way. Just saying. Let it be for the moment.
Petko
next prev parent reply other threads:[~2015-10-24 9:35 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-22 18:49 [PATCHv3 0/6] integrity: few EVM patches Dmitry Kasatkin
2015-10-22 18:49 ` [PATCHv3 1/6] integrity: define '.evm' as a builtin 'trusted' keyring Dmitry Kasatkin
2015-10-23 13:05 ` Petko Manolov
2015-10-23 13:40 ` Dmitry Kasatkin
2015-10-23 18:43 ` Mimi Zohar
2015-10-24 9:35 ` Petko Manolov [this message]
2015-10-22 18:49 ` [PATCHv3 2/6] evm: load x509 certificate from the kernel Dmitry Kasatkin
2015-10-22 18:49 ` [PATCHv3 3/6] evm: enable EVM when X509 certificate is loaded Dmitry Kasatkin
2015-10-23 18:31 ` Mimi Zohar
2015-10-26 19:18 ` Dmitry Kasatkin
2015-10-22 18:49 ` [PATCHv3 4/6] evm: provide a function to set EVM key from the kernel Dmitry Kasatkin
2015-10-23 18:30 ` Mimi Zohar
2015-10-26 19:18 ` Dmitry Kasatkin
2015-10-22 18:49 ` [PATCHv3 5/6] evm: define EVM key max and min sizes Dmitry Kasatkin
2015-10-22 18:49 ` [PATCHv3 6/6] evm: reset EVM status when file attributes changes Dmitry Kasatkin
2015-11-05 18:35 ` [PATCHv3 0/6] integrity: few EVM patches Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151024091016.GA10998@localhost \
--to=petkan@mip-labs.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dmitry.kasatkin@huawei.com \
--cc=linux-ima-devel@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).