Date: Wed, 6 Jan 2016 19:00:08 +0200
From: Petko Manolov
To: David Howells
Cc: Mimi Zohar, dwmw2@infradead.org, David Woodhouse, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org
Subject: Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]
Message-ID: <20160106170008.GF4603@localhost>
In-Reply-To: <9026.1452086487@warthog.procyon.org.uk>

On 16-01-06 13:21:27, David Howells wrote:
> Mimi Zohar wrote:
>
> > The x509_validate_trust() was originally added for IMA to ensure, on a
> > secure boot system, a certificate chain of trust rooted in hardware. The IMA
> > MOK keyring extends this certificate chain of trust to the running system.
>
> The problem is that because 'trusted' is a boolean, a key in the IMA MOK
> keyring will permit addition to the system keyring.

If this is true then I am clearly doing the wrong thing. The CA hierarchy
should run top-bottom, not the other way around.

IMA MOK was introduced mainly because .system keyring was static at the time.
Assuming I have my root certificate in .system how can I add more keys to this
keyring? The new keys have been signed by my root CA? Is this possible since
your October patch-set or I've been missing something this whole time?

Petko