Date: Wed, 13 Jan 2016 21:19:01 +0200
From: Petko Manolov
To: Mimi Zohar
Cc: David Howells, James Morris, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, mdb@juniper.net
Subject: Re: [PATCH] X.509: Partially revert patch to add validation against IMA MOK keyring
Message-ID: <20160113191900.GG7826@localhost>
In-Reply-To: <1452711399.2683.43.camel@linux.vnet.ibm.com>
References: <24185.1452126854@warthog.procyon.org.uk> <1452180676.2890.21.camel@linux.vnet.ibm.com> <2033.1452447990@warthog.procyon.org.uk> <30355.1452562693@warthog.procyon.org.uk> <30974.1452618524@warthog.procyon.org.uk> <20160113163148.GA32533@bender.nucleusys.com> <28539.1452709150@warthog.procyon.org.uk> <20160113183519.GC7826@localhost> <1452711399.2683.43.camel@linux.vnet.ibm.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
List-ID: <linux-kernel.vger.kernel.org>

On 16-01-13 13:56:39, Mimi Zohar wrote:
> On Wed, 2016-01-13 at 20:35 +0200, Petko Manolov wrote:
> > On 16-01-13 18:19:10, David Howells wrote:
> > > Mimi Zohar wrote:
> > >
> > > > I beg to differ. The IMA model is not broken with the current patches
> > > > being upstreamed. The basic concepts developed will continue to be
> > > > used, perhaps not directly by IMA.
> > >
> > > I still object to the change to x509_key_preparse() and still want it
> > > reverting or removing. It affects module signing too.
> >
> > The only problem I see with the code is that in case .ima_mok is not configured
> > x509_validate_trust() returns NULL, which falsely sets the key as trusted. This
> > could easily be fixed.
>
> When IMA_MOK_KEYRING is not enabled, get_ima_mok_keyring() will return NULL.
> x509_validate_trust() will return -EOPNOTSUPP.
>
> The code is fine.

Oops, my bad. It's been a while since I wrote that code... :)


		Petko
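The point the thread settles on, as an added illustration that is not kernel code: a trust-validation step backed by an optional keyring must fail closed. When the keyring is not configured it has to return a distinct error such as -EOPNOTSUPP, never a value a caller could mistake for "this key is trusted". The names below (mok_keyring_t, get_optional_keyring, validate_trust_buggy, validate_trust_fixed, key_is_trusted) are hypothetical stand-ins for the kernel functions named in the mail, and the keyring contents are constructed sample data.

```c
/*
 * Added illustration, not kernel code. Models the return-value convention
 * discussed in the thread: an optional trust keyring that is absent must
 * produce an unmistakable error (-EOPNOTSUPP), not a "success" the caller
 * would read as "trusted". All identifiers are hypothetical stand-ins.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical keyring: a small list of trusted key identifiers. */
typedef struct {
    const char *trusted_ids[4];
    size_t count;
} mok_keyring_t;

/* Stand-in for get_ima_mok_keyring(): NULL when the keyring is not built in.
 * The key ids are constructed sample values. */
static const mok_keyring_t *get_optional_keyring(bool configured)
{
    static const mok_keyring_t ring = { { "kid:ima-ca-1", "kid:ima-ca-2" }, 2 };
    return configured ? &ring : NULL;
}

/* Look a key id up in a keyring: 0 if present, -ENOKEY otherwise. */
static int keyring_lookup(const mok_keyring_t *ring, const char *key_id)
{
    for (size_t i = 0; i < ring->count; i++)
        if (strcmp(ring->trusted_ids[i], key_id) == 0)
            return 0;
    return -ENOKEY;
}

/*
 * The shape Petko was worried about: with no keyring the function returns 0,
 * so a caller that equates 0 with "validated" marks every key trusted even
 * though nothing checked it.
 */
static int validate_trust_buggy(const char *key_id, bool keyring_configured)
{
    const mok_keyring_t *ring = get_optional_keyring(keyring_configured);
    if (!ring)
        return 0;                /* BUG: indistinguishable from a positive match */
    return keyring_lookup(ring, key_id);
}

/*
 * The fail-closed shape Mimi describes: a missing keyring yields -EOPNOTSUPP,
 * which no caller can confuse with a successful validation.
 */
static int validate_trust_fixed(const char *key_id, bool keyring_configured)
{
    const mok_keyring_t *ring = get_optional_keyring(keyring_configured);
    if (!ring)
        return -EOPNOTSUPP;      /* validation unavailable, not "trusted" */
    return keyring_lookup(ring, key_id);
}

/* Caller side: only an explicit 0 result may set the trusted flag. */
static bool key_is_trusted(int (*validate)(const char *, bool),
                           const char *key_id, bool keyring_configured)
{
    return validate(key_id, keyring_configured) == 0;
}
```

With the keyring absent, validate_trust_buggy lets key_is_trusted report any key as trusted, while validate_trust_fixed reports -EOPNOTSUPP and the flag stays clear; with the keyring present both variants behave identically, which is why the defect only shows up in the unconfigured build.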