From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751809AbcAFNVc (ORCPT ); Wed, 6 Jan 2016 08:21:32 -0500 Received: from mx1.redhat.com ([209.132.183.28]:59971 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751777AbcAFNV3 (ORCPT ); Wed, 6 Jan 2016 08:21:29 -0500 Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: <1452082979.2772.205.camel@linux.vnet.ibm.com> References: <1452082979.2772.205.camel@linux.vnet.ibm.com> <1452010098.2772.169.camel@linux.vnet.ibm.com> <20160105154703.31650.95150.stgit@warthog.procyon.org.uk> <2615.1452011971@warthog.procyon.org.uk> To: Mimi Zohar Cc: dhowells@redhat.com, dwmw2@infradead.org, David Woodhouse , linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, Petko Manolov Subject: Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2] MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <9025.1452086487.1@warthog.procyon.org.uk> Date: Wed, 06 Jan 2016 13:21:27 +0000 Message-ID: <9026.1452086487@warthog.procyon.org.uk> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Mimi Zohar wrote: > The x509_validate_trust() was originally added for IMA to ensure, on a > secure boot system, a certificate chain of trust rooted in hardware. > The IMA MOK keyring extends this certificate chain of trust to the > running system. The problem is that because 'trusted' is a boolean, a key in the IMA MOK keyring will permit addition to the system keyring. David