Mimi Zohar wrote:
> Lets assume accepting built in keys should is acceptable for all use
> cases. Adding additional keys from userspace is probably not acceptable
> for all use cases. Those keys should be added to specific 'trusted'
> keyrings.
>
> EVM and IMA-appraisal have separate keyrings
On Thu, 2013-01-17 at 18:04 +, David Howells wrote:
> Separate the kernel signature checking keyring from module signing so that it
> can be used by code other than the module-signing code.
>
> Signed-off-by: David Howells
Sounds good, but comment below...
> ---
>
> init/Kconfig
On Thu, 2013-01-17 at 18:03 +, David Howells wrote:
> Load all the files matching the pattern "*.x509" that are to be found in
> kernel
> base source dir and base build dir into the module signing keyring.
Do we really want certificates cluttering up the base source tree? Any
reason not to de
Separate the kernel signature checking keyring from module signing so that it
can be used by code other than the module-signing code.
Signed-off-by: David Howells
---
init/Kconfig | 13 +
kernel/Makefile | 17 ---
kernel/modsign_certificate.S | 18
Add KEY_FLAG_TRUSTED to indicate that a key either comes from a trusted source
or had a cryptographic signature chain that led back to a trusted key the
kernel already possessed.
Add KEY_FLAGS_TRUSTED_ONLY to indicate that a keyring will only accept links to
keys marked with KEY_FLAGS_TRUSTED.
Si
Load all the files matching the pattern "*.x509" that are to be found in kernel
base source dir and base build dir into the module signing keyring.
The "extra_certificates" file is then redundant.
Signed-off-by: David Howells
---
kernel/Makefile | 33 +++-
Mimi Zohar wrote:
> David, are you ok with how support for asymmetric keys is being added to
> EVM/IMA-appraisal for verifying signatures? Any comments?
I would also like to have a look at altering your trusted key type[*] to be a
subtype of asymmetric keys so that the asymmetric key type can c
On Thu, Jan 17, 2013 at 7:52 PM, David Howells wrote:
>
> Looks reasonable, I think, so you can add:
>
> Acked-by: David Howells
>
> David
Thank you.
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majo
Looks reasonable, I think, so you can add:
Acked-by: David Howells
David
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
