On Wed, 2016-01-06 at 13:21 +0000, David Howells wrote: > Mimi Zohar <[email protected]> wrote: > > > The x509_validate_trust() was originally added for IMA to ensure, on a > > secure boot system, a certificate chain of trust rooted in hardware. > > The IMA MOK keyring extends this certificate chain of trust to the > > running system. > > The problem is that because 'trusted' is a boolean, a key in the IMA MOK > keyring will permit addition to the system keyring.
Once the builtin keys are loaded onto the system keyring, isn't the system keyring locked? Or is this the only mechanism used for locking? Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
