Mimi Zohar <[email protected]> wrote: > > You can link from any key you have LINK permission on. Further, add_key() > > can add directly. > > Oh, for some reason I thought the system blacklist keyring was limited > to the new key type with just a description. I was able to add, but > also remove a key from the system blacklist. I guess the KEY_FLAG_KEEP > is not set on the system blacklist.
With patch 18 you can. Prior to that it's not possible to modify it from userspace at all. > The keys being added to the IMA keyring are signed x509 certs (eg. > openssl ca -ss_cert). It would be nice to be able to include the skid > in the description, without a payload, and sign that. I have no idea if > that Is possible or if it makes sense. I'm open to suggestions. I think we need a new keyctl or syscall for this. We need to run through the X.509 parser, but we don't actually want to keep any of the payload - and, in fact, we don't even necessarily want to create an asymmetric-type key, though it's not a complete loss if we do that and create one with a blacklist subtype. The blacklist subtype would just return an error from all operation points, but would otherwise be handled as normal. David
