On Tue, 2015-10-20 at 21:42 +0300, Petko Manolov wrote:
> On 15-10-20 14:32:10, Mimi Zohar wrote:
> > On Tue, 2015-10-20 at 18:33 +0300, Petko Manolov wrote:
> > > 
> > > As far as i know there is no concept of write-once to a keyring in the 
> > > kernel.  David will correct me if i am wrong.  I wonder how hard would it 
> > > be 
> > > to add such functionality, in case it is missing?
> > > 
> > > Ideally a revoked key should stay in .blacklist until it expire or the 
> > > system is rebooted.
> > 
> > Keys currently revoked return -EKEYREVOKED for a certain amount of time, 
> > before being garbage collected.  Perhaps for trusted keys we could piggy 
> > back 
> > on this option, returning -EKEYREVOKED, but prevent them from being garbage 
> > collected?
> 
> I need to think about this.  Should -EKEYREVOKED be the same as -ENOKEY in 
> this 
> case?  I guess the end result is pretty much the same from IMA view point, 
> but 
> there may be a requirement to list all revoked keys...

When checking the blacklist, getting -EKEYREVOKED is definitely
different than -ENOKEY.

Mimi

--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to