On 15-10-21 11:52:04, David Howells wrote: > Petko Manolov <pet...@mip-labs.com> wrote: > > > As far as i know there is no concept of write-once to a keyring in the > > kernel. David will correct me if i am wrong. I wonder how hard would it > > be > > to add such functionality, in case it is missing? > > Not hard, particularly if it's only an attribute that the kernel can set.
Definitely kernel-only. The other way does not appeal to me in terms of security. > > Ideally a revoked key should stay in .blacklist until it expire or the > > system is rebooted. > > That's not quite sufficient. Search would also need to be modified otherwise > the revoked key would be skipped. OK, let's see if this is going to be a problem or not. cheers, Petko -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
