Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module appended... | linux-security-module

[RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-06
[RFC PATCH 2/2] ima: Change default secure_boot policy to include appended signatures · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-06
[RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-06
Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures · Lakshmi Ramasubramanian <hidden> · 2020-02-06
Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-06
Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-06
Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-06
Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-06
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Nayna <hidden> · 2020-02-06
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-06
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-07
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-07
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-07
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-07
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-07
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-07
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-07
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-07
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-08
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-10
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-10
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-10
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Mimi Zohar <zohar@linux.ibm.com> · 2020-02-10
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-11
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Nayna <hidden> · 2020-02-12
Re: [RFC PATCH 0/2] ima: uncompressed module appraisal support · Eric Snowberg <eric.snowberg@oracle.com> · 2020-02-13

Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures

From: Lakshmi Ramasubramanian <hidden>
Date: 2020-02-06 17:07:07
Also in: linux-integrity, lkml

On 2/6/2020 8:42 AM, Eric Snowberg wrote:

quoted hunk ↗ jump to hunk

@@ -31,6 +32,7 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
  	".ima",
  #endif
  	".platform",
+	".builtin_trusted_keys",
  };
  
  #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
@@ -45,8 +47,11 @@ static struct key *integrity_keyring_from_id(const unsigned int id)
  		return ERR_PTR(-EINVAL);
  
  	if (!keyring[id]) {
-		keyring[id] =
-			request_key(&key_type_keyring, keyring_name[id], NULL);
+		if (id == INTEGRITY_KEYRING_KERNEL)
+			keyring[id] = VERIFY_USE_SECONDARY_KEYRING;

Since "Built-In Trusted Keyring" or "Secondary Trusted Keyring" is used, 
would it be more appropriate to name this identifier 
INTEGRITY_KEYRING_BUILTIN_OR_SECONDARY?

quoted hunk ↗ jump to hunk

diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 73fc286834d7..63f0e6bff0e0 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h

@@ -145,7 +145,8 @@ int integrity_kernel_read(struct file *file, loff_t offset,
  #define INTEGRITY_KEYRING_EVM		0
  #define INTEGRITY_KEYRING_IMA		1
  #define INTEGRITY_KEYRING_PLATFORM	2
-#define INTEGRITY_KEYRING_MAX		3
+#define INTEGRITY_KEYRING_KERNEL	3
+#define INTEGRITY_KEYRING_MAX		4


  -lakshmi

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help