On Tue, 2016-03-08 at 15:32 +0000, David Howells wrote:
> Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:
>
> > > The problem boils down to a difficulty in concocting a name that describes a
> > > complex situation that may change depending on the configuration. I can make
> > > it "restrict_link_by_any_system_trusted" if you'd prefer.
> > >
> > > That's why I want "system trusted keyrings" to refer to the builtin and the
> > > secondary - *and* an extra UEFI keyring if we grow one of those. It's a
> > > collection of related keyrings.
> >
> > Sigh, this is the same discussion we've had for years.
>
> No, it isn't.

Good!

> > The UEFI keys should not be trusted to validate the certificates being added
> > to the IMA keyring.
>
> A machine-security (e.g. UEFI) keyring will conceivably live in
> certs/system_keyring.c and only be enabled if CONFIG_SYSTEM_TRUSTED_KEYRINGS=y
> and, say, CONFIG_MACHINE_TRUSTED_KEYRING=y. I didn't say that IMA necessarily
> has to use it.

Ok.

> What we need to do is define a set of functions that allow IMA to get the
> restrictions it wants, depending on configuration. In the code I currently
> have, I think we have those:
>
> 	restrict_link_reject

Option 1

> 	restrict_link_by_builtin_trusted

Option 2

> 	restrict_link_by_system_trusted

By renaming the system keyring to builtin, this is where it becomes
unclear what is included by restrict_link_by_system_trusted - builtin
and secondary, or builtin, secondary, and UEFI.

> If you really want, I can add a restrict_link_for_ima in there, but I'd rather
> not if IMA can use whichever of the above three most suits it. How about:
>
> 	restrict_link_reject
> 	restrict_link_by_builtin_trusted
> 	restrict_link_by_builtin_or_secondary_trusted

Option 3 - "restrict_link_by_builtin_or_secondary_trusted" is a bit
wordy, but there wouldn't be any confusion.

Mimi

> > Neither should the keys on the secondary keyring, unless specifically IMA
> > Kconfig enabled, be used to validate the certificates being added to the IMA
> > keyring.
>
> Yes.
>
> David