Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756881AbbEVM2c (ORCPT ); Fri, 22 May 2015 08:28:32 -0400 Received: from e28smtp08.in.ibm.com ([122.248.162.8]:44085 "EHLO e28smtp08.in.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756821AbbEVM23 (ORCPT ); Fri, 22 May 2015 08:28:29 -0400 Message-ID: <1432297697.2450.53.camel@linux.vnet.ibm.com> Subject: Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4] From: Mimi Zohar To: David Howells Cc: "Luis R. Rodriguez" , Andy Lutomirski , Andy Lutomirski , Rusty Russell , Michal Marek , Matthew Garrett , keyrings@linux-nfs.org, Dmitry Kasatkin , "linux-kernel@vger.kernel.org" , Seth Forshee , LSM List , David Woodhouse Date: Fri, 22 May 2015 08:28:17 -0400 In-Reply-To: <32540.1432280936@warthog.procyon.org.uk> References: <20150521213829.GH23057@wotan.suse.de> <20150515123513.16723.96340.stgit@warthog.procyon.org.uk> <555BD715.40202@kernel.org> <31772.1432128969@warthog.procyon.org.uk> <20150520162059.GC10473@localhost> <32540.1432280936@warthog.procyon.org.uk> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.12.10 (3.12.10-1.fc21) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-TM-AS-MML: disable X-Content-Scanned: Fidelis XPS MAILER x-cbid: 15052212-0029-0000-0000-00000610C6E4 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1251 Lines: 30 On Fri, 2015-05-22 at 08:48 +0100, David Howells wrote: > Luis R. Rodriguez wrote: > > > > This is similar to what i am doing right now - create CA hierarchy so we can > > > have something like: > > > > > > +-> KeyB > > > | > > > RootCA ---> CertA ---> CertB ---> CertC ---> KeyC > > > | > > > +-> CertA' ---> KeyA" > > > > How exactly do you go about uploading CertB to the kernel BTW? > > Assuming RootCA or CertA is present in the kernel, the idea would be to use > the add_key() system call or the request_key() mechanism to add the key to the > system keyring. The key in the cert would only be added to the keyring if it > is trusted by a key already there. >From Petko's description, the RootCA is on the system keyring, but CertA is on a new IMA trusted CA keyring. So everything you said is true, but on this new, yet to be upstreamed, IMA trusted CA keyring. Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/