From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755079AbaFKMae (ORCPT ); Wed, 11 Jun 2014 08:30:34 -0400 Received: from e36.co.us.ibm.com ([32.97.110.154]:44905 "EHLO e36.co.us.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753971AbaFKMaa (ORCPT ); Wed, 11 Jun 2014 08:30:30 -0400 Message-ID: <1402489820.612.58.camel@dhcp-9-2-203-236.watson.ibm.com> Subject: Re: [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only From: Mimi Zohar To: Matthew Garrett Cc: Dmitry Kasatkin , Josh Boyer , David Howells , Dmitry Kasatkin , keyrings , "linux-kernel@vger.kernel.org" , linux-security-module Date: Wed, 11 Jun 2014 08:30:20 -0400 In-Reply-To: <20140611032355.GA6470@srcf.ucam.org> References: <20140610204021.GA8916@srcf.ucam.org> <20140610212516.GB10614@srcf.ucam.org> <20140610214038.GA13881@srcf.ucam.org> <1402449893.612.14.camel@dhcp-9-2-203-236.watson.ibm.com> <20140611022222.GA2349@srcf.ucam.org> <1402456095.612.32.camel@dhcp-9-2-203-236.watson.ibm.com> <20140611032355.GA6470@srcf.ucam.org> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.6.4 (3.6.4-3.fc18) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-TM-AS-MML: disable X-Content-Scanned: Fidelis XPS MAILER x-cbid: 14061112-3532-0000-0000-00000267103E Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2014-06-11 at 04:23 +0100, Matthew Garrett wrote: > Yes. Wouldn't having a mechanism to allow userspace to drop keys that > have otherwise been imported be a generally useful solution to the issue > you have with that? There are issues removing a key from both the local system(eg. cache, running apps) and the attestation server (eg. ima-sig template verification) perspectives. We would need to address these concerns before supporting key removal. Mimi