Re: [PATCH V2] EVM: Allow userspace to signal an RSA key has been loaded

On Sun, Oct 15, 2017 at 7:27 AM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> On Wed, 2017-10-11 at 12:10 -0700, Matthew Garrett wrote:
>> EVM will only perform validation once a key has been loaded. This key
>> may either be a symmetric trusted key (for HMAC validation and creation)
>> or the public half of an asymmetric key (for digital signature
>> validation). The /sys/kernel/security/evm interface allows userland to
>> signal that a symmetric key has been loaded, but does not allow userland
>> to signal that an asymmetric public key has been loaded.
>>
>> This patch extends the interface to permit userspace to pass a bitmask
>> of loaded key types. It also allows userspace to block loading of an
>> asymmetric key in order to prevent a compromised system from being able to
>> load an additional key type later.
>
> I assume you mean "block loading of a symmetric key".  Other than this
> and a trailing blank line, the patch looks good.  If you don't have
> objections, I'll fix these two things.

Sorry, yes. That works for me - thank you!


