[PATCH v8 03/17] integrity: Introduce a Linux keyring called machine
Mimi Zohar
zohar at linux.ibm.com
Thu Nov 25 02:49:19 UTC 2021
Hi Eric,
On Tue, 2021-11-23 at 23:41 -0500, Eric Snowberg wrote:
> +config INTEGRITY_MACHINE_KEYRING
> + bool "Provide a keyring to which CA Machine Owner Keys may be added"
> + depends on SECONDARY_TRUSTED_KEYRING
> + depends on INTEGRITY_ASYMMETRIC_KEYS
Shouldn't this be "ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y"? With this
change, is "KEYS: Create static version of
public_key_verify_signature" trusted needed?
Mimi
> + depends on SYSTEM_BLACKLIST_KEYRING
> + depends on LOAD_UEFI_KEYS
> + help
> + If set, provide a keyring to which CA Machine Owner Keys (MOK) may
> + be added. This keyring shall contain just CA MOK keys. Unlike keys
> + in the platform keyring, keys contained in the .machine keyring will
> + be trusted within the kernel.
> +
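Review bot: The last sentence of the help text ("keys contained in the .machine keyring will be trusted within the kernel") does not say what that trust covers, and that is the detail someone enabling this option needs, since the same sentence contrasts it with the platform keyring. Suggest stating in the help text what keys in .machine are trusted to verify. The line "This keyring shall contain just CA MOK keys" also reads as a requirement without saying where it is enforced or what happens to a MOK key that is not a CA; a sentence on that would let the option be judged from the Kconfig prompt alone, without reading the rest of the series.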
More information about the Linux-security-module-archive
mailing list