[PATCH v5 6/6] integrity: machine keyring CA configuration
Mimi Zohar
zohar at linux.ibm.com
Mon Mar 13 14:26:47 UTC 2023
On Thu, 2023-03-02 at 11:46 -0500, Eric Snowberg wrote:
> Add machine keyring CA restriction options to control the type of
> keys that may be added to it. The motivation is separation of
> certificate signing from code signing keys. Subsquent work will
> limit certificates being loaded into the IMA keyring to code
> signing keys used for signature verification.
>
> When no restrictions are selected, all Machine Owner Keys (MOK) are added
> to the machine keyring. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING is
> selected, the CA bit must be true. Also the key usage must contain
> keyCertSign, any other usage field may be set as well.
>
> When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must
> be true. Also the key usage must contain keyCertSign and the
> digitialSignature usage may not be set.
>
> Signed-off-by: Eric Snowberg <eric.snowberg at oracle.com>
Thanks, Eric.
Acked-by: Mimi Zohar <zohar at linux.ibm.com>
More information about the Linux-security-module-archive
mailing list