[OS-BUILD PATCH] redhat/configs: allow IMA to use MOK keys

From: Coiby Xu <coxu@xxxxxxxxxx>

redhat/configs: allow IMA to use MOK keys

Users can add IMA CA keys to the MOK list which will be added to the
.machine keyring. The .machine keyring is linked to the
.secondary_trusted_keys keyring. Allow IMA to access the
.secondary_trusted_keys keyring so users' custom IMA CA keys can be
used to vouch for the keys to be added to the .ima keyring.

CONFIG_INTEGRITY_CA_MACHINE_KEYRING_CA and
CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX are enabled to a) meet the
requirement FIA_X509_EXT.1 X.509 as specified in OSPP 4.3 [1] and b) let
custom kernel module signing keys stay in the .platform keyring.

[1] https://www.niap-ccevs.org/MMO/PP/OS%204.3%20PP/

Signed-off-by: Coiby Xu <coxu@xxxxxxxxxx>
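The commit message above relies on a chain of config options (the .machine keyring linked into .secondary_trusted_keys, and IMA allowed to trust that keyring) all being set at once. As an added example, not part of this patch or of kernel-ark, the script below checks a kernel config file for that chain. It assumes that CONFIG_SECONDARY_TRUSTED_KEYRING must also be enabled for the IMA option to take effect, and it runs against two small config files constructed inline, one complete and one with the IMA option left unset.

```shell
#!/bin/sh
# Added example: verify that a kernel .config (or /boot/config-*) enables the
# option chain that lets IMA trust MOK-enrolled CA keys. Not from the patch;
# the CONFIG_SECONDARY_TRUSTED_KEYRING entry is an assumed prerequisite.

REQUIRED_OPTS="CONFIG_SECONDARY_TRUSTED_KEYRING
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
CONFIG_INTEGRITY_CA_MACHINE_KEYRING
CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX"

# config_value FILE OPT: prints the option's value ("y", "m", a string),
# or "n" when the option is "# ... is not set" or absent from the file.
# The trailing [= ] in the pattern keeps CONFIG_..._KEYRING from matching
# CONFIG_..._KEYRING_MAX.
config_value() {
    file=$1; opt=$2
    line=$(grep -E "^(# )?${opt}([= ])" "$file" | tail -n 1)
    case "$line" in
        "# ${opt} is not set") echo n ;;
        "${opt}="*)            echo "${line#*=}" ;;
        *)                     echo n ;;
    esac
}

# check_ima_mok_config FILE: returns 0 when every required option is =y,
# otherwise lists the offending options on stderr and returns 1.
check_ima_mok_config() {
    file=$1; rc=0
    for opt in $REQUIRED_OPTS; do
        val=$(config_value "$file" "$opt")
        if [ "$val" != "y" ]; then
            echo "$opt: $val (expected y)" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs so the script runs stand-alone.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
CONFIG_INTEGRITY_CA_MACHINE_KEYRING=y
CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX=y
EOF
cat > "$BAD" <<'EOF'
CONFIG_SECONDARY_TRUSTED_KEYRING=y
# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
CONFIG_INTEGRITY_CA_MACHINE_KEYRING=y
EOF

if check_ima_mok_config "$GOOD"; then
    echo "sample complete config: IMA can use MOK-enrolled CA keys"
fi
if ! check_ima_mok_config "$BAD"; then
    echo "sample incomplete config: IMA cannot use MOK-enrolled CA keys"
fi
```

On a running system, point `check_ima_mok_config` at `/boot/config-$(uname -r)`; a second, independent check is `keyctl show %:.secondary_trusted_keys`, which should list the .machine keyring as a link once the chain is in place.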

diff --git a/redhat/configs/common/generic/CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY b/redhat/configs/common/generic/CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
index blahblah..blahblah 100644
--- a/redhat/configs/common/generic/CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
+++ b/redhat/configs/common/generic/CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
@@ -1 +1 @@
-# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
+CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
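Review bot: this option only has an effect when CONFIG_SECONDARY_TRUSTED_KEYRING is also enabled, and the series does not touch that file; please confirm it is already =y in common/generic or add it alongside this hunk. The commit message should also say that this widens the set of keys that may vouch for .ima additions to every CA in .secondary_trusted_keys, not only the MOK-enrolled ones that arrive via .machine.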
diff --git a/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING b/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING
index blahblah..blahblah 100644
--- a/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING
+++ b/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING
@@ -1 +1 @@
-# CONFIG_INTEGRITY_CA_MACHINE_KEYRING is not set
+CONFIG_INTEGRITY_CA_MACHINE_KEYRING=y
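Review bot: the commit message calls this option CONFIG_INTEGRITY_CA_MACHINE_KEYRING_CA, but the hunk sets CONFIG_INTEGRITY_CA_MACHINE_KEYRING (no _CA suffix); fix the name in the message so the description and the config file agree.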
diff --git a/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX b/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX
@@ -0,0 +1 @@
+CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX=y
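Review bot: this is a new file rather than a flip of an existing entry, so the option had no setting in common/generic before; please confirm CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX exists in every tree kernel-ark builds from, otherwise the config check will reject the unknown symbol. Point b) of the commit message would also benefit from stating the mechanism: with _MAX set, only CA certificates with keyCertSign and without digitalSignature are loaded into .machine, which is why module-signing keys stay in .platform.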

--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2599
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue