A key added to the IMA keyring must be signed by a key contained in either
the built-in trusted or secondary trusted keyring.  IMA also requires these
keys to be CAs.  The only option for an end-user to add their own CA is to
compile it into the kernel themselves or to use the insert-sys-cert.  Many
end-users do not want to compile their own kernels.  With the insert-sys-cert
option, there are missing upstream changes.

Currently, all Machine Owner Keys (MOK) load into the machine keyring.  Add a
new Kconfig option to only allow CA keys into the machine keyring.  When
compiled with the new INTEGRITY_MACHINE_KEYRING_CA_ENFORCED Kconfig, non-CA
keys will load into the platform keyring instead.  This will allow the
end-user to enroll their own CA key into the machine keyring for use with IMA.

These patches are based on Jarkko's linux-tpmdd tree.
git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git

Eric Snowberg (4):
  KEYS: Create static version of public_key_verify_signature
  X.509: Parse Basic Constraints for CA
  KEYS: CA link restriction
  integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca

 certs/system_keyring.c                    |  9 ++--
 crypto/asymmetric_keys/restrict.c         | 43 +++++++++++++++++++
 crypto/asymmetric_keys/x509_cert_parser.c |  9 ++++
 include/crypto/public_key.h               | 25 +++++++++++
 include/keys/system_keyring.h             |  3 +-
 security/integrity/Kconfig                | 21 +++++++++
 security/integrity/Makefile               |  1 +
 security/integrity/digsig.c               | 14 ++++--
 security/integrity/integrity.h            |  3 +-
 .../platform_certs/keyring_handler.c      |  4 +-
 10 files changed, 123 insertions(+), 9 deletions(-)


base-commit: c9e54f38976a1c0ec69c0a6208b3fd55fceb01d1
-- 
2.27.0
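The series hinges on one question asked of each MOK certificate: does its X.509 Basic Constraints extension (id-ce-basicConstraints, OID 2.5.29.19) say cA=TRUE?  The following is an added userspace illustration, not code from this series or from the kernel's x509_cert_parser.c: a minimal DER walker that answers that question over a constructed Extensions SEQUENCE, handling the RFC 5280 defaults (a missing extension, or a BasicConstraints SEQUENCE that omits the BOOLEAN, both mean "not a CA"), plus a small `mok_destination` function that models the cover letter's stated policy (non-CA keys go to the platform keyring when the option is on).  The OIDs and tag values are the standard ones; the sample extension blobs, the `ca_enforced` flag and `mok_destination` itself are constructed for the example and do not mirror any kernel API.

```python
# Added example: minimal DER walker for X.509 Basic Constraints (not kernel code).

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # id-ce-basicConstraints, 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")          # id-ce-keyUsage, 2.5.29.15 (decoy)

TAG_BOOLEAN, TAG_INTEGER, TAG_BIT_STRING = 0x01, 0x02, 0x03
TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x04, 0x06, 0x30


def der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the element at pos; reject truncation."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    """Yield (tag, value) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value


def basic_constraints_is_ca(extensions_der: bytes) -> bool:
    """True iff the Extensions SEQUENCE carries Basic Constraints with cA=TRUE."""
    tag, exts, _ = read_tlv(extensions_der)
    if tag != TAG_SEQUENCE:
        raise ValueError("expected Extensions SEQUENCE")
    for _, ext in children(exts):
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
        fields = list(children(ext))
        if len(fields) < 2 or fields[0][0] != TAG_OID or fields[0][1] != OID_BASIC_CONSTRAINTS:
            continue
        value_field = fields[2] if fields[1][0] == TAG_BOOLEAN else fields[1]
        if value_field[0] != TAG_OCTET_STRING:
            raise ValueError("extnValue must be an OCTET STRING")
        inner_tag, inner, _ = read_tlv(value_field[1])
        if inner_tag != TAG_SEQUENCE:
            raise ValueError("BasicConstraints must be a SEQUENCE")
        for ctag, cval in children(inner):
            if ctag == TAG_BOOLEAN:
                return cval != b"\x00"   # DER encodes TRUE as 0xFF; BER allows any non-zero
        return False  # BasicConstraints present but cA omitted: defaults to FALSE
    return False      # no Basic Constraints extension at all: not a CA


def mok_destination(extensions_der: bytes, ca_enforced: bool) -> str:
    """Hypothetical model of the policy described in the cover letter, not kernel code:
    with the CA-only option enabled, a non-CA MOK cert goes to the platform keyring."""
    if ca_enforced and not basic_constraints_is_ca(extensions_der):
        return "platform"
    return "machine"


# ---- constructed sample input (not from any real certificate) ----
def basic_constraints_ext(ca: bool, pathlen=None, explicit_false=False) -> bytes:
    inner = b""
    if ca:
        inner += der(TAG_BOOLEAN, b"\xff")
    elif explicit_false:
        inner += der(TAG_BOOLEAN, b"\x00")  # BER-style encoder that emits the default
    if pathlen is not None:
        inner += der(TAG_INTEGER, bytes([pathlen]))
    return der(TAG_SEQUENCE, der(TAG_OID, OID_BASIC_CONSTRAINTS)
               + der(TAG_BOOLEAN, b"\xff")                      # critical
               + der(TAG_OCTET_STRING, der(TAG_SEQUENCE, inner)))

# keyUsage digitalSignature|keyCertSign|cRLSign = bits 0,5,6 -> 0x86 with 1 unused bit
KEY_USAGE_EXT = der(TAG_SEQUENCE, der(TAG_OID, OID_KEY_USAGE)
                    + der(TAG_OCTET_STRING, der(TAG_BIT_STRING, b"\x01\x86")))

CA_EXTS = der(TAG_SEQUENCE, basic_constraints_ext(True, pathlen=0) + KEY_USAGE_EXT)
LEAF_EXTS = der(TAG_SEQUENCE, KEY_USAGE_EXT + basic_constraints_ext(False))
LEAF_BER_EXTS = der(TAG_SEQUENCE, basic_constraints_ext(False, explicit_false=True))
NO_BC_EXTS = der(TAG_SEQUENCE, KEY_USAGE_EXT)
```

The point a practitioner wants from this is the default handling: a certificate with no Basic Constraints at all, or with an empty BasicConstraints SEQUENCE, must be treated as a non-CA, which under the described option means it lands in the platform keyring rather than the machine keyring.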