> On Mar 6, 2022, at 4:33 PM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> Hi Eric,
>
> On Tue, 2022-03-01 at 12:36 -0500, Eric Snowberg wrote:
>> A key added to the IMA keyring must be signed by a key contained in either the
>> built-in trusted or secondary trusted keyring. IMA also requires these keys
>> to be a CA. The only option for an end-user to add their own CA is to compile
>> it into the kernel themselves or to use the insert-sys-cert. Many end-users
>> do not want to compile their own kernels. With the insert-sys-cert option,
>> there are missing upstream changes.
>>
>> Currently, all Machine Owner Keys (MOK) load into the machine keyring. Add
>> a new Kconfig option to only allow CA keys into the machine keyring. When
>> compiled with the new INTEGRITY_MACHINE_KEYRING_CA_ENFORCED Kconfig, non-CA
>> keys will load into the platform keyring instead. This will allow the
>> end-user to enroll their own CA key into the machine keyring for use with IMA.
>
> In addition to only loading the MOK CA keys onto the .machine keyring,
> the keyUsage should be required and limited to keyCertSign.

Ok, I'll add this in the next round.
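The policy discussed in this thread (a MOK certificate goes onto the .machine keyring only if it is a CA, and additionally only if keyUsage is present and limited to keyCertSign; everything else falls through to the .platform keyring) can be illustrated outside the kernel. The following is an added example written for this page, not code from the kernel patch series or from any of the posters. It carries its own minimal DER walker for the X.509 Extensions SEQUENCE, so it needs no third-party library, and the three extension blobs are constructed test inputs, not real MOK certificates. Reading "limited to keyCertSign" as "keyCertSign must be set and no usage bit other than cRLSign may accompany it" is this example's assumption, as is the `ca_enforced` flag standing in for the Kconfig option.

```python
"""Model of the CA-only .machine keyring policy from the IMA/MOK thread.

Added illustration, not kernel code.  Parses just enough DER to read the
basicConstraints (2.5.29.19) and keyUsage (2.5.29.15) extensions and then
decides which keyring a MOK certificate would land on.
"""

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"

# RFC 5280 KeyUsage bit positions, MSB-first inside the BIT STRING.
KEY_USAGE_NAMES = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Assumption for this example: what "limited to keyCertSign" permits.
PERMITTED_CA_USAGE = {"keyCertSign", "cRLSign"}


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    parts = [raw[0] // 40, raw[0] % 40]
    val = 0
    for byte in raw[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)


def parse_extensions(der):
    """Parse an X.509 Extensions SEQUENCE into {oid: (critical, extnValue)}."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, pos = {}, 0
    while pos < len(body):
        tag, ext, pos = _read_tlv(body, pos)
        t, oid_bytes, p = _read_tlv(ext, 0)
        if tag != 0x30 or t != 0x06:
            raise ValueError("malformed Extension")
        t, val, p = _read_tlv(ext, p)
        critical = False
        if t == 0x01:  # optional BOOLEAN critical
            critical = val != b"\x00"
            t, val, p = _read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        exts[_decode_oid(oid_bytes)] = (critical, val)
    return exts


def is_ca(exts):
    """True only if basicConstraints is present with cA explicitly TRUE."""
    if OID_BASIC_CONSTRAINTS not in exts:
        return False
    tag, body, _ = _read_tlv(exts[OID_BASIC_CONSTRAINTS][1], 0)
    if tag != 0x30 or not body:
        return False  # empty SEQUENCE means cA defaults to FALSE
    t, flag, _ = _read_tlv(body, 0)
    return t == 0x01 and flag != b"\x00"


def key_usage_bits(exts):
    """Return the set of named KeyUsage bits, or None if the extension is absent."""
    if OID_KEY_USAGE not in exts:
        return None
    tag, body, _ = _read_tlv(exts[OID_KEY_USAGE][1], 0)
    if tag != 0x03 or not body:
        return set()
    unused, bits = body[0], body[1:]
    total = len(bits) * 8 - unused
    names = set()
    for i in range(min(total, len(KEY_USAGE_NAMES))):
        if bits[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_NAMES[i])
    return names


def machine_keyring_destination(ext_der, ca_enforced=True):
    """Which keyring a MOK cert with these extensions would be loaded onto."""
    if not ca_enforced:
        return ".machine"  # pre-patch behaviour: every MOK key goes here
    exts = parse_extensions(ext_der)
    if not is_ca(exts):
        return ".platform"
    usage = key_usage_bits(exts)
    if usage is None or "keyCertSign" not in usage or usage - PERMITTED_CA_USAGE:
        return ".platform"  # keyUsage missing or not limited to cert signing
    return ".machine"


# Constructed DER Extensions blobs (hand-encoded, not from real certificates).
CA_CERT_EXTS = bytes.fromhex(
    "30 21"
    "30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF"   # basicConstraints cA=TRUE
    "30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 01 06")     # keyUsage keyCertSign|cRLSign
LEAF_CERT_EXTS = bytes.fromhex(
    "30 1E"
    "30 0C 06 03 55 1D 13 01 01 FF 04 02 30 00"            # basicConstraints cA=FALSE
    "30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 07 80")     # keyUsage digitalSignature
CA_NO_KU_EXTS = bytes.fromhex(
    "30 11"
    "30 0F 06 03 55 1D 13 01 01 FF 04 05 30 03 01 01 FF")  # cA=TRUE, no keyUsage

if __name__ == "__main__":
    for name, blob in [("CA", CA_CERT_EXTS), ("leaf", LEAF_CERT_EXTS), ("CA, no keyUsage", CA_NO_KU_EXTS)]:
        print(f"{name:16s} -> {machine_keyring_destination(blob)}")
```

Running the module prints one line per constructed input; the only certificate that reaches .machine is the one that is both a CA and carries a keyUsage limited to certificate signing, which is the behaviour the thread is asking the patch to enforce.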