Re: [PATCH v5 6/6] integrity: machine keyring CA configuration

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2023-03-02 at 11:46 -0500, Eric Snowberg wrote:
> Add machine keyring CA restriction options to control the type of
> keys that may be added to it. The motivation is separation of
> certificate signing from code signing keys. Subsquent work will
> limit certificates being loaded into the IMA keyring to code
> signing keys used for signature verification.
> 
> When no restrictions are selected, all Machine Owner Keys (MOK) are added
> to the machine keyring.  When CONFIG_INTEGRITY_CA_MACHINE_KEYRING is
> selected, the CA bit must be true.  Also the key usage must contain
> keyCertSign, any other usage field may be set as well.
> 
> When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must
> be true. Also the key usage must contain keyCertSign and the
> digitialSignature usage may not be set.
> 
> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>

Thanks, Eric.

Acked-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>




[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]
  Powered by Linux