On Wed, 2022-01-05 at 18:50 -0500, Eric Snowberg wrote:
> Introduce a new link restriction that includes the trusted builtin,
> secondary and machine keys. The restriction is based on the key to be
> added being vouched for by a key in any of these three keyrings.
>
> With the introduction of the machine keyring, the end-user may choose to
> trust Machine Owner Keys (MOK) within the kernel. If they have chosen to
> trust them, the .machine keyring will contain these keys. If not, the
> machine keyring will always be empty. Update the restriction check to
> allow the secondary trusted keyring and ima keyring to also trust
> machine keys.

As suggested, the Kconfig in "[PATCH v9 2/8] integrity: Introduce a Linux
keyring called machine" only loads the platform keys onto the .machine
keyring when IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not
enabled. The last sentence needs to be updated to reflect v9.

thanks,

Mimi