> On Jan 9, 2022, at 3:42 PM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote: > > On Wed, 2022-01-05 at 18:50 -0500, Eric Snowberg wrote: >> Introduce a new link restriction that includes the trusted builtin, >> secondary and machine keys. The restriction is based on the key to be >> added being vouched for by a key in any of these three keyrings. >> >> With the introduction of the machine keyring, the end-user may choose to >> trust Machine Owner Keys (MOK) within the kernel. If they have chosen to >> trust them, the .machine keyring will contain these keys. If not, the >> machine keyring will always be empty. Update the restriction check to >> allow the secondary trusted keyring and ima keyring to also trust >> machine keys. > > As suggested the Kconfig in "[PATCH v9 2/8] integrity: Introduce a > Linux keyring called machine" only loads the platform keys onto the > .machine keyring, when > IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not enabled. The > last sentence needs to be updated to reflect v9. I missed that when I dropped IMA support. I will remove the ima reference in the next round. Thanks.
