On Fri, 2020-01-17 at 02:39 +0800, Clay Chang wrote:
> Hi,
>
> We know that the IMA or EVM signing key must be signed by a key in .builtin_trusted_keys.
> In the .builtin_trusted_keys keyring of a fresh CentOS, for example,
> there are public keys created by CentOS, and the private key counterparts
> are not available publicly. So I think there is technically no way for
> others to sign the IMA or EVM key with the private keys of those CAs.
>
> Is there a possibility of getting the IMA or EVM signing keys signed
> (probably by the public key in .builtin_trusted_keys) without rolling our own
> CA and regenerating the kernel?

If the kernel was built with CONFIG_SYSTEM_EXTRA_CERTIFICATE, the customer
could insert their public key post-build.[1] This would obviously require
the kernel to be resigned. I agree there needs to be a simpler way of
including a customer key, without requiring them to resign the kernel.

Mimi

[1] c4c361059585 ("KEYS: Reserve an extra certificate symbol for inserting without recompiling")