Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2/6/2020 8:42 AM, Eric Snowberg wrote:

@@ -31,6 +32,7 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
  	".ima",
  #endif
  	".platform",
+	".builtin_trusted_keys",
  };
#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
@@ -45,8 +47,11 @@ static struct key *integrity_keyring_from_id(const unsigned int id)
  		return ERR_PTR(-EINVAL);
if (!keyring[id]) {
-		keyring[id] =
-			request_key(&key_type_keyring, keyring_name[id], NULL);
+		if (id == INTEGRITY_KEYRING_KERNEL)
+			keyring[id] = VERIFY_USE_SECONDARY_KEYRING;

Since "Built-In Trusted Keyring" or "Secondary Trusted Keyring" is used, would it be more appropriate to name this identifier INTEGRITY_KEYRING_BUILTIN_OR_SECONDARY?

diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 73fc286834d7..63f0e6bff0e0 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -145,7 +145,8 @@ int integrity_kernel_read(struct file *file, loff_t offset,
  #define INTEGRITY_KEYRING_EVM		0
  #define INTEGRITY_KEYRING_IMA		1
  #define INTEGRITY_KEYRING_PLATFORM	2
-#define INTEGRITY_KEYRING_MAX		3
+#define INTEGRITY_KEYRING_KERNEL	3
+#define INTEGRITY_KEYRING_MAX		4


 -lakshmi



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux