On Thu, 2021-02-18 at 17:00 -0500, Nayna Jain wrote: > The kernel currently only loads the kernel module signing key onto > the builtin trusted keyring. To support IMA, load the module signing > key selectively either onto the builtin or IMA keyring based on MODULE_SIG > or MODULE_APPRAISE_MODSIG config respectively; and loads the CA kernel > key onto the builtin trusted keyring. > > Signed-off-by: Nayna Jain <nayna@xxxxxxxxxxxxx> Always having a CA key would simplify the code. Otherwise for the patch set, Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
