> On Feb 13, 2023, at 12:54 AM, Jarkko Sakkinen <jarkko@xxxxxxxxxx> wrote:
>
> On Fri, Feb 10, 2023 at 08:05:22AM -0500, Mimi Zohar wrote:
>> Hi Eric,
>>
>> On Mon, 2023-02-06 at 21:59 -0500, Eric Snowberg wrote:
>>> Add a machine keyring CA restriction menu option to control the type of
>>> keys that may be added to it. The options include none, min and max
>>> restrictions.
>>>
>>> When no restrictions are selected, all Machine Owner Keys (MOK) are added
>>> to the machine keyring. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN is
>>> selected, the CA bit must be true. Also the key usage must contain
>>> keyCertSign, any other usage field may be set as well.
>>>
>>> When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must
>>> be true. Also the key usage must contain keyCertSign and the
>>> digitalSignature usage may not be set.
>>>
>>> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
>>
>> Missing from the patch description is the motivation for this change.
>> The choices none, min, max imply a progression, which is good, and
>> the technical differences between the choices, but not the reason.
>>
>> The motivation, at least from my perspective, is separation of
>> certificate signing from code signing keys, where "none" is no
>> separation and "max" being total separation of keys based on usage.
>>
>> Subsequent work, as discussed in the cover letter thread, will limit
>> certificates being loaded onto the IMA keyring to code signing keys
>> used for signature verification.
>
>
> It would be more robust just to have two binary options for CA bit and
> keyCertSign. You can use "select" for setting keyCertSign, when CA bit
> option is selected.

Ok, I will make that change in the next round, thanks.