On Thu, 2023-03-02 at 11:46 -0500, Eric Snowberg wrote:
> Add machine keyring CA restriction options to control the type of
> keys that may be added to it. The motivation is separation of
> certificate signing from code signing keys. Subsequent work will
> limit certificates being loaded into the IMA keyring to code
> signing keys used for signature verification.
>
> When no restrictions are selected, all Machine Owner Keys (MOK) are added
> to the machine keyring. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING is
> selected, the CA bit must be true. Also the key usage must contain
> keyCertSign; any other usage field may be set as well.
>
> When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must
> be true. Also the key usage must contain keyCertSign and the
> digitalSignature usage may not be set.
>
> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>

Thanks, Eric.

Acked-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
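The three policy modes from the quoted commit message, worked through as a stand-alone model. This is an added example, not the kernel's implementation: the enum, struct, function names and sample certificate entries are constructed for illustration, and the keyUsage bit positions follow RFC 5280.

```c
#include <stdbool.h>
#include <stdio.h>
/* RFC 5280 keyUsage bits, modelled here as a plain flag mask. */
#define KU_DIGITAL_SIGNATURE (1u << 0)
#define KU_KEY_CERT_SIGN     (1u << 5)

enum ca_policy {
	CA_POLICY_NONE,   /* neither option selected: every MOK is added */
	CA_POLICY_CA,     /* CONFIG_INTEGRITY_CA_MACHINE_KEYRING */
	CA_POLICY_CA_MAX, /* CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX */
};
struct mok_cert {         /* constructed, not a kernel structure */
	const char *label;
	bool is_ca;           /* basicConstraints CA flag */
	unsigned int usage;   /* KU_* mask; 0 if keyUsage is absent */
};
/* Constructed sample MOK entries covering the cases the policy separates. */
static const struct mok_cert sample_certs[] = {
	{ "CA, keyCertSign only", true, KU_KEY_CERT_SIGN },
	{ "CA, keyCertSign + digitalSignature", true, KU_KEY_CERT_SIGN | KU_DIGITAL_SIGNATURE },
	{ "code-signing leaf, digitalSignature", false, KU_DIGITAL_SIGNATURE },
	{ "CA bit set, no keyUsage extension", true, 0 },
};
#define NUM_SAMPLES (sizeof(sample_certs) / sizeof(sample_certs[0]))

/* True if the certificate may be loaded into the machine keyring. */
bool machine_keyring_allows(enum ca_policy policy, const struct mok_cert *c)
{
	if (policy == CA_POLICY_NONE)
		return true;               /* no restriction configured */
	if (!c->is_ca || !(c->usage & KU_KEY_CERT_SIGN))
		return false;              /* both CA modes need CA + keyCertSign */
	if (policy == CA_POLICY_CA_MAX && (c->usage & KU_DIGITAL_SIGNATURE))
		return false;              /* MAX additionally forbids digitalSignature */
	return true;
}
/* Number of sample certificates the given policy accepts. */
int count_allowed(enum ca_policy policy)
{
	int n = 0;
	for (size_t i = 0; i < NUM_SAMPLES; i++)
		n += machine_keyring_allows(policy, &sample_certs[i]);
	return n;
}

int main(void)
{
	for (int p = CA_POLICY_NONE; p <= CA_POLICY_CA_MAX; p++)
		printf("policy %d: %d of %zu sample certs added\n", p, count_allowed(p), NUM_SAMPLES);
	return 0;
}
```

The MAX mode is what enforces the separation the commit message motivates: a CA key that also carries digitalSignature is rejected, so a certificate-signing key cannot double as a code-signing key.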