Hi Eric,

The subject line is referred to as the 'summary' phrase. As far as I'm aware the length is still between 70-75 characters. Refer to https://www.kernel.org/doc/Documentation/process/submitting-patches.rst .

On Thu, 2023-11-02 at 13:06 -0400, Eric Snowberg wrote:
> When the machine keyring is enabled, it may be used as a trust source > for the .ima keyring. Add a reference to this in > IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY. > > Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx> > --- > security/integrity/ima/Kconfig | 10 +++++----- > 1 file changed, 5 insertions(+), 5 deletions(-) > > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig > index a6bd817efc1a..c5dc0fabbc8b 100644 > --- a/security/integrity/ima/Kconfig > +++ b/security/integrity/ima/Kconfig > @@ -243,7 +243,7 @@ config IMA_APPRAISE_MODSIG > to accept such signatures. > > config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY > - bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" > + bool "Permit keys validly signed by a built-in, secondary or machine CA cert (EXPERIMENTAL)" Please add 'machine' in between built-in and secondary, like described below. > depends on SYSTEM_TRUSTED_KEYRING > depends on SECONDARY_TRUSTED_KEYRING > depends on INTEGRITY_ASYMMETRIC_KEYS
> @@ -251,14 +251,14 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY > default n > help > Keys may be added to the IMA or IMA blacklist keyrings, if the > - key is validly signed by a CA cert in the system built-in or > - secondary trusted keyrings. The key must also have the > - digitalSignature usage set. > + key is validly signed by a CA cert in the system built-in, > + machine (if configured), or secondary trusted keyrings. The > + key must also have the digitalSignature usage set. > > Intermediate keys between those the kernel has compiled in and the > IMA keys to be added may be added to the system secondary keyring, > provided they are validly signed by a key already resident in the > - built-in or secondary trusted keyrings. > + built-in, machine (if configured) or secondary trusted keyrings. > > config IMA_BLACKLIST_KEYRING > bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)" -- thanks, Mimi
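Review bot: in the first hunk (@@ -243,7 +243,7), the new prompt string names the machine keyring as a trust source unconditionally, while the help text in the following hunk qualifies it as "machine (if configured)" and the `depends on` lines visible here list only SYSTEM_TRUSTED_KEYRING, SECONDARY_TRUSTED_KEYRING and INTEGRITY_ASYMMETRIC_KEYS. Someone reading only the menu prompt could assume that enabling this option makes the machine keyring a trust anchor for .ima, when that depends on a separate setting. Consider carrying the same qualifier into the prompt, and listing the keyrings in the same order as the help text so the two descriptions of the trust chain match. The option name still reads BUILTIN_OR_SECONDARY, so the help text is the only place the wider trust scope is documented and should be unambiguous.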
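Review bot: in the second hunk (@@ -251,14 +251,14), "(if configured)" does not say which option configures the machine keyring, so the help text leaves the reader to find out what widens the set of CAs that can vouch for IMA keys. Since this paragraph defines who may add keys to the IMA and IMA blacklist keyrings, name the Kconfig option that enables the machine keyring in the help text. There is also a small punctuation inconsistency between the two rewritten sentences: the first reads "machine (if configured), or secondary trusted keyrings" and the second "machine (if configured) or secondary trusted keyrings"; pick one form for both.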