• Eric Snowberg's avatar
    integrity: machine keyring CA configuration · 099f26f2
    Eric Snowberg authored
    Add machine keyring CA restriction options to control the type of
    keys that may be added to it. The motivation is separation of
    certificate signing from code signing keys. Subsquent work will
    limit certificates being loaded into the IMA keyring to code
    signing keys used for signature verification.
    
    When no restrictions are selected, all Machine Owner Keys (MOK) are added
    to the machine keyring.  When CONFIG_INTEGRITY_CA_MACHINE_KEYRING is
    selected, the CA bit must be true.  Also the key usage must contain
    keyCertSign, any other usage field may be set as well.
    
    When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must
    be true. Also the key usage must contain keyCertSign and the
    digitialSignature usage may not be set.
    Signed-off-by: default avatarEric Snowberg <eric.snowberg@oracle.com>
    Acked-by: default avatarMimi Zohar <zohar@linux.ibm.com>
    Reviewed-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
    Tested-by: default avatarMimi Zohar <zohar@linux.ibm.com>
    Signed-off-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
    099f26f2
restrict.c 9.47 KB