Skip to content
Commit 099f26f2 authored by Eric Snowberg's avatar Eric Snowberg Committed by Jarkko Sakkinen
Browse files

integrity: machine keyring CA configuration



Add machine keyring CA restriction options to control the type of
keys that may be added to it. The motivation is separation of
certificate signing from code signing keys. Subsquent work will
limit certificates being loaded into the IMA keyring to code
signing keys used for signature verification.

When no restrictions are selected, all Machine Owner Keys (MOK) are added
to the machine keyring.  When CONFIG_INTEGRITY_CA_MACHINE_KEYRING is
selected, the CA bit must be true.  Also the key usage must contain
keyCertSign, any other usage field may be set as well.

When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must
be true. Also the key usage must contain keyCertSign and the
digitialSignature usage may not be set.

Signed-off-by: default avatarEric Snowberg <eric.snowberg@oracle.com>
Acked-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Reviewed-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
Tested-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Signed-off-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
parent 76adb2fb
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment