Re: [RFC PATCH 12/12] IMA: Use the the system trusted keyrings instead of .ima_mok [ver #3]
From: David Howells
Date: Fri Apr 01 2016 - 10:33:38 EST
Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> The only place where "KEY_ALLOC_BYPASS_RESTRICTION" is specified is in
> load_system_certificate_list(), when adding keys to
> the .builtin_trusted_keys keyring. There is no other set of keys
> builtin and added to the IMA keyring.
Are the keys loaded by integrity_load_x509() required to be validly signed by
the builtin/secondary keys? Or is that unnecessary given that they are loaded
and thus protected through integrity_read_file()?
David