Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module appended signatures
From: Lakshmi Ramasubramanian
Date: Thu Feb 06 2020 - 12:07:08 EST
On 2/6/2020 8:42 AM, Eric Snowberg wrote:
@@ -31,6 +32,7 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
".ima",
#endif
".platform",
+ ".builtin_trusted_keys",
};
#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
@@ -45,8 +47,11 @@ static struct key *integrity_keyring_from_id(const unsigned int id)
return ERR_PTR(-EINVAL);
if (!keyring[id]) {
- keyring[id] =
- request_key(&key_type_keyring, keyring_name[id], NULL);
+ if (id == INTEGRITY_KEYRING_KERNEL)
+ keyring[id] = VERIFY_USE_SECONDARY_KEYRING;
Since "Built-In Trusted Keyring" or "Secondary Trusted Keyring" is used,
would it be more appropriate to name this identifier
INTEGRITY_KEYRING_BUILTIN_OR_SECONDARY?
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 73fc286834d7..63f0e6bff0e0 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -145,7 +145,8 @@ int integrity_kernel_read(struct file *file, loff_t offset,
#define INTEGRITY_KEYRING_EVM 0
#define INTEGRITY_KEYRING_IMA 1
#define INTEGRITY_KEYRING_PLATFORM 2
-#define INTEGRITY_KEYRING_MAX 3
+#define INTEGRITY_KEYRING_KERNEL 3
+#define INTEGRITY_KEYRING_MAX 4
-lakshmi