Re: [PATCH v6 03/13] KEYS: CA link restriction

From: Nayna
Date: Thu Sep 16 2021 - 16:05:41 EST

Next message: Amit Pundir: "[PATCH] arm64: dts: qcom: sdm850-yoga: Reshuffle IPA memory mappings"
Previous message: Nayna: "Re: [PATCH v6 00/13] Enroll kernel keys thru MOK"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 9/14/21 5:14 PM, Eric Snowberg wrote:

Add a new link restriction. Restrict the addition of keys in a keyring
based on the key to be added being a CA (self-signed).

A self-signed cert can be a root CA cert or a code-signing cert. The way to differentiate a CA cert is by checking BasicConstraints CA:TRUE and keyUsage:keyCertSign. Refer to Section Basic Constraints and Key Usage in the document - https://datatracker.ietf.org/doc/html/rfc5280.

Thanks & Regards,

- Nayna

Next message: Amit Pundir: "[PATCH] arm64: dts: qcom: sdm850-yoga: Reshuffle IPA memory mappings"
Previous message: Nayna: "Re: [PATCH v6 00/13] Enroll kernel keys thru MOK"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]