Re: [PATCH v9 5/8] KEYS: Introduce link restriction for machine keys

From: Mimi Zohar
Date: Sun Jan 09 2022 - 17:42:54 EST


On Wed, 2022-01-05 at 18:50 -0500, Eric Snowberg wrote:
> Introduce a new link restriction that includes the trusted builtin,
> secondary and machine keys. The restriction is based on the key to be
> added being vouched for by a key in any of these three keyrings.
>
> With the introduction of the machine keyring, the end-user may choose to
> trust Machine Owner Keys (MOK) within the kernel. If they have chosen to
> trust them, the .machine keyring will contain these keys. If not, the
> machine keyring will always be empty. Update the restriction check to
> allow the secondary trusted keyring and ima keyring to also trust
> machine keys.

As suggested the Kconfig in "[PATCH v9 2/8] integrity: Introduce a
Linux keyring called machine" only loads the platform keys onto the
.machine keyring, when
IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not enabled. The
last sentence needs to be updated to reflect v9.

thanks,

Mimi