Re: [PATCH v5 6/6] integrity: machine keyring CA configuration

From: Mimi Zohar
Date: Mon Mar 13 2023 - 10:33:14 EST

Next message: Rafael J. Wysocki: "[PATCH v2 4/4] ACPI: processor: thermal: Update CPU cooling devices on cpufreq policy changes"
Previous message: David Vernet: "Re: [PATCH bpf-next] bpf, doc: use internal linking for link to netdev FAQ"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2023-03-02 at 11:46 -0500, Eric Snowberg wrote:
> Add machine keyring CA restriction options to control the type of
> keys that may be added to it. The motivation is separation of
> certificate signing from code signing keys. Subsquent work will
> limit certificates being loaded into the IMA keyring to code
> signing keys used for signature verification.
>
> When no restrictions are selected, all Machine Owner Keys (MOK) are added
> to the machine keyring. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING is
> selected, the CA bit must be true. Also the key usage must contain
> keyCertSign, any other usage field may be set as well.
>
> When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must
> be true. Also the key usage must contain keyCertSign and the
> digitialSignature usage may not be set.
>
> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>

Thanks, Eric.

Acked-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>

Next message: Rafael J. Wysocki: "[PATCH v2 4/4] ACPI: processor: thermal: Update CPU cooling devices on cpufreq policy changes"
Previous message: David Vernet: "Re: [PATCH bpf-next] bpf, doc: use internal linking for link to netdev FAQ"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]