Re: [PATCH v5 6/6] integrity: machine keyring CA configuration
From: Mimi Zohar
Date: Mon Mar 13 2023 - 10:33:14 EST
On Thu, 2023-03-02 at 11:46 -0500, Eric Snowberg wrote:
> Add machine keyring CA restriction options to control the type of
> keys that may be added to it. The motivation is separation of
> certificate signing from code signing keys. Subsquent work will
> limit certificates being loaded into the IMA keyring to code
> signing keys used for signature verification.
>
> When no restrictions are selected, all Machine Owner Keys (MOK) are added
> to the machine keyring. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING is
> selected, the CA bit must be true. Also the key usage must contain
> keyCertSign, any other usage field may be set as well.
>
> When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must
> be true. Also the key usage must contain keyCertSign and the
> digitialSignature usage may not be set.
>
> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
Thanks, Eric.
Acked-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>