From: Coiby Xu <[email protected]>

redhat/configs: allow IMA to use MOK keys

Users can add IMA CA keys to the MOK list which will be added to the
.machine keyring. The .machine keyring is linked to the
.secondary_trusted_keys keyring. Allow IMA to access the
.secondary_trusted_keys keyring so users' custom IMA CA keys can be
used to vouch for the keys to be added to the .ima keyring.

CONFIG_INTEGRITY_CA_MACHINE_KEYRING_CA and
CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX are enabled to a) meet the
requirement FIA_X509_EXT.1 X.509 as specified in OSPP 4.3 [1] and b) let
custom kernel module signing keys stay in the .platform keyring.

[1] https://www.niap-ccevs.org/MMO/PP/OS%204.3%20PP/

Signed-off-by: Coiby Xu <[email protected]>
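The key flow the message describes (MOK CA -> .machine -> .secondary_trusted_keys -> vouches for .ima), worked through as an added example. This is not code from the patch author or from kernel-ark. It assumes openssl 1.1.1 or newer (for `x509 -ext`), a shim and mokutil that support `--trust-mok` (the kernel only populates .machine when shim exports MokListTrustedRT), plus keyctl and evmctl; every path, subject name and the sample file to sign are constructed for the example. The offline part (certificate generation and the same keyUsage decision the kernel makes) runs as-is; the enrolment and keyring steps need root and a reboot and are only shown.

```shell
#!/bin/sh
# Added example, not part of the patch or of kernel-ark: build a MOK CA that
# the .machine keyring restrictions in this config will accept, check its
# extensions the way the kernel does, issue an IMA signing key under it and
# show the enrolment/loading commands.  Assumed (not on the page): openssl,
# mokutil, keyctl and evmctl are installed; all paths and names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# CONFIG_INTEGRITY_CA_MACHINE_KEYRING admits a MOK into .machine only if it
# is a CA (basicConstraints CA:TRUE) with keyCertSign set; with
# CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX it must also NOT have
# digitalSignature.  Anything else is routed to .platform instead.
# $2 is the keyUsage list, so a non-conforming CA can be built for testing.
make_ima_ca() {
    out="$1"; usage="$2"
    cat > "$out/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Example IMA CA (constructed)
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,$usage
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -newkey rsa:3072 -nodes -sha256 -days 3650 \
        -config "$out/ca.cnf" -keyout "$out/ca.key" -out "$out/ca.pem" 2>/dev/null
    openssl x509 -in "$out/ca.pem" -outform DER -out "$out/ca.der"
}

# Mirror the kernel's decision before enrolling: a cert that fails here is
# not refused at boot, it is silently placed in .platform and never vouches
# for .ima keys.
check_ima_ca() {
    bc=$(openssl x509 -in "$1" -noout -ext basicConstraints)
    ku=$(openssl x509 -in "$1" -noout -ext keyUsage)
    case "$bc" in *CA:TRUE*) ;; *) echo "rejected: not a CA"; return 1 ;; esac
    case "$ku" in
        *"Digital Signature"*) echo "rejected: digitalSignature set, goes to .platform"; return 1 ;;
        *"Certificate Sign"*)  echo "ok: CA with keyCertSign only, goes to .machine"; return 0 ;;
        *) echo "rejected: keyCertSign missing"; return 1 ;;
    esac
}

# Issue the actual IMA signing certificate from the CA.  It is a leaf
# (CA:FALSE, digitalSignature), so it belongs in .ima, not in .machine.
make_ima_leaf() {
    out="$1"
    cat > "$out/leaf.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example IMA signing key (constructed)
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -new -newkey rsa:3072 -nodes -config "$out/leaf.cnf" \
        -keyout "$out/ima.key" -out "$out/ima.csr" 2>/dev/null
    openssl x509 -req -in "$out/ima.csr" -CA "$out/ca.pem" -CAkey "$out/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$out/leaf.cnf" \
        -extensions leaf_ext -out "$out/ima.pem" 2>/dev/null
    openssl x509 -in "$out/ima.pem" -outform DER -out "$out/ima.der"
    # Same chain check the kernel performs when the key is linked into .ima.
    openssl verify -CAfile "$out/ca.pem" "$out/ima.pem" >/dev/null
}

# Offline part: CA, restriction check, leaf.  Returns non-zero on any failure.
build_all() {
    make_ima_ca "$WORK" keyCertSign
    check_ima_ca "$WORK/ca.pem"
    make_ima_leaf "$WORK"
}

# Online part (needs root, a reboot and the MokManager prompt), shown only.
# After enrolment the CA should appear under .machine, which the kernel links
# into .secondary_trusted_keys; IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
# is what lets a key vouched for by that keyring into .ima.
enrol_and_load() {
    mokutil --trust-mok                         # shim must export MokListTrustedRT
    mokutil --import "$WORK/ca.der"             # then reboot and confirm in MokManager
    keyctl show %:.machine                      # CA listed here, not in .platform
    keyctl show %:.secondary_trusted_keys       # .machine appears as a link
    keyctl padd asymmetric "" %keyring:.ima < "$WORK/ima.der"
    evmctl ima_sign --key "$WORK/ima.key" -a sha256 /usr/bin/true   # sample target
}

# Run the offline steps with: IMA_DEMO=1 sh this-script.sh
if [ "${IMA_DEMO:-0}" = 1 ]; then build_all; fi
```

The keyUsage distinction is the part worth keeping in mind: an IMA CA generated with the usual openssl defaults (keyCertSign plus digitalSignature) will enrol without complaint and then never show up in .machine once CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is set, so run the check before the reboot rather than debugging an empty `keyctl show %:.machine` afterwards.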

diff --git 
a/redhat/configs/common/generic/CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
 
b/redhat/configs/common/generic/CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
index blahblah..blahblah 100644
--- 
a/redhat/configs/common/generic/CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
+++ 
b/redhat/configs/common/generic/CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
@@ -1 +1 @@
-# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
+CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
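Review bot: The commit message should state the trust expansion this line causes: .ima now accepts any key whose signature chains to .builtin_trusted_keys or .secondary_trusted_keys, and because .machine is linked into .secondary_trusted_keys, anyone who can enrol a MOK (mokutil --import plus the MokManager password at the next boot) can introduce a CA that vouches for IMA keys; that enrolment step is the new trust boundary and deserves a sentence. Two prerequisites are also worth spelling out since the hunk does not touch them: the option depends on CONFIG_SECONDARY_TRUSTED_KEYRING, so confirm that is already =y in the tree, and the kernel only populates and links .machine when shim exports MokListTrustedRT (mokutil --trust-mok); without it MOK keys still land in .platform and nothing changes for IMA.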
diff --git a/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING 
b/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING
index blahblah..blahblah 100644
--- a/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING
+++ b/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING
@@ -1 +1 @@
-# CONFIG_INTEGRITY_CA_MACHINE_KEYRING is not set
+CONFIG_INTEGRITY_CA_MACHINE_KEYRING=y
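Review bot: The commit message refers to CONFIG_INTEGRITY_CA_MACHINE_KEYRING_CA, which is not the symbol toggled here (CONFIG_INTEGRITY_CA_MACHINE_KEYRING); please fix the message so the two match. It would also help to note the behaviour change for existing MOK users: with this set, a MOK certificate that is not a CA (no CA:TRUE with keyCertSign) is placed in .platform instead of .machine, which is the intended effect (b) for module signing keys but will surprise anyone who was relying on a non-CA MOK reaching .machine on earlier configs.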
diff --git 
a/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX 
b/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX
@@ -0,0 +1 @@
+CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX=y
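Review bot: The message should spell out the certificate profile a MOK must meet to reach .machine once this is set: basicConstraints CA:TRUE, keyUsage keyCertSign, and no digitalSignature. A CA certificate that also carries digitalSignature (the common openssl default) is silently diverted to .platform and will not vouch for .ima keys, so users generating their "custom IMA CA keys" need that told to them here rather than discovering it from an empty .machine keyring after reboot. Since this is a new file rather than a flip of an existing "is not set" line, a one-line note on why MAX (and not just CA_MACHINE_KEYRING) is needed for FIA_X509_EXT.1 would make the rationale in the message easier to verify.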

--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2599
_______________________________________________
kernel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
