Mimi Zohar <[email protected]> wrote:

> Only certificates signed by a key on the system keyring were added to
> the IMA keyring, unless IMA_MOK_KEYRING was configured. Then, the
> certificate could be signed by either a key on the system or ima_mok
> keyrings. To replicate this behavior, the default behavior should be to
> only permit certificates signed by a key on the builtin keyring, unless
> this new Kconfig is enabled. Only then, permit certificates signed by a
> key on either the builtin or secondary keyrings to be added to the IMA
> keyring.

How about I change it to a choice-type item, with the following options:

 (1) No addition.

 (2) Addition restricted by built-in keyring.

 (3) Addition restricted by secondary keyring + built-in keyring.

where the second and third options then depend on the appropriate keyrings
being enabled.

David

