On Thu, 2021-02-18 at 17:00 -0500, Nayna Jain wrote:
> The kernel currently only loads the kernel module signing key onto
> the builtin trusted keyring. To support IMA, load the module signing
> key selectively either onto the builtin or IMA keyring based on MODULE_SIG
> or MODULE_APPRAISE_MODSIG config respectively; and loads the CA kernel
> key onto the builtin trusted keyring.
> 
> Signed-off-by: Nayna Jain <na...@linux.ibm.com>

Always having a CA key would simplify the code.   Otherwise for the
patch set,

Reviewed-by: Mimi Zohar <zo...@linux.ibm.com>

Reply via email to