Provide configuration option to load X509 certificate into the _ima kernel keyring.
Signed-off-by: Dmitry Kasatkin <[email protected]> --- security/integrity/ima/Kconfig | 9 +++++++++ security/integrity/ima/ima_init.c | 1 + 2 files changed, 10 insertions(+) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index be11c01..5474c47 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -131,3 +131,12 @@ config IMA_TRUSTED_KEYRING help This option requires that all keys added to the _ima keyring be signed by a key on the system trusted keyring. + +config IMA_LOAD_X509 + bool "Load X509 certificate to the '_ima' trusted keyring" + depends on IMA_TRUSTED_KEYRING + select INTEGRITY_LOAD_X509 + default n + help + This option enables X509 certificate loading from the kernel + to the '_ima' trusted keyring. diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 515c1a2..c13d6a8 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -108,6 +108,7 @@ int __init ima_init(void) ima_add_boot_aggregate(); /* boot aggregate must be first entry */ ima_init_policy(); integrity_init_keyring(INTEGRITY_KEYRING_IMA); + integrity_load_x509(INTEGRITY_KEYRING_IMA, "/etc/keys/x509_ima.der"); return ima_fs_init(); } -- 1.8.3.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
