ima: Reword IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
When the machine keyring is enabled, it may be used as a trust source for the .ima keyring. Add a reference to this in IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Eric Snowberg
Mimi Zohar
parent
2cc14f52ae
commit
bdf1abd17e
|
|
@ -243,7 +243,7 @@ config IMA_APPRAISE_MODSIG
|
|||
to accept such signatures.
|
||||
|
||||
config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
|
||||
bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
|
||||
bool "Permit keys validly signed by a built-in, machine (if configured) or secondary (EXPERIMENTAL)"
|
||||
depends on SYSTEM_TRUSTED_KEYRING
|
||||
depends on SECONDARY_TRUSTED_KEYRING
|
||||
depends on INTEGRITY_ASYMMETRIC_KEYS
|
||||
|
|
@ -251,14 +251,14 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
|
|||
default n
|
||||
help
|
||||
Keys may be added to the IMA or IMA blacklist keyrings, if the
|
||||
key is validly signed by a CA cert in the system built-in or
|
||||
secondary trusted keyrings. The key must also have the
|
||||
digitalSignature usage set.
|
||||
key is validly signed by a CA cert in the system built-in,
|
||||
machine (if configured), or secondary trusted keyrings. The
|
||||
key must also have the digitalSignature usage set.
|
||||
|
||||
Intermediate keys between those the kernel has compiled in and the
|
||||
IMA keys to be added may be added to the system secondary keyring,
|
||||
provided they are validly signed by a key already resident in the
|
||||
built-in or secondary trusted keyrings.
|
||||
built-in, machine (if configured) or secondary trusted keyrings.
|
||||
|
||||
config IMA_BLACKLIST_KEYRING
|
||||
bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
|
||||
|
|
|
|||
Loading…
Reference in New Issue