Commit bdf1abd1 authored by Eric Snowberg's avatar Eric Snowberg Committed by Mimi Zohar
Browse files

ima: Reword IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY 



When the machine keyring is enabled, it may be used as a trust source
for the .ima keyring.  Add a reference to this in
IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.

Signed-off-by: default avatarEric Snowberg <eric.snowberg@oracle.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent 2cc14f52

security/integrity/ima/Kconfig

+5 −5
Original line number Diff line number Diff line
@@ -243,7 +243,7 @@ config IMA_APPRAISE_MODSIG 
	   to accept such signatures.



config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY

	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"

	bool "Permit keys validly signed by a built-in, machine (if configured) or secondary (EXPERIMENTAL)"

	depends on SYSTEM_TRUSTED_KEYRING

	depends on SECONDARY_TRUSTED_KEYRING

	depends on INTEGRITY_ASYMMETRIC_KEYS
@@ -251,14 +251,14 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY 
	default n

	help

	  Keys may be added to the IMA or IMA blacklist keyrings, if the

	  key is validly signed by a CA cert in the system built-in or

	  secondary trusted keyrings. The key must also have the

	  digitalSignature usage set.

	  key is validly signed by a CA cert in the system built-in,

	  machine (if configured), or secondary trusted keyrings. The

	  key must also have the digitalSignature usage set.



	  Intermediate keys between those the kernel has compiled in and the

	  IMA keys to be added may be added to the system secondary keyring,

	  provided they are validly signed by a key already resident in the

	  built-in or secondary trusted keyrings.

	  built-in, machine (if configured) or secondary trusted keyrings.



config IMA_BLACKLIST_KEYRING

	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"