diff options
| author |  Eric Snowberg <eric.snowberg@oracle.com>
| 2023-05-22 19:09:43 -0400 |
|---|---|---|
| committer |  Jarkko Sakkinen <jarkko@kernel.org>
| 2023-08-17 20:12:35 +0000 |
| commit | 90f6f691a706754e33d2d0c6fa2e1dacedb477f6 (patch) | |
| tree | 21f58a26b3370ff62708d5f18bb3b501180456fc /security/integrity/ima | |
| parent | KEYS: DigitalSignature link restriction (diff) | |
| download | linux-90f6f691a706754e33d2d0c6fa2e1dacedb477f6.tar.gz linux-90f6f691a706754e33d2d0c6fa2e1dacedb477f6.tar.bz2 linux-90f6f691a706754e33d2d0c6fa2e1dacedb477f6.zip | |
integrity: Enforce digitalSignature usage in the ima and evm keyrings
After being vouched for by a system keyring, only allow keys into the .ima
and .evm keyrings that have the digitalSignature usage field set.
Link: https://lore.kernel.org/all/41dffdaeb7eb7840f7e38bc691fbda836635c9f9.camel@linux.ibm.com
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Acked-and-tested-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Diffstat (limited to 'security/integrity/ima')
| -rw-r--r-- | security/integrity/ima/Kconfig | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 60a511c6b583..684425936c53 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -270,7 +270,8 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY help Keys may be added to the IMA or IMA blacklist keyrings, if the key is validly signed by a CA cert in the system built-in or - secondary trusted keyrings. + secondary trusted keyrings. The key must also have the + digitalSignature usage set. Intermediate keys between those the kernel has compiled in and the IMA keys to be added may be added to the system secondary keyring, |