| Message ID | 20231102170617.2403495-2-eric.snowberg@oracle.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | ima: IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY cleanup | expand |
Hi Eric, The subject line is referred to as the 'summary' phrase. As far as I'm aware the length is still between 70-75 charcaters. Refer to https://www.kernel.org/doc/Documentation/process/submitting-patches.rst . On Thu, 2023-11-02 at 13:06 -0400, Eric Snowberg wrote: > When the machine keyring is enabled, it may be used as a trust source > for the .ima keyring. Add a reference to this in > IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY. > > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > --- > security/integrity/ima/Kconfig | 10 +++++----- > 1 file changed, 5 insertions(+), 5 deletions(-) > > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig > index a6bd817efc1a..c5dc0fabbc8b 100644 > --- a/security/integrity/ima/Kconfig > +++ b/security/integrity/ima/Kconfig > @@ -243,7 +243,7 @@ config IMA_APPRAISE_MODSIG > to accept such signatures. > > config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY > - bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" > + bool "Permit keys validly signed by a built-in, secondary or machine CA cert (EXPERIMENTAL)" Please add 'machine' in between built-in and secondary, like described below. > depends on SYSTEM_TRUSTED_KEYRING > depends on SECONDARY_TRUSTED_KEYRING > depends on INTEGRITY_ASYMMETRIC_KEYS > @@ -251,14 +251,14 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY > default n > help > Keys may be added to the IMA or IMA blacklist keyrings, if the > - key is validly signed by a CA cert in the system built-in or > - secondary trusted keyrings. The key must also have the > - digitalSignature usage set. > + key is validly signed by a CA cert in the system built-in, > + machine (if configured), or secondary trusted keyrings. The > + key must also have the digitalSignature usage set. > > Intermediate keys between those the kernel has compiled in and the > IMA keys to be added may be added to the system secondary keyring, > provided they are validly signed by a key already resident in the > - built-in or secondary trusted keyrings. > + built-in, machine (if configured) or secondary trusted keyrings. > > config IMA_BLACKLIST_KEYRING > bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
> On Nov 6, 2023, at 12:33 PM, Mimi Zohar <zohar@linux.ibm.com> wrote: > > Hi Eric, > > The subject line is referred to as the 'summary' phrase. As far as I'm > aware the length is still between 70-75 charcaters. Refer to > https://www.kernel.org/doc/Documentation/process/submitting-patches.rst > . > > On Thu, 2023-11-02 at 13:06 -0400, Eric Snowberg wrote: >> When the machine keyring is enabled, it may be used as a trust source >> for the .ima keyring. Add a reference to this in >> IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY. >> >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> >> --- >> security/integrity/ima/Kconfig | 10 +++++----- >> 1 file changed, 5 insertions(+), 5 deletions(-) >> >> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig >> index a6bd817efc1a..c5dc0fabbc8b 100644 >> --- a/security/integrity/ima/Kconfig >> +++ b/security/integrity/ima/Kconfig >> @@ -243,7 +243,7 @@ config IMA_APPRAISE_MODSIG >> to accept such signatures. >> >> config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY >> - bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" >> + bool "Permit keys validly signed by a built-in, secondary or machine CA cert (EXPERIMENTAL)" > > Please add 'machine' in between built-in and secondary, like described > below. I'll make both changes and send out a new version, thanks.
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index a6bd817efc1a..c5dc0fabbc8b 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -243,7 +243,7 @@ config IMA_APPRAISE_MODSIG to accept such signatures. config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY - bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" + bool "Permit keys validly signed by a built-in, secondary or machine CA cert (EXPERIMENTAL)" depends on SYSTEM_TRUSTED_KEYRING depends on SECONDARY_TRUSTED_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS @@ -251,14 +251,14 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY default n help Keys may be added to the IMA or IMA blacklist keyrings, if the - key is validly signed by a CA cert in the system built-in or - secondary trusted keyrings. The key must also have the - digitalSignature usage set. + key is validly signed by a CA cert in the system built-in, + machine (if configured), or secondary trusted keyrings. The + key must also have the digitalSignature usage set. Intermediate keys between those the kernel has compiled in and the IMA keys to be added may be added to the system secondary keyring, provided they are validly signed by a key already resident in the - built-in or secondary trusted keyrings. + built-in, machine (if configured) or secondary trusted keyrings. config IMA_BLACKLIST_KEYRING bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
When the machine keyring is enabled, it may be used as a trust source for the .ima keyring. Add a reference to this in IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- security/integrity/ima/Kconfig | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)