
redhat/configs: allow IMA to use MOK keys

Coiby Xu requested to merge coxu/kernel-ark:ima_mok into os-build

Users can add IMA CA keys to the MOK list which will be added to the .machine keyring. The .machine keyring is linked to the .secondary_trusted_keys keyring. Allow IMA to access the .secondary_trusted_keys keyring so users' custom IMA CA keys can be used to vouch for the keys to be added to the .ima keyring.

CONFIG_INTEGRITY_CA_MACHINE_KEYRING_CA and CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX are enabled to a) meet the requirement FIA_X509_EXT.1 X.509 as specified in OSPP 4.3 [1] and b) let custom kernel module signing keys stay in the .platform keyring.

[1] https://www.niap-ccevs.org/MMO/PP/OS%204.3%20PP/

Signed-off-by: Coiby Xu <coxu@redhat.com>
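The description relies on a chain of kernel options: the MOK list is loaded into the .machine keyring, the .machine keyring is linked into .secondary_trusted_keys, and IMA is permitted to consult that keyring. The shell check below is an added example, not part of this merge request or of the kernel-ark tree. It tests a kernel .config for the upstream Kconfig symbols behind each link in that chain (CONFIG_INTEGRITY_MACHINE_KEYRING, CONFIG_INTEGRITY_CA_MACHINE_KEYRING, CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX and CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY); which of these a given distribution build actually sets is an assumption to verify against the real config, and the sample .config embedded in the script is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the merge request): check a kernel .config for the
# options that together let IMA trust keys vouched for by a MOK-enrolled CA.
# Option names are the upstream Kconfig symbols; the set a distro build enables
# is an assumption, so run this against the actual config of interest.

# Each option covers one link in the chain described in the MR:
#   MOK list -> .machine keyring (INTEGRITY_MACHINE_KEYRING)
#   only CA certs land in .machine (INTEGRITY_CA_MACHINE_KEYRING[_MAX])
#   IMA may consult .secondary_trusted_keys, into which .machine is linked
#   (IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY)
REQUIRED_OPTS="CONFIG_INTEGRITY_MACHINE_KEYRING
CONFIG_INTEGRITY_CA_MACHINE_KEYRING
CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY"

# check_ima_mok_config FILE
# Prints one line per required option; returns 0 when every option is =y in
# FILE and 1 when at least one is missing or disabled.
check_ima_mok_config() {
    cfg="$1"
    missing=0
    for opt in $REQUIRED_OPTS; do
        # Anchored match so _KEYRING does not also satisfy _KEYRING_MAX.
        if grep -q "^${opt}=y$" "$cfg"; then
            echo "ok       $opt"
        else
            echo "MISSING  $opt"
            missing=1
        fi
    done
    return $missing
}

# running_kernel_config
# Prints the path of the running kernel's config when one can be found.
running_kernel_config() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        tmp=$(mktemp)
        zcat /proc/config.gz > "$tmp"
        echo "$tmp"
    fi
}

# Constructed sample: the CA-only restriction is on, but IMA is not permitted
# to consult .secondary_trusted_keys, so a MOK-enrolled IMA CA would never be
# used to vouch for keys added to .ima.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_INTEGRITY_MACHINE_KEYRING=y
CONFIG_INTEGRITY_CA_MACHINE_KEYRING=y
CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX=y
# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
EOF

echo "Checking constructed sample config $SAMPLE_CFG:"
check_ima_mok_config "$SAMPLE_CFG" \
    || echo "-> IMA would not consult MOK-enrolled CA keys on this config"

# Runtime counterpart (needs keyutils, not run here): on a booted kernel,
#   keyctl show %:.secondary_trusted_keys
# should list the .machine keyring as a linked member.
```

Running the check against `$(running_kernel_config)` instead of the constructed sample reports which link of the chain a given kernel build is missing; with all four options set the function returns 0, and the `keyctl show` command noted in the comment confirms at runtime that .machine is actually linked into .secondary_trusted_keys.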
