
redhat: add IMA certificates

Jan Stancek requested to merge jstancek/kernel-ark:ima_certs into os-build

Forward port c9s commit: 7ff63254426d ("redhat: add IMA certificates")

Starting with RHEL9.0, installed package files will have IMA signatures if users choose so. The IMA subsystem will search for the certificate in the .ima keyring to verify a file signature and thus make sure this file hasn't been tampered with. To be able to add the IMA code-signing certificate to the .ima keyring, this certificate needs to be signed by a CA certificate in the system keyrings.

This patch builds the IMA CA certificate into the .builtin_trusted_keys keyring and installs the IMA code-signing certificate to /usr/share/doc/kernel-keys/KVERREL/ima.cer for user space tools like dracut to add it to the .ima keyring.

Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Jan Stancek <jstancek@redhat.com>
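The description above says IMA looks a certificate up in the .ima keyring to verify a file's signature. The lookup key comes from the signature itself: the `security.ima` xattr on a signed file carries the kernel's `signature_v2_hdr` (type, version, hash algorithm, a big-endian 32-bit key id, a big-endian signature length, then the signature), and the kernel searches the keyring for an asymmetric key described by `id:<keyid>`. The decoder below is an added example, not code from this merge request or from the kernel or ima-evm-utils; the sample xattr value it builds is constructed, with a fake signature body, and the key id 0x1a2b3c4d is an arbitrary placeholder. It checks the same things the kernel rejects (unknown type, unsupported version, unknown hash, length mismatch) and also decodes the hash-only `digest_ng` form.

```python
"""Decode a security.ima extended attribute (added example, not project code).

Layout follows the kernel's signature_v2_hdr: type(1) version(1) hash_algo(1)
keyid(4, big-endian) sig_size(2, big-endian) signature(sig_size).
"""
import struct

EVM_IMA_XATTR_DIGSIG = 0x03   # security.ima holds a signature_v2_hdr
IMA_XATTR_DIGEST_NG = 0x04    # security.ima holds only a hash: algo byte + digest
DIGSIG_VERSION_2 = 2

# First entries of enum hash_algo (include/uapi/linux/hash_info.h)
HASH_ALGO = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
             4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}

# Header fields after the type byte: version, hash_algo, keyid, sig_size
_SIG_HDR = struct.Struct(">BBIH")


def from_getfattr_hex(text):
    """Convert the value printed by `getfattr -e hex` ("0x0302...") to bytes."""
    text = text.strip()
    if text.startswith("0x"):
        text = text[2:]
    return bytes.fromhex(text)


def parse_ima_xattr(value):
    """Decode a security.ima value into a dict.

    Raises ValueError for input the kernel would also refuse: unknown type,
    unsupported signature version, unknown hash, or a payload whose length
    does not match sig_size.
    """
    if not value:
        raise ValueError("empty security.ima")
    xtype = value[0]
    if xtype == IMA_XATTR_DIGEST_NG:
        if len(value) < 2:
            raise ValueError("digest_ng entry without algorithm byte")
        algo = HASH_ALGO.get(value[1])
        if algo is None:
            raise ValueError("unknown hash algorithm %d" % value[1])
        return {"type": "digest", "hash_algo": algo, "digest": value[2:].hex()}
    if xtype != EVM_IMA_XATTR_DIGSIG:
        raise ValueError("unsupported security.ima type 0x%02x" % xtype)
    if len(value) < 1 + _SIG_HDR.size:
        raise ValueError("signature header truncated")
    version, algo_id, keyid, sig_size = _SIG_HDR.unpack_from(value, 1)
    if version != DIGSIG_VERSION_2:
        raise ValueError("unsupported signature version %d" % version)
    algo = HASH_ALGO.get(algo_id)
    if algo is None:
        raise ValueError("unknown hash algorithm %d" % algo_id)
    sig = value[1 + _SIG_HDR.size:]
    if len(sig) != sig_size:
        raise ValueError("sig_size %d does not match payload length %d"
                         % (sig_size, len(sig)))
    return {
        "type": "signature",
        "hash_algo": algo,
        # Description the kernel searches for in the .ima keyring
        "key_lookup": "id:%08x" % keyid,
        "sig_size": sig_size,
        "signature": sig,
    }


def build_sample_digsig(keyid=0x1A2B3C4D, sig_len=256):
    """Constructed sample value: real header layout, fake signature body.

    The key id is an arbitrary placeholder, not a real certificate's id.
    """
    fake_sig = bytes(i % 256 for i in range(sig_len))
    hdr = _SIG_HDR.pack(DIGSIG_VERSION_2, 4, keyid, sig_len)  # 4 == sha256
    return bytes([EVM_IMA_XATTR_DIGSIG]) + hdr + fake_sig


if __name__ == "__main__":
    sample_hex = "0x" + build_sample_digsig().hex()   # what getfattr -e hex prints
    info = parse_ima_xattr(from_getfattr_hex(sample_hex))
    print("hash:", info["hash_algo"], "lookup:", info["key_lookup"],
          "signature bytes:", info["sig_size"])
```

On a RHEL 9 system with IMA-signed packages, `getfattr -m - -d -e hex <file>` prints the `security.ima` value this decoder takes as input. Verification can only succeed once a key matching the reported `key_lookup` is in the .ima keyring; a tool such as dracut adds it with `keyctl padd asymmetric "" %keyring:.ima < ima.cer` using the ima.cer path the patch installs (with KVERREL replaced by the kernel version), and that add is accepted only because the certificate chains to the CA this patch builds into .builtin_trusted_keys. `keyctl show %keyring:.ima` lists what is currently loaded.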
