redhat: add IMA certificates
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1870705
Upstream Status: RHEL only
Starting with RHEL9.0, installed package files will have IMA signatures if users choose so. The IMA subsystem will search for the certificate in the .ima keyring to verify a file signature and thus make sure the file hasn't been tampered with. To be able to add the IMA code-signing certificate to the .ima keyring, this certificate needs to be signed by a CA certificate in the system keyrings.
This patch builds the IMA CA certificate into the .builtin_trusted_keys keyring and installs the IMA code-signing certificate to /usr/share/doc/kernel-keys/KVERREL/ima.cer for user space tools like dracut to add it to the .ima keyring.
Signed-off-by: Coiby Xu <coxu@redhat.com>
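
The trust rule in the commit message (a code-signing certificate can be added to .ima only if a CA in the system keyrings signed it) can be modelled in user space with openssl. This is an added example, not part of the patch or the kernel's own check: the CA, certificates and file names are constructed, and `openssl verify` stands in for the kernel's keyring restriction.

```shell
#!/bin/sh
# Added example: every key, certificate and name below is constructed and throwaway.

# new_ca DIR: self-signed CA, standing in for the IMA CA in .builtin_trusted_keys.
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed IMA CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# new_signed_cert DIR NAME: code-signing certificate issued by the CA in DIR.
new_signed_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 1 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.pem" 2>/dev/null
}

# new_selfsigned_cert DIR NAME: certificate with no link to the CA.
new_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# chains_to_ca CA_PEM CERT_PEM: succeed only if CERT_PEM is signed by CA_PEM.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# loadable_into_ima CA_PEM CERT_PEM: print the decision the trust rule implies
# (user-space model only; the kernel applies its own check on key insertion).
loadable_into_ima() {
    if chains_to_ca "$1" "$2"; then echo accept; else echo reject; fi
}

demo() {
    dir=$(mktemp -d) || return 1
    new_ca "$dir" && new_signed_cert "$dir" ima && new_selfsigned_cert "$dir" rogue
    echo "ima.pem:   $(loadable_into_ima "$dir/ca.pem" "$dir/ima.pem")"
    echo "rogue.pem: $(loadable_into_ima "$dir/ca.pem" "$dir/rogue.pem")"
    rm -rf "$dir"
}
demo
```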