redhat: add IMA certificates

Coiby Xu requested to merge coxu/centos-stream-9:ima_certs into main

redhat: add IMA certificates

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1870705

Upstream Status: RHEL only

Starting with RHEL9.0, installed package files will have IMA signatures if users choose so. The IMA subsystem will search for the certificate in the .ima keyring to verify a file signature and thus make sure this file hasn't been tampered with. To be able to add the IMA code-signing certificate to the .ima keyring, this certificate needs to be signed by a CA certificate in the system keyrings.

This patch builds the IMA CA certificate into the .builtin_trusted_keys keyring and installs the IMA code-signing certificate to /usr/share/doc/kernel-keys/KVERREL/ima.cer for user space tools like dracut to add it to the .ima keyring.

Signed-off-by: Coiby Xu <coxu@redhat.com>
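The user-space step the description refers to (a tool such as dracut adding the shipped ima.cer to the .ima keyring, after which IMA can check file signatures against it), as an added shell example that is not part of this merge request or of dracut. It assumes keyctl, openssl and evmctl are installed; the function names are ours, and the loaded certificate is only accepted by the kernel if it chains to a CA in .builtin_trusted_keys as the patch arranges.

```shell
#!/bin/sh
# Constructed example: locate the IMA code-signing certificate installed by
# the kernel package, inspect it, load it into the .ima keyring and use it to
# verify a file's IMA signature.
set -eu

# Path the patch installs the certificate to, for a given kernel release
# (KVERREL in the description is the running kernel's release string).
ima_cert_path() {
    printf '%s\n' "/usr/share/doc/kernel-keys/$1/ima.cer"
}

# Confirm the file is a DER-encoded X.509 certificate and show subject and
# issuer, so an operator can see which CA must be in .builtin_trusted_keys
# for the kernel to accept it.
ima_cert_info() {
    openssl x509 -inform DER -in "$1" -noout -subject -issuer
}

# Hand the certificate to the kernel. keyctl does no validation itself; the
# kernel rejects the key unless it is signed by a trusted system CA.
ima_cert_load() {
    keyctl padd asymmetric "" %keyring:.ima < "$1"
}

# Verify one file's IMA signature (security.ima xattr) against the
# certificate, the same check the kernel performs on access.
ima_verify_file() {
    evmctl ima_verify -k "$1" "$2"
}

# Usage (as root): main [file-to-verify]
main() {
    cert=$(ima_cert_path "$(uname -r)")
    [ -r "$cert" ] || { echo "no IMA certificate at $cert" >&2; return 1; }
    ima_cert_info "$cert"
    ima_cert_load "$cert"
    keyctl show %keyring:.ima
    [ $# -ge 1 ] && ima_verify_file "$cert" "$1"
    return 0
}
```

Call `main /usr/bin/ls` (or any file from a signed package) as root; a missing or tampered signature makes evmctl exit non-zero.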
