review.tizen.org Git - platform/kernel/linux-starfive.git/commit

author	Eric Snowberg <eric.snowberg@oracle.com>
	Thu, 2 Mar 2023 16:46:52 +0000 (11:46 -0500)
committer	Jarkko Sakkinen <jarkko@kernel.org>
	Mon, 24 Apr 2023 13:15:53 +0000 (16:15 +0300)
commit	099f26f22f5834ad744aee093ed4d11de13cac15
tree	78982465b1d36b2d58b97e03b4888a3d84d22032	tree \| snapshot
parent	76adb2fbc69a13c80b39042aab4d34e99309c8d4	commit \| diff

integrity: machine keyring CA configuration

Add machine keyring CA restriction options to control the type of
keys that may be added to it. The motivation is separation of
certificate signing from code signing keys. Subsquent work will
limit certificates being loaded into the IMA keyring to code
signing keys used for signature verification.

When no restrictions are selected, all Machine Owner Keys (MOK) are added
to the machine keyring. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING is
selected, the CA bit must be true. Also the key usage must contain
keyCertSign, any other usage field may be set as well.

When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must
be true. Also the key usage must contain keyCertSign and the
digitialSignature usage may not be set.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

crypto/asymmetric_keys/restrict.c		diff \| blob \| history
security/integrity/Kconfig		diff \| blob \| history
security/integrity/digsig.c		diff \| blob \| history