    IMA: create machine owner and blacklist keyrings · 41c89b64
    Petko Manolov authored
    This option creates IMA MOK and blacklist keyrings.  IMA MOK is an
    intermediate keyring that sits between the .system and .ima keyrings,
    effectively forming a simple CA hierarchy.  To successfully import a key
    into .ima_mok, it must be signed by a key whose CA is in the .system keyring.
    In turn, any key that needs to go in the .ima keyring must be signed by a CA in
    either the .system or .ima_mok keyrings.  IMA MOK is empty at kernel boot.
    
    The IMA blacklist keyring contains all revoked IMA keys.  It is consulted
    before any other keyring.  If the search is successful, the requested
    operation is rejected and an error is returned to the caller.
    
    Signed-off-by: Petko Manolov <petkan@mip-labs.com>
    Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
system_keyring.h 1.48 KB