Re: [PATCH v5 6/6] integrity: machine keyring CA configuration

From: Mimi Zohar <zohar@linux.ibm.com>
To: Eric Snowberg <eric.snowberg@oracle.com>,
	jarkko@kernel.org, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net,
	dmitry.kasatkin@gmail.com, paul@paul-moore.com,
	jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz,
	kanth.ghatraju@oracle.com, konrad.wilk@oracle.com,
	erpalmer@linux.vnet.ibm.com, coxu@redhat.com,
	keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH v5 6/6] integrity: machine keyring CA configuration
Date: Mon, 13 Mar 2023 10:26:47 -0400	[thread overview]
Message-ID: <32ec16c9c3caa731c3de69371de6318da7f7ea91.camel@linux.ibm.com> (raw)
In-Reply-To: <20230302164652.83571-7-eric.snowberg@oracle.com>

On Thu, 2023-03-02 at 11:46 -0500, Eric Snowberg wrote:
> Add machine keyring CA restriction options to control the type of
> keys that may be added to it. The motivation is separation of
> certificate signing from code signing keys. Subsquent work will
> limit certificates being loaded into the IMA keyring to code
> signing keys used for signature verification.
> 
> When no restrictions are selected, all Machine Owner Keys (MOK) are added
> to the machine keyring.  When CONFIG_INTEGRITY_CA_MACHINE_KEYRING is
> selected, the CA bit must be true.  Also the key usage must contain
> keyCertSign, any other usage field may be set as well.
> 
> When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must
> be true. Also the key usage must contain keyCertSign and the
> digitialSignature usage may not be set.
> 
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>

Thanks, Eric.

Acked-by: Mimi Zohar <zohar@linux.ibm.com>