From: Coiby Xu <coxu(a)redhat.com>
redhat/configs: allow IMA to use MOK keys
Users can add IMA CA keys to the MOK list which will be added to the
.machine keyring. The .machine keyring is linked to the
.secondary_trusted_keys keyring. Allow IMA to access the
.secondary_trusted_keys keyring so users' custom IMA CA keys can be
used to vouch for the keys to be added to the .ima keyring.
CONFIG_INTEGRITY_CA_MACHINE_KEYRING_CA and
CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX are enabled to a) meet the
requirement FIA_X509_EXT.1 X.509 as specified in OSPP 4.3 [1] and b) let
the custom kernel module signing key stay in the .platform keyring.
[1] https://www.niap-ccevs.org/MMO/PP/OS%204.3%20PP/
Signed-off-by: Coiby Xu <coxu(a)redhat.com>
diff --git
a/redhat/configs/common/generic/CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
b/redhat/configs/common/generic/CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
index blahblah..blahblah 100644
---
a/redhat/configs/common/generic/CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
+++
b/redhat/configs/common/generic/CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
@@ -1 +1 @@
-# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
+CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
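Review bot: this option depends on CONFIG_SECONDARY_TRUSTED_KEYRING (and on CONFIG_INTEGRITY_ASYMMETRIC_KEYS, selecting CONFIG_INTEGRITY_TRUSTED_KEYRING), and neither this hunk nor the commit message shows those being set in common/generic; please confirm they are already =y or the new value will be silently dropped at olddefconfig time, and say so in the message. It is also worth stating in the message that the set of CAs able to vouch for .ima keys grows from .builtin_trusted_keys to everything reachable from .secondary_trusted_keys, which includes not only the .machine keyring but any key root later links into .secondary_trusted_keys that chains to an already trusted CA.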
diff --git a/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING
b/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING
index blahblah..blahblah 100644
--- a/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING
+++ b/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING
@@ -1 +1 @@
-# CONFIG_INTEGRITY_CA_MACHINE_KEYRING is not set
+CONFIG_INTEGRITY_CA_MACHINE_KEYRING=y
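Review bot: the commit message calls this option CONFIG_INTEGRITY_CA_MACHINE_KEYRING_CA, but the symbol changed here is CONFIG_INTEGRITY_CA_MACHINE_KEYRING; fix the name in the message so it matches the file. This option only exists when CONFIG_INTEGRITY_MACHINE_KEYRING=y, which the patch does not touch; if that is not already set in common/generic this hunk has no effect.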
diff --git a/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX
b/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/configs/common/generic/CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX
@@ -0,0 +1 @@
+CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX=y
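Review bot: with the _MAX variant a MOK certificate that carries both keyCertSign and digitalSignature is refused by .machine and diverted to .platform, so a single certificate can no longer serve as both IMA CA and module-signing key. The message's "let the custom kernel module signing key stay in the .platform keyring" should spell out the resulting requirement for user-generated IMA CAs (basicConstraints CA:TRUE plus keyCertSign, and no digitalSignature), otherwise users will enrol a CA that unexpectedly lands on .platform and cannot vouch for .ima keys.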
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2599
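Added example, not part of this merge request or of the kernel tree: a shell
walkthrough of the chain the commit message describes (MOK -> .machine ->
.secondary_trusted_keys -> .ima) on a machine running a kernel built with the
three options above. The first function encodes the acceptance rule that
CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX applies to MOK certificates, which is
what sends a module-signing key to .platform instead of .machine; the remaining
functions generate a conforming IMA CA and leaf with openssl and check, with
keyutils, where the keys landed. All file names, subject names and function
names are this example's own.

```shell
#!/bin/sh
# Added example (not part of this MR or of the kernel tree): walk the
# MOK -> .machine -> .secondary_trusted_keys -> .ima chain that the configs rely on.
# File names, CN values and helper names are this example's own choices.

# Decide whether a kernel built with CONFIG_INTEGRITY_CA_MACHINE_KEYRING=y and
# CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX=y would load a MOK certificate onto
# the .machine keyring: it must be a CA (basicConstraints CA:TRUE) with the
# keyCertSign usage, and with _MAX it must NOT carry digitalSignature.
# Anything else is diverted to .platform.  Input is the text form of the
# certificate as printed by 'openssl x509 -noout -text'.
# Returns 0 for .machine, 1 for .platform.
machine_keyring_accepts() {
    case $1 in *"CA:TRUE"*) ;; *) return 1 ;; esac
    case $1 in *"Certificate Sign"*) ;; *) return 1 ;; esac
    case $1 in *"Digital Signature"*) return 1 ;; esac
    return 0
}

# Create a self-signed IMA CA that passes the rule above (keyCertSign only)
# and convert it to DER, the form 'mokutil --import' expects.
make_ima_ca() {
    openssl req -x509 -newkey rsa:3072 -nodes -days 3650 -sha256 \
        -subj "/CN=Example IMA CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout ima-ca.key -out ima-ca.pem &&
    openssl x509 -in ima-ca.pem -outform DER -out ima-ca.der
}

# Issue the leaf certificate that will actually sign files (CA:FALSE,
# digitalSignature only).  It is the leaf, not the CA, that goes onto .ima.
make_ima_leaf() {
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext &&
    openssl req -new -newkey rsa:3072 -nodes -sha256 \
        -subj "/CN=Example IMA file signer" \
        -keyout ima-leaf.key -out ima-leaf.csr &&
    openssl x509 -req -in ima-leaf.csr -CA ima-ca.pem -CAkey ima-ca.key \
        -CAcreateserial -days 730 -sha256 -extfile leaf.ext -out ima-leaf.pem &&
    openssl x509 -in ima-leaf.pem -outform DER -out ima-leaf.der
}

# Print each of .machine, .secondary_trusted_keys and .platform whose listing
# contains the given subject string.  With the configs above and a CA-only key
# expect .machine and .secondary_trusted_keys (the latter because .machine is
# linked into it); a CA that also has digitalSignature shows up only on
# .platform.  Needs keyutils and root, after 'mokutil --import ima-ca.der',
# a reboot and the MokManager enrolment.
keyring_locations() {
    for kr in .machine .secondary_trusted_keys .platform; do
        keyctl show "%:$kr" 2>/dev/null | grep -q -- "$1" && echo "$kr"
    done
    return 0
}

# Load the leaf onto .ima.  With CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
# the kernel verifies its signature against .builtin_trusted_keys and
# .secondary_trusted_keys (hence .machine); with the option unset the same
# command is refused (EKEYREJECTED) because the CA is not a built-in key.
load_ima_leaf() {
    keyctl padd asymmetric "" %:.ima < ima-leaf.der
}

# Usage on the target machine, step by step:
#   make_ima_ca && mokutil --import ima-ca.der   # reboot, enrol in MokManager
#   keyring_locations "Example IMA CA"           # .machine, .secondary_trusted_keys
#   make_ima_leaf && load_ima_leaf
```

One caveat outside the scope of these config files: MOK entries reach
.machine only when shim exposes the MokListTrustedRT variable (enabled with
'mokutil --trust-mok'); without it the kernel loads the whole MOK list into
.platform regardless of the CA restrictions selected here.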