linux/security
Eric Snowberg 099f26f22f integrity: machine keyring CA configuration
Add machine keyring CA restriction options to control the type of
keys that may be added to it. The motivation is separation of
certificate signing from code signing keys. Subsquent work will
limit certificates being loaded into the IMA keyring to code
signing keys used for signature verification.

When no restrictions are selected, all Machine Owner Keys (MOK) are added
to the machine keyring.  When CONFIG_INTEGRITY_CA_MACHINE_KEYRING is
selected, the CA bit must be true.  Also the key usage must contain
keyCertSign, any other usage field may be set as well.

When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must
be true. Also the key usage must contain keyCertSign and the
digitialSignature usage may not be set.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2023-04-24 16:15:53 +03:00
..
apparmor capability: just use a 'u64' instead of a 'u32[2]' array 2023-03-01 10:01:22 -08:00
bpf bpf: Implement task local storage 2020-11-06 08:08:37 -08:00
integrity integrity: machine keyring CA configuration 2023-04-24 16:15:53 +03:00
keys keys: Do not cache key in task struct if key is requested from kernel thread 2023-03-21 16:22:40 +00:00
landlock landlock: Support file truncation 2022-10-19 09:01:44 +02:00
loadpin LoadPin: Allow filesystem switch when not enforcing 2023-01-19 15:18:20 -08:00
lockdown lockdown: ratelimit denial messages 2022-09-14 07:37:50 -04:00
safesetid LSM: SafeSetID: Add setgroups() security policy handling 2022-07-15 18:24:42 +00:00
selinux - Daniel Verkamp has contributed a memfd series ("mm/memfd: add 2023-02-23 17:09:35 -08:00
smack One fix for resetting CIPSO labeling. 2023-02-22 12:52:59 -08:00
tomoyo tomoyo: Update website link 2023-01-13 23:11:38 +09:00
yama task_work: cleanup notification modes 2020-10-17 15:05:30 -06:00
commoncap.c capability: just use a 'u64' instead of a 'u32[2]' array 2023-03-01 10:01:22 -08:00
device_cgroup.c device_cgroup: Roll back to original exceptions after copy failure 2022-11-16 18:28:55 -05:00
inode.c
Kconfig x86/retbleed: Add fine grained Kconfig knobs 2022-06-29 17:43:41 +02:00
Kconfig.hardening randstruct: disable Clang 15 support 2023-02-08 15:26:58 -08:00
lsm_audit.c audit: Fix some kernel-doc warnings 2022-10-28 06:37:55 -04:00
Makefile security: remove unneeded subdir-$(CONFIG_...) 2021-09-03 08:17:20 +09:00
min_addr.c sysctl: pass kernel pointers to ->proc_handler 2020-04-27 02:07:40 -04:00
security.c integrity-v6.3 2023-02-22 12:36:25 -08:00