Re: [PATCH 1/2] ima: Add machine keyring reference to IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
From: Eric Snowberg
Date: Mon Nov 06 2023 - 16:33:53 EST
> On Nov 6, 2023, at 12:33 PM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> Hi Eric,
>
> The subject line is referred to as the 'summary' phrase. As far as I'm
> aware the length is still between 70-75 charcaters. Refer to
> https://www.kernel.org/doc/Documentation/process/submitting-patches.rst
> .
>
> On Thu, 2023-11-02 at 13:06 -0400, Eric Snowberg wrote:
>> When the machine keyring is enabled, it may be used as a trust source
>> for the .ima keyring. Add a reference to this in
>> IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.
>>
>> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
>> ---
>> security/integrity/ima/Kconfig | 10 +++++-----
>> 1 file changed, 5 insertions(+), 5 deletions(-)
>>
>> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
>> index a6bd817efc1a..c5dc0fabbc8b 100644
>> --- a/security/integrity/ima/Kconfig
>> +++ b/security/integrity/ima/Kconfig
>> @@ -243,7 +243,7 @@ config IMA_APPRAISE_MODSIG
>> to accept such signatures.
>>
>> config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
>> - bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
>> + bool "Permit keys validly signed by a built-in, secondary or machine CA cert (EXPERIMENTAL)"
>
> Please add 'machine' in between built-in and secondary, like described
> below.
I'll make both changes and send out a new version, thanks.