diff options
author | Dmitry Kasatkin <dmitry.kasatkin@huawei.com> | 2015-10-22 21:26:10 +0300 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2015-11-23 14:30:02 -0500 |
commit | f4dc37785e9b3373d0cb93125d5579fed2af3a43 (patch) | |
tree | b1bed1b8038d92770cc9881a1ad57b97e1b57dc3 /security/integrity/ima/Kconfig | |
parent | ebd68df3f24b318d391d15c458d6f43f340ba36a (diff) | |
download | linux-f4dc37785e9b3373d0cb93125d5579fed2af3a43.tar.gz linux-f4dc37785e9b3373d0cb93125d5579fed2af3a43.tar.bz2 linux-f4dc37785e9b3373d0cb93125d5579fed2af3a43.zip |
integrity: define '.evm' as a builtin 'trusted' keyring
Require all keys added to the EVM keyring be signed by an
existing trusted key on the system trusted keyring.
This patch also switches IMA to use integrity_init_keyring().
Changes in v3:
* Added 'init_keyring' config based variable to skip initializing
keyring instead of using __integrity_init_keyring() wrapper.
* Added dependency back to CONFIG_IMA_TRUSTED_KEYRING
Changes in v2:
* Replace CONFIG_EVM_TRUSTED_KEYRING with IMA and EVM common
CONFIG_INTEGRITY_TRUSTED_KEYRING configuration option
* Deprecate CONFIG_IMA_TRUSTED_KEYRING but keep it for config
file compatibility. (Mimi Zohar)
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/ima/Kconfig')
-rw-r--r-- | security/integrity/ima/Kconfig | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index df303346029b..a292b881c16f 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -123,14 +123,17 @@ config IMA_APPRAISE If unsure, say N. config IMA_TRUSTED_KEYRING - bool "Require all keys on the .ima keyring be signed" + bool "Require all keys on the .ima keyring be signed (deprecated)" depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS + select INTEGRITY_TRUSTED_KEYRING default y help This option requires that all keys added to the .ima keyring be signed by a key on the system trusted keyring. + This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING + config IMA_LOAD_X509 bool "Load X509 certificate onto the '.ima' trusted keyring" depends on IMA_TRUSTED_KEYRING |