IMA: create machine owner and blacklist keyrings
authorPetko Manolov <petkan@mip-labs.com>
Wed, 2 Dec 2015 15:47:55 +0000 (17:47 +0200)
committerMimi Zohar <zohar@linux.vnet.ibm.com>
Tue, 15 Dec 2015 15:01:43 +0000 (10:01 -0500)
commit41c89b64d7184a780f12f2cccdabe65cb2408893
tree2f4b10b186e186bd70be5fea18c8423334ab831d
parent38d859f991f3a05b352a06f82af0baa1acf33e02
IMA: create machine owner and blacklist keyrings

This option creates IMA MOK and blacklist keyrings.  IMA MOK is an
intermediate keyring that sits between .system and .ima keyrings,
effectively forming a simple CA hierarchy.  To successfully import a key
into .ima_mok it must be signed by a key which CA is in .system keyring.
On turn any key that needs to go in .ima keyring must be signed by CA in
either .system or .ima_mok keyrings. IMA MOK is empty at kernel boot.

IMA blacklist keyring contains all revoked IMA keys.  It is consulted
before any other keyring.  If the search is successful the requested
operation is rejected and error is returned to the caller.

Signed-off-by: Petko Manolov <petkan@mip-labs.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
crypto/asymmetric_keys/x509_public_key.c
include/keys/system_keyring.h
security/integrity/digsig_asymmetric.c
security/integrity/ima/Kconfig
security/integrity/ima/Makefile
security/integrity/ima/ima_mok.c [new file with mode: 0644]