integrity: Enforce digitalSignature usage in the ima and evm keyrings

After being vouched for by a system keyring, only allow keys into the .ima
and .evm keyrings that have the digitalSignature usage field set.

Link: https://lore.kernel.org/all/41dffdaeb7eb7840f7e38bc691fbda836635c9f9.camel@linux.ibm.com
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Acked-and-tested-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
This commit is contained in:
Eric Snowberg
2023-05-22 19:09:43 -04:00
committed by Jarkko Sakkinen
parent 4cfb908054
commit 90f6f691a7
3 changed files with 6 additions and 4 deletions
+2 -1
View File
@@ -64,7 +64,8 @@ config EVM_LOAD_X509
This option enables X509 certificate loading from the kernel
onto the '.evm' trusted keyring. A public key can be used to
verify EVM integrity starting from the 'init' process.
verify EVM integrity starting from the 'init' process. The
key must have digitalSignature usage set.
config EVM_X509_PATH
string "EVM X509 certificate path"