forked from torvalds/linux
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
KEYS: Introduce sig restriction that validates root of trust
The current keyring restrictions validate if a key can be vouched for by another key already contained in a keyring. Add a new restriction called restrict_link_by_rot_and_signature that both vouches for the new key and validates the vouching key contains the builtin root of trust flag. Two new system keyring restrictions are added to use restrict_link_by_rot_and_signature. The first restriction called restrict_link_by_rot_builtin_trusted uses the builtin_trusted_keys as the restricted keyring. The second system keyring restriction called restrict_link_by_rot_builtin_and_secondary_trusted uses the secondary_trusted_keys as the restricted keyring. Should the machine keyring be defined, it shall be validated too, since it is linked to the secondary_trusted_keys keyring. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
- Loading branch information
1 parent
efb1716
commit 68d98a1
Showing
3 changed files
with
76 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters