On Fri, 2016-04-01 at 15:06 +0100, David Howells wrote:
> David Howells <[email protected]> wrote:
>
> > The three choice options I implemented don't exactly provide new features.
> > Firstly:
> >
> > config IMA_LOAD_X509
> >
> > allow keys to be loaded in at compile time,
>
> Ah - I think I'm labouring under a slight misapprehension here. IMA_LOAD_X509
> doesn't load keys at compile time, but rather the kernel loads a file by name
> when booting, right?
Right, all certificates must be signed by a key on the builtin (or secondary)
keyring before being added to the IMA keyring. Similarly, dracut
(modules/98integrity/) and systemd (ima-setup.c) have support for loading
signed certificates on the IMA keyring.

Mimi
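To make the signing requirement concrete, here is an added example that is not code from this thread, from dracut, from systemd or from the kernel. It builds a throwaway PKI with openssl: a CA key that stands in for a key on the builtin keyring, an IMA certificate signed by that CA, and a self-signed certificate that is not chained to it. The file names, subjects and the `make_test_pki` / `verify_chain` / `show_load_command` helpers are my own; `openssl verify` plays the role of the kernel's check that a certificate chains to a trusted key. The `keyctl padd asymmetric '' %keyring:.ima < file.der` invocation is the usual user-space way to add a DER certificate to the .ima keyring, but it needs root and an IMA-enabled kernel, so the script only prints it.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI. All names are
# arbitrary choices made for this demonstration.

# Build a test PKI in $1: ca.crt (trusted root, stands in for a builtin
# keyring key), x509_ima.crt/.der (signed by the CA), rogue.crt (self-signed).
make_test_pki() {
    dir="$1"
    # CA key/cert: the "builtin keyring" key for this demo
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Test builtin CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    # IMA signing key: CSR first, then have the CA sign it
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Test IMA key" \
        -keyout "$dir/ima.key" -out "$dir/ima.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 365 -in "$dir/ima.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/x509_ima.crt" >/dev/null 2>&1 || return 1
    # DER encoding, which is the form fed to the keyring
    openssl x509 -in "$dir/x509_ima.crt" -outform DER \
        -out "$dir/x509_ima.der" >/dev/null 2>&1 || return 1
    # Rogue key: self-signed, not chained to the CA, so it must be rejected
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Rogue IMA key" \
        -keyout "$dir/rogue.key" -out "$dir/rogue.crt" >/dev/null 2>&1 || return 1
}

# Stand-in for the kernel's check: $2 must chain to the trusted cert $1.
# Exit status 0 if it does, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The user-space command that loads a DER cert onto the .ima keyring.
# Printed rather than executed: it needs root and an IMA-enabled kernel,
# and the kernel will refuse the cert unless verify_chain above would pass.
show_load_command() {
    echo "keyctl padd asymmetric '' %keyring:.ima < $1"
}
```

Running `make_test_pki` into a scratch directory and then calling `verify_chain` on the two leaf certificates shows the asymmetry the thread describes: the CA-signed `x509_ima.crt` verifies, the self-signed `rogue.crt` does not, and only the former would be accepted by the keyring load that `show_load_command` prints.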

