git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commit

author	Petko Manolov <petkan@mip-labs.com>
	Wed, 2 Dec 2015 15:47:55 +0000 (17:47 +0200)
committer	Tim Gardner <tim.gardner@canonical.com>
	Wed, 20 Apr 2016 20:08:50 +0000 (14:08 -0600)
commit	c926114774bf335dbc7c95391345a52fc589f683
tree	d06a956d62d4f1e1a318da820c269ea46c250b8b	tree
parent	d25ee574884368db547466624c2256de905195a3	commit \| diff

IMA: create machine owner and blacklist keyrings

BugLink: http://bugs.launchpad.net/bugs/1569924
This option creates IMA MOK and blacklist keyrings.  IMA MOK is an
intermediate keyring that sits between .system and .ima keyrings,
effectively forming a simple CA hierarchy.  To successfully import a key
into .ima_mok it must be signed by a key which CA is in .system keyring.
On turn any key that needs to go in .ima keyring must be signed by CA in
either .system or .ima_mok keyrings. IMA MOK is empty at kernel boot.

IMA blacklist keyring contains all revoked IMA keys.  It is consulted
before any other keyring.  If the search is successful the requested
operation is rejected and error is returned to the caller.

Signed-off-by: Petko Manolov <petkan@mip-labs.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
(back ported from commit 41c89b64d7184a780f12f2cccdabe65cb2408893)
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Conflicts:
security/integrity/ima/Kconfig
Signed-off-by: Andy Whitcroft <andy.whitcroft@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

crypto/asymmetric_keys/x509_public_key.c		diff \| blob \| blame \| history
include/keys/system_keyring.h		diff \| blob \| blame \| history
security/integrity/digsig_asymmetric.c		diff \| blob \| blame \| history
security/integrity/ima/Kconfig		diff \| blob \| blame \| history
security/integrity/ima/Makefile		diff \| blob \| blame \| history
security/integrity/ima/ima_mok.c	[new file with mode: 0644]	blob