From: Eric Snowberg
To: zohar@linux.ibm.com
Cc: dmitry.kasatkin@gmail.com, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, eric.snowberg@oracle.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 1/2] ima: Reword IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
Date: Mon, 6 Nov 2023 18:06:25 -0500
Message-Id: <20231106230626.2730342-2-eric.snowberg@oracle.com>
In-Reply-To: <20231106230626.2730342-1-eric.snowberg@oracle.com>
References: <20231106230626.2730342-1-eric.snowberg@oracle.com>

When the machine keyring is enabled, it may be used as a trust source for the .ima keyring. Add a reference to this in IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.

Signed-off-by: Eric Snowberg
--- security/integrity/ima/Kconfig | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index a6bd817efc1a..a0a767dc5c04 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig 
@@ -243,7 +243,7 @@ config IMA_APPRAISE_MODSIG to accept such signatures. =20 config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY - bool "Permit keys validly signed by a built-in or secondary CA cert (EXPE= RIMENTAL)" + bool "Permit keys validly signed by a built-in, machine (if configured) o= r secondary (EXPERIMENTAL)" depends on SYSTEM_TRUSTED_KEYRING depends on SECONDARY_TRUSTED_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS 
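Review bot: the new prompt on the `+` line ends at "or secondary" with no noun, where the string it replaces said "a built-in or secondary CA cert", so a menuconfig reader can no longer tell what kind of object is doing the signing. Suggest keeping the noun, for example "Permit keys validly signed by a built-in, machine (if configured) or secondary CA cert", which also matches the "validly signed by a CA cert" wording in the help text. The `depends on` lines are unchanged, which is consistent with the "(if configured)" qualifier.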
@@ -251,14 +251,14 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECON= DARY default n help Keys may be added to the IMA or IMA blacklist keyrings, if the - key is validly signed by a CA cert in the system built-in or - secondary trusted keyrings. The key must also have the - digitalSignature usage set. + key is validly signed by a CA cert in the system built-in, + machine (if configured), or secondary trusted keyrings. The + key must also have the digitalSignature usage set. =20 Intermediate keys between those the kernel has compiled in and the IMA keys to be added may be added to the system secondary keyring, provided they are validly signed by a key already resident in the - built-in or secondary trusted keyrings. + built-in, machine (if configured) or secondary trusted keyrings. =20 config IMA_BLACKLIST_KEYRING bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)" --=20 2.39.3
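Review bot: "machine (if configured)" in both help paragraphs does not say which option configures the machine keyring, so someone reading this help cannot tell whether their build gains the extra trust source for the .ima keyring that the commit message describes. Suggest naming the Kconfig symbol that enables the machine keyring at its first mention in the help text. Minor style point: the first paragraph writes "machine (if configured), or secondary" and the second "machine (if configured) or secondary"; use one comma style in both.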

From: Eric Snowberg
To: zohar@linux.ibm.com
Cc: dmitry.kasatkin@gmail.com, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, eric.snowberg@oracle.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 2/2] ima: Remove EXPERIMENTAL from Kconfig
Date: Mon, 6 Nov 2023 18:06:26 -0500
Message-Id: <20231106230626.2730342-3-eric.snowberg@oracle.com>
In-Reply-To: <20231106230626.2730342-1-eric.snowberg@oracle.com>
References: <20231106230626.2730342-1-eric.snowberg@oracle.com>

Remove the EXPERIMENTAL from the IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY Kconfig now that digitalSignature usage enforcement is set.

Signed-off-by: Eric Snowberg
link: https://lore.kernel.org/all/20230508220708.2888510-4-eric.snowberg@oracle.com/
Acked-by: Jarkko Sakkinen
Reviewed-by: Mimi Zohar
--- security/integrity/ima/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index a0a767dc5c04..b98bfe9efd0c 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -243,7 +243,7 @@ config IMA_APPRAISE_MODSIG to accept such signatures. =20 config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY - bool "Permit keys validly signed by a built-in, machine (if configured) o= r secondary (EXPERIMENTAL)" + bool "Permit keys validly signed by a built-in, machine (if configured) o= r secondary" depends on SYSTEM_TRUSTED_KEYRING depends on SECONDARY_TRUSTED_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS --=20 2.39.3
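Review bot: only the IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY prompt loses "(EXPERIMENTAL)" here, while the subject reads "Remove EXPERIMENTAL from Kconfig" and the IMA_BLACKLIST_KEYRING prompt shown as context in patch 1/2 still carries the tag. Either name the option in the subject line or say in the commit message that the blacklist keyring option is meant to stay experimental. With the tag gone the prompt now ends at "or secondary", so the missing noun from 1/2 becomes the final user-visible wording.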