From: Petko M. <pe...@mi...> - 2015-03-24 13:35:00

On 15-03-23 18:47:43, Mimi Zohar wrote:
> On Mon, 2015-03-23 at 16:43 +0200, Petko Manolov wrote:
> >
> > I've gotten the above to work. The question is, does this make sense:
> >
> > local-CA ----> IMA_key_1 (signed certificate (e.g. self-signed/CA 1))
> >    |
> >    |---> local-CA2 (on the .system keyring) ---> IMA_key_3 (signed cert/CA3)
> >
> > Here local-CA2 (that belongs to a trusted entity) is used to sign
> > IMA_key_3 (and possibly others), which in turn IMA uses to sign immutable
> > files.
>
> Assuming you trust all the keys on the system keyring, then any key on
> the system keyring can verify the certificate. Otherwise, use the
> "ca_keys=" boot command line option to specify the specific key.

Another useful option, thanks. BTW, where can I download these (MOK related) kernel patches from? Are they public?

Petko
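The hierarchy in the quoted diagram, as an added shell example that is not part of this thread: two self-signed local CAs each issue an IMA signing certificate, and `openssl verify` stands in for the kernel's certificate check, first trusting every CA on a modelled system keyring and then only one designated CA, which is the restriction the quoted "ca_keys=" option provides. File names, CNs and the req config are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: model the certificate hierarchy in
# Petko's diagram with openssl and show what restricting trust to one
# CA (the effect of ca_keys=) changes. Names and config are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the self-signed CA certs carry CA:TRUE.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF

gen_ca() {   # $1 = CA name -> $1.key, $1.crt (self-signed, like local-CA)
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$1" -days 365 2>/dev/null
}
gen_leaf() { # $1 = leaf name, $2 = issuing CA -> $1.key, $1.crt
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -out "$1.crt" -days 365 2>/dev/null
}
verify_leaf() { # $1 = leaf cert, $2 = trust bundle; exit 0 if chain validates
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The hierarchy from the diagram.
gen_ca local-CA;  gen_leaf IMA_key_1 local-CA
gen_ca local-CA2; gen_leaf IMA_key_3 local-CA2

# "Trust all keys on the system keyring": both CAs in one bundle.
cat local-CA.crt local-CA2.crt > system-keyring.pem
trust_all()  { verify_leaf "$1.crt" system-keyring.pem; }  # any keyring CA
trust_only() { verify_leaf "$1.crt" "$2.crt"; }            # one CA, ca_keys= style

trust_all  IMA_key_3           && echo "IMA_key_3: ok, every system key trusted"
trust_only IMA_key_3 local-CA2 && echo "IMA_key_3: ok, local-CA2 designated"
trust_only IMA_key_3 local-CA  || echo "IMA_key_3: rejected, only local-CA trusted"
```

The last line is the case the quoted reply warns about: with trust narrowed to local-CA alone, a certificate issued by local-CA2 no longer validates.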