integrity: Enforce digitalSignature usage in the ima and evm keyrings

After being vouched for by a system keyring, only allow keys into the .ima and .evm keyrings that have the digitalSignature usage field set. Link: https://lore.kernel.org/all/41dffdaeb7eb7840f7e38bc691fbda836635c9f9.camel@linux.ibm.com Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Acked-and-tested-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
author: Eric Snowberg <eric.snowberg@oracle.com> 2023-05-23 02:09:43 +0300
committer: Jarkko Sakkinen <jarkko@kernel.org> 2023-08-17 23:12:35 +0300
commit: 90f6f691a706754e33d2d0c6fa2e1dacedb477f6 (patch)
tree: 21f58a26b3370ff62708d5f18bb3b501180456fc /security/integrity/evm
parent: 4cfb908054456ad8b6b8cd5108bbdf80faade8cd (diff)
download: linux-90f6f691a706754e33d2d0c6fa2e1dacedb477f6.tar.xz
1 files changed, 2 insertions, 1 deletions
diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index a6e19d23e700..fba9ee359bc9 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -64,7 +64,8 @@ config EVM_LOAD_X509
 
 	   This option enables X509 certificate loading from the kernel
 	   onto the '.evm' trusted keyring.  A public key can be used to
-	   verify EVM integrity starting from the 'init' process.
+	   verify EVM integrity starting from the 'init' process. The
+	   key must have digitalSignature usage set.
 
 config EVM_X509_PATH
 	string "EVM X509 certificate path"
author	Eric Snowberg <eric.snowberg@oracle.com>	2023-05-23 02:09:43 +0300
committer	Jarkko Sakkinen <jarkko@kernel.org>	2023-08-17 23:12:35 +0300
commit	90f6f691a706754e33d2d0c6fa2e1dacedb477f6 (patch)
tree	21f58a26b3370ff62708d5f18bb3b501180456fc /security/integrity/evm
parent	4cfb908054456ad8b6b8cd5108bbdf80faade8cd (diff)
download	linux-90f6f691a706754e33d2d0c6fa2e1dacedb477f6.tar.xz