path: root/crypto/asymmetric_keys
diff options
authorPetko Manolov <>2015-12-02 17:47:55 +0200
committerMimi Zohar <>2015-12-15 10:01:43 -0500
commit41c89b64d7184a780f12f2cccdabe65cb2408893 (patch)
tree2f4b10b186e186bd70be5fea18c8423334ab831d /crypto/asymmetric_keys
parent38d859f991f3a05b352a06f82af0baa1acf33e02 (diff)
IMA: create machine owner and blacklist keyrings
This option creates IMA MOK and blacklist keyrings. IMA MOK is an intermediate keyring that sits between .system and .ima keyrings, effectively forming a simple CA hierarchy. To successfully import a key into .ima_mok it must be signed by a key which CA is in .system keyring. On turn any key that needs to go in .ima keyring must be signed by CA in either .system or .ima_mok keyrings. IMA MOK is empty at kernel boot. IMA blacklist keyring contains all revoked IMA keys. It is consulted before any other keyring. If the search is successful the requested operation is rejected and error is returned to the caller. Signed-off-by: Petko Manolov <> Signed-off-by: Mimi Zohar <>
Diffstat (limited to 'crypto/asymmetric_keys')
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 2a44b3752471..9e9e5a6a9ed6 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -321,6 +321,8 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
goto error_free_cert;
} else if (!prep->trusted) {
ret = x509_validate_trust(cert, get_system_trusted_keyring());
+ if (ret)
+ ret = x509_validate_trust(cert, get_ima_mok_keyring());
if (!ret)
prep->trusted = 1;