Message ID | 20230711164447.714035-1-nayna@linux.ibm.com (mailing list archive)
---|---
State | New, archived
Series | ima: Remove deprecated IMA_TRUSTED_KEYRING
On Tue, 2023-07-11 at 12:44 -0400, Nayna Jain wrote:
> Time to remove "IMA_TRUSTED_KEYRING".
>
> Fixes: f4dc37785e9b ("integrity: define '.evm' as a builtin 'trusted' keyring") # v4.5+
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>

Thanks, Nayna. The patch is now queued in next-integrity-testing.
Hello,

There are two Kconfigs that depend on IMA_TRUSTED_KEYRING: IMA_LOAD_X509 and IMA_BLACKLIST_KEYRING. Removing IMA_TRUSTED_KEYRING makes them unreachable. Should they be removed too or should the dependency clauses be removed?
On 9/19/23 03:32, Oleksandr Tymoshenko wrote:
> Hello,
>
> There are two Kconfigs that depend on IMA_TRUSTED_KEYRING:
> IMA_LOAD_X509 and IMA_BLACKLIST_KEYRING. Removing IMA_TRUSTED_KEYRING
> makes them unreachable. Should they be removed too or should
> the dependency clauses be removed?
>

Thanks Oleksandr for noticing this. Since IMA_TRUSTED_KEYRING is deprecated in favor of INTEGRITY_TRUSTED_KEYRING, I think the dependency clause should be updated to use INTEGRITY_TRUSTED_KEYRING.

Thanks & Regards,
- Nayna
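The dangling-dependency problem raised in the two messages above (a symbol removed while other entries still `depends on` it) is easy to catch mechanically before a patch is sent. The following script is an added example, not part of the patch or of the thread: it scans a Kconfig tree for symbols that appear in `depends on` or `select` expressions but are never defined by a `config` or `menuconfig` entry. The sample tree it builds is a constructed, simplified stub of the post-patch state (the real kernel Kconfig text is not reproduced); the only page-derived facts in it are the symbol names IMA_TRUSTED_KEYRING, IMA_LOAD_X509, IMA_BLACKLIST_KEYRING and INTEGRITY_TRUSTED_KEYRING.

```shell
#!/bin/sh
# Added example, not part of the patch or the thread: report Kconfig symbols
# that are referenced by "depends on" / "select" but never defined by a
# "config" or "menuconfig" entry under the directories given. Parsing is
# line-oriented and deliberately simple (no expression grammar).

# Usage: kconfig_dangling DIR...   -> prints one undefined symbol per line
kconfig_dangling() {
    tmp=$(mktemp -d)
    # Defined symbols: the word following "config" or "menuconfig".
    find "$@" -name 'Kconfig*' -type f -exec \
        grep -hE '^[[:space:]]*(menu)?config[[:space:]]+[A-Za-z0-9_]+' {} + \
        | awk '{print $2}' | sort -u > "$tmp/defined"
    # Referenced symbols: every upper-case token in a "depends on" or "select"
    # line. Keywords (depends, on, select, if, y, m) are lower-case, so they are
    # never picked up; a token must contain at least one letter or underscore
    # so that values such as "=2" are ignored while "64BIT" is kept whole.
    find "$@" -name 'Kconfig*' -type f -exec \
        grep -hE '^[[:space:]]*(depends on|select)[[:space:]]' {} + \
        | grep -oE '[A-Z0-9_]*[A-Z_][A-Z0-9_]*' | sort -u > "$tmp/referenced"
    # Report every reference that has no matching definition.
    while read -r sym; do
        grep -qxF "$sym" "$tmp/defined" || printf '%s\n' "$sym"
    done < "$tmp/referenced"
    rm -rf "$tmp"
}

# Constructed sample tree modelled on the post-patch state: the IMA file no
# longer defines IMA_TRUSTED_KEYRING, but two entries still depend on it.
# The prompts and the certs/Kconfig file are stubs, not the kernel's text.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/certs" "$root/security/integrity/ima"
    cat > "$root/certs/Kconfig" <<'EOF'
config SYSTEM_TRUSTED_KEYRING
    bool "constructed stub"

config INTEGRITY_TRUSTED_KEYRING
    bool "constructed stub"
    depends on SYSTEM_TRUSTED_KEYRING
EOF
    cat > "$root/security/integrity/ima/Kconfig" <<'EOF'
menuconfig IMA
    bool "constructed stub"

config IMA_APPRAISE
    bool "constructed stub"
    depends on IMA

config IMA_LOAD_X509
    bool "constructed stub"
    depends on IMA_TRUSTED_KEYRING

config IMA_BLACKLIST_KEYRING
    bool "constructed stub"
    depends on IMA_TRUSTED_KEYRING
    select INTEGRITY_TRUSTED_KEYRING
EOF
    printf '%s\n' "$root"
}

# Stand-alone run: build the sample tree and list its dangling references.
root=$(make_sample_tree)
kconfig_dangling "$root"    # prints IMA_TRUSTED_KEYRING
rm -rf "$root"
```

Run it against the whole source tree (for example `kconfig_dangling .` from the kernel root), not just `security/integrity/ima`, since symbols such as SYSTEM_TRUSTED_KEYRING are defined in other directories and would otherwise be reported as false positives. Symbols that are legitimately undefined on some architectures will also show up; the list is a review aid, not a hard failure.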
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 60a511c6b583..c17660bf5f34 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -248,18 +248,6 @@ config IMA_APPRAISE_MODSIG The modsig keyword can be used in the IMA policy to allow a hook to accept such signatures. -config IMA_TRUSTED_KEYRING - bool "Require all keys on the .ima keyring be signed (deprecated)" - depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING - depends on INTEGRITY_ASYMMETRIC_KEYS - select INTEGRITY_TRUSTED_KEYRING - default y - help - This option requires that all keys added to the .ima - keyring be signed by a key on the system trusted keyring. - - This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING - config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" depends on SYSTEM_TRUSTED_KEYRING
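Review bot: deleting the `config IMA_TRUSTED_KEYRING` entry leaves any `depends on IMA_TRUSTED_KEYRING` clause elsewhere in this Kconfig pointing at a symbol that no longer exists (the thread names IMA_LOAD_X509 and IMA_BLACKLIST_KEYRING), so those options become unselectable; the same patch should switch them to `depends on INTEGRITY_TRUSTED_KEYRING`, as proposed in the thread. Note also that the removed entry carried `select INTEGRITY_TRUSTED_KEYRING` with `default y`, so existing configurations that only got INTEGRITY_TRUSTED_KEYRING through that implicit select will now need to enable it explicitly; the commit message should call this out.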
Time to remove "IMA_TRUSTED_KEYRING".

Fixes: f4dc37785e9b ("integrity: define '.evm' as a builtin 'trusted' keyring") # v4.5+
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 security/integrity/ima/Kconfig | 12 ------------
 1 file changed, 12 deletions(-)