Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp5834638pxb; Mon, 14 Feb 2022 08:40:09 -0800 (PST) X-Google-Smtp-Source: ABdhPJxO8dFdG20tFxykelUpT1hU2B3qx/Q+GJ8wiPXYSP5iF3vicGwK3AV+wfddilW0zfkTn7FK X-Received: by 2002:a62:5b02:: with SMTP id p2mr270601pfb.29.1644856809069; Mon, 14 Feb 2022 08:40:09 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1644856809; cv=pass; d=google.com; s=arc-20160816; b=pay+i2UCi4TFgep3Qtn3c3tyIxB2M4jC+GTx98nXQpXJA0rwXVoQAStyaYwspOoOts A9XJQDOHFargVZGIfUW54Mt3V5BnMjmHUNtDIkbZGUYkoLxWlBXamLjGIAl77/tgtoEQ Zj2NhroJ02+xRGuvTN27oDqEaDxYBDBE5mx9udn1sTJX5m3hN3fVZwPMHRuQuRQ6F5yV 0DmVyteBzCcn6Z07yVAK6nMb3yRQjH1TLiR8LfhQ4hMVs58UO3uLJ6vGXroBWBq9XaS0 eAMTADcq6DiBo+rZSUiVFpTduCos1Qo2f9WC45acEY1QsqJtomF7OJ/bSCYI1KQ0u2LH ZcUA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:dkim-signature:dkim-signature; bh=daekriFGJO7mFmYQrwCc1Qi169r+P5nIdd54i7kIWyI=; b=k5V2ElM/Ld6fdoHFyRw/R4fP4T7B4om0ILhR6D4cJ0NGKy0RUZALQPKh76LpX3ZS7O uFFKtGq0afOui6hQ65WhHH/ZM0b6fCTNovxwuXzdpbyrtcBcyuu3txq9MZb4GQcfQrdA PBHWWUUo+C+4VNEKFDiw3/E61a5j8H4D3K/nM88zlon2Q98oyJbpZ4z3088Rwzebtciz nbG9HzZ/q34KOzpG0vCOC8bYBFs3rAHusjwWaq8/GAvoxUIOR0/S8tV+jscczUlqNQ8C hcmCq6QcmaahBRz+t/AaQFaaBBxl3BbowCx+8mB0piBkcpzlJZ6yi7t3Wj1rGLPuoioB rehg== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2021-07-09 header.b=BzcjmHhR; dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=xeuYpwTE; arc=pass (i=1); spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id e1si12198473pjm.55.2022.02.14.08.39.46; Mon, 14 Feb 2022 08:40:09 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2021-07-09 header.b=BzcjmHhR; dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=xeuYpwTE; arc=pass (i=1); spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353323AbiBNMnY (ORCPT + 99 others); Mon, 14 Feb 2022 07:43:24 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:37648 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1353378AbiBNMnW (ORCPT ); Mon, 14 Feb 2022 07:43:22 -0500 Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EAFE249279; Mon, 14 Feb 2022 04:43:14 -0800 (PST) Received: from pps.filterd (m0246631.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 21EARqrF021223; Mon, 14 Feb 2022 12:42:14 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : in-reply-to : references : date : message-id : content-type : mime-version; s=corp-2021-07-09; bh=daekriFGJO7mFmYQrwCc1Qi169r+P5nIdd54i7kIWyI=; b=BzcjmHhRwdgl77r32VMOwmNC2w5y1ksb9cCrgr1dlQSapttTAVJndipuzXCouaG0YPIc 2Y1ZR/XlEsGHRewjGRWcVrcdUpksZnIdkTF3wdRzMkSYMCzvJX4Z4lrnX/C7juVuja3e W7iQ4CqFEqBfYst4OEZWBayqIYFKJBeiZZPahk5K3ZrhGmKGshHVwAWQOiHPB5zp3zec z12iaqw9efDPMbLLgowql/XGPdS53QaoH4zdy1cfV3I5kHjeANXYlLhdiISJs6pkDhU7 +c1VKXw5BB7JfxfcvLpkUiVF3bx3RwoBBzD0RKahfJr2Dp2bE8o+juWYRzVXKUizWvhC aA== Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by mx0b-00069f02.pphosted.com with ESMTP id 3e63p24ens-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 14 Feb 2022 12:42:14 +0000 Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.1.2/8.16.1.2) with SMTP id 21ECePXn159179; Mon, 14 Feb 2022 12:42:13 GMT Received: from nam10-mw2-obe.outbound.protection.outlook.com (mail-mw2nam10lp2107.outbound.protection.outlook.com [104.47.55.107]) by aserp3030.oracle.com with ESMTP id 3e62xd1r0p-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 14 Feb 2022 12:42:13 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MmU6x5IFj5sr9LZpKE5XuKLVoOIi0fICW/up0nmzpqjhAj9zfPhKbYEtcNiV4pjoFPXwII20j1+S5d3nR8S4NJeoV7FVqswzxEiZ+68kEhcYYO8L2c2smAKfRsoEJvd1gBAUfTBNZVmNzx+t63Hdd8d0X3fgg/wPHnGdK9IMGU7+Djd5pPPBY9/3Kb8lvTngOQCf0ZqF5lYr1aseySzTXeuzR/LaQa7ABINUz+18FcTAvv1pFUFzTmr5ES6A7IRkK7Si5cvDavKviSaQyEBKvBsh3wk/pJrlamCTcQ3MJjKbVWFE5XfIBTNnS8BXTk6x//lwbTOZ0TQDlOeyjA3p9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=daekriFGJO7mFmYQrwCc1Qi169r+P5nIdd54i7kIWyI=; b=N4pS/eMYV2CZOD9sOkSRIswJIE/LRImtc3K2WHL85Q8TGN2WgYEcUZCkD2bhDHG3dZg6pbdqUPX5G74A0wRLLIxHvVLjmqNHJ4CQ4Y28iq3+2fpQBKrS5e6G+VgDaqDsiX8pwpsC15VJS79GeplqkQPrVA0tO0Zhwm+A5Rw0YA5cTh+EjvNTfAr0N6Lu7sLaBwrAr/lA/xQFZoIg4soLDGwiY9vpBJt18/6I629UY34AAQxMLAp5frBRTLl9wFeDsvcIrXcZC+bpJ9ws1m9uWZNZnTSM5nPl0IEeo+OnlBYTqt9JFoorVssQROduQf18aPXHEDog5Svp5a/pHdhVSQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=daekriFGJO7mFmYQrwCc1Qi169r+P5nIdd54i7kIWyI=; b=xeuYpwTE4ACeaT/diparUujge4S8BZFRMwGxPZvQZQ2vB8guiJSMC5JbKs0uM/ZlGHtK6+2MWlTAfHuD3kIYs5t5DnLCkPUIYFBXgTU3AHM62nd1oEmDQcqn8klxQT91RUVSp1HC+s3s1TtbQrDprdZ6dRH48xmNrJ/ROAI4Gn0= Received: from BLAPR10MB5138.namprd10.prod.outlook.com (2603:10b6:208:322::8) by CH2PR10MB4133.namprd10.prod.outlook.com (2603:10b6:610:a6::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4975.19; Mon, 14 Feb 2022 12:42:09 +0000 Received: from BLAPR10MB5138.namprd10.prod.outlook.com ([fe80::e1b9:9813:d7a8:8d30]) by BLAPR10MB5138.namprd10.prod.outlook.com ([fe80::e1b9:9813:d7a8:8d30%5]) with mapi id 15.20.4975.019; Mon, 14 Feb 2022 12:42:09 +0000 From: Darren Kenny To: Eric Snowberg , keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, torvalds@linux-foundation.org, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, jason@zx2c4.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, konrad.wilk@oracle.com Subject: Re: [PATCH v8 07/17] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca In-Reply-To: <20211124044124.998170-8-eric.snowberg@oracle.com> References: <20211124044124.998170-1-eric.snowberg@oracle.com> <20211124044124.998170-8-eric.snowberg@oracle.com> Date: Mon, 14 Feb 2022 12:42:04 +0000 Message-ID: Content-Type: text/plain X-ClientProxiedBy: DU2PR04CA0357.eurprd04.prod.outlook.com (2603:10a6:10:2b4::32) To BLAPR10MB5138.namprd10.prod.outlook.com (2603:10b6:208:322::8) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 3397007f-33ef-4f7c-330d-08d9efb76a63 X-MS-TrafficTypeDiagnostic: CH2PR10MB4133:EE_ X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:6108; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: VW8H7sMSg/EyyxFIyiphtEzUBsUGfICDZ/km7XxhRMHhiPJYZ9a/dj54REv/xv1DmAN/aRhtfJC2dfSar3MYCxfCXBERtcbOebdIEEtcWOg9B7yQ1v9cP7FBzjDNjYZYejXMi0o76CSNOmnEs7WWjcOac+6Rl4HpcFYVYNpDWdYzyhRoBHT5rnVfpvfukBD+VvmoSbteWT6ZSWzRRuGlHr9yFhVpy8ETtymyLJ8QgKiVI2quZ/Vxbi6ZUjtmPrUoVcFZ8fH1l+MtjKrUOYU3IpFjcboPs5oDJJp4GtSw05evlHG9xNksMcQeZ8Gyj7lkSKdhb/1mPttbKBtGo4xK6T2gVGgeuzA9W2BIk/KypqmaA+LWrAvQseIEoKcsDCG8Ml0zi+cdZYdo9BxvEUq0hObOvkV7XAbNaQvNZjRZDA0gzwXVk/y6rh75/qGm1Fw2NgM29mH0NH+cuZt+xiPDJem8qVxJrOKrr5q6JCXQ7A7pNlEWiTK556kNsfC3GilvCHC6pKWHr8Q9KqPttYexU3/vaVPX9oPu5RkZ0BvuL9kbqOM4Lw0Ms43gLsUb8jf1IPwqWBdIlVlLZadH6XmB9xM1jNOcusKrZDqiSldzC0XPke/yMauU1koApAfMP5by2ot3dBaUz4jlbCUXPYSyXuV/CcW/YcN71fbQKmAh6ThJR3Ypb+Oaf6s6BxOW3o+vskh/wkemUjbruGCpJkHYWrsjfGAMqo1sPCb/UIWdd3A= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BLAPR10MB5138.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230001)(366004)(6506007)(316002)(508600001)(6486002)(83380400001)(6666004)(86362001)(6512007)(5660300002)(26005)(186003)(44832011)(2906002)(4001150100001)(2616005)(36756003)(107886003)(4326008)(8676002)(66476007)(66556008)(52116002)(921005)(38100700002)(66946007)(38350700002)(8936002)(7416002);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?6RtZ3J8vKJeJASZ2qsoItvy4dNoktqN5UhIZa561h5+3zVQq+mNDCPw85Fvc?= =?us-ascii?Q?I+9eTEiHPblSGp3VFhFCU7I2fEaT0ByufNjrwSWYq2dPg9KPhWTT7RlFvDgo?= =?us-ascii?Q?oXbSIL7HIxdFYz+R8X/vakjFkOUGE7oK9MAF7YO1SQIFAeiySbUtIJjZIGiu?= =?us-ascii?Q?M27Oe4vqxdZK++Y1flaVBj0nxi9jCDtBiejJ3Ecm8F9c1x0vmnygfy7v7fd3?= =?us-ascii?Q?OrUMajLM0pjI9Zhp0/kpBnPfyFWZan5ooLyvzfqByH1L7++clQrdLGXrIdo3?= =?us-ascii?Q?rC3qioaWwrdPVnxWRcnRvzoXcBJ9VEehQr14o8RqbApRaJTqoPSdUNj655xP?= =?us-ascii?Q?McTmI3YL9PHpXwegecCM3yZS2oUAAz5xIVFHmOFQOIqiNVxur+mez6LPGGI/?= =?us-ascii?Q?FWlTg2lWiVaJOMxePzSPoCxmUKg5G98eUi8HWL2ZzPL21UCNWXZXh0bb8K1L?= =?us-ascii?Q?w0B9bOSNIwaTQpvgCacRkWVC3iVLdMMFvFiwo6btRIYp34pVWU8uFP4uGBv5?= =?us-ascii?Q?hORPZD8ykHOyV1Z/V8lmxmyXqKR+TdHASX790wv9agGtQZP5sk9/jsLHFzTy?= =?us-ascii?Q?Gb6Hir0VBWnXJhv0ki/BKRs6NyRBtVW0CCz4CqyMXPPwI0iRb+ddxqOFgvSA?= =?us-ascii?Q?0npEl5iTE3LLdHUBstaU80RJBhownZBBkYXrPVoZTzfuLJg2vvvcHpPqdKKp?= =?us-ascii?Q?ARxiCVwE1VgY07ke/w7Yqa5OtW4/4V2CQ9RuuU94P05QDALAhg/0yoSg+16q?= =?us-ascii?Q?1lYrrZOEf2++je0+xQ8hJgM2hEt+heZTVxjqy0WYS2QBKbtnu5L6fTmY9CgB?= =?us-ascii?Q?CRTiUppyWt/1ow1kDAtprtozKLx+AdSnHwmhRn72nXVttKBLrSgkiHDgsm5w?= =?us-ascii?Q?YTU5+iTegjkScY7ck8Zr7y3bh1wjOUeF3QMGLmhr9RGvvNgtvgCCcyBuS+JQ?= =?us-ascii?Q?I3G0IrIIb0WyhIUBIPTxJC/9Hcf+c6HpJXyzDLJoFc0ea5bbVpzlfIXq8IGY?= =?us-ascii?Q?b4NR3BFSu1bUdGkyvyw5dH6l5FTHIwQu+U68T73nQJzYFMa2rlPtsfP1tE/Z?= =?us-ascii?Q?125NUTa5GaerTRB+W/+vOL3cYs+664Y2PYIqH7fTJl//6QE0z2u462RAgV6d?= =?us-ascii?Q?tHPPHWZ0d69E2p+re/VJWyVeuqy4FDuZvehVDO8aq9x2d/D3enQ/gH3AL24K?= =?us-ascii?Q?PnH6LYIBdu88KdRY/FSZfWt2H75NgBGRJ/wTTErGaf4vSLrifVW/CO/ENUzp?= =?us-ascii?Q?bIQrwFHiDYOcyqyxTy5uBuRSwPR4ngzC4b8JdiV4hVCzu91Bx61rMa/UNVvQ?= =?us-ascii?Q?SjKY2UWaVJZXAlLD2kRFe51L4kr4VvIL7F9XU0DV1oJ2Tf9tZnF/NvMHUqIH?= =?us-ascii?Q?ZJE81O/q1lJO0fSxg+Dj6EEs3iBC7uYY32UX7EMjoJPHJfnMuHedwY9SR951?= =?us-ascii?Q?2UDbOSlgTNMGCAy/oG8ZaCa+CtJ4EEAhX4/F0pxwlVC8AqLUTROMkz8aEy57?= =?us-ascii?Q?Py4dBFhKRQLR7iwrFGa4qI+A8tFLvE68ssnChdeIGSpFBNzcWAW9k4HEPT2x?= =?us-ascii?Q?mT6xjeX6D97M4m6+KRrteqSgmwGECwsdCF3JFRaIrRyrovgOMKrDepP7mv+L?= =?us-ascii?Q?p3IickMWbjAFiD2FD6JYctY=3D?= X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: 3397007f-33ef-4f7c-330d-08d9efb76a63 X-MS-Exchange-CrossTenant-AuthSource: BLAPR10MB5138.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Feb 2022 12:42:09.6324 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: OtAMGUWJ4bEXovswJWWETv8eayaQbGsVMdeJcWOleFpWrIlBjMbMUvkI/Lauu59g7KwYAvdRycp7tZg1gLWLwQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR10MB4133 X-Proofpoint-Virus-Version: vendor=nai engine=6300 definitions=10257 signatures=673431 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 phishscore=0 bulkscore=0 malwarescore=0 adultscore=0 spamscore=0 mlxlogscore=999 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2201110000 definitions=main-2202140077 X-Proofpoint-ORIG-GUID: XBoZB23hP8yr8X7ONFW7_sz8bF1hzhmd X-Proofpoint-GUID: XBoZB23hP8yr8X7ONFW7_sz8bF1hzhmd X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Tuesday, 2021-11-23 at 23:41:14 -05, Eric Snowberg wrote: > Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to > restrict_link_by_ca. This will only allow CA keys into the machine > keyring. > > Signed-off-by: Eric Snowberg Reviewed-by: Darren Kenny > --- > v1: Initial version > v2: Added !IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING check so mok > keyring gets created even when it isn't enabled > v3: Rename restrict_link_by_system_trusted_or_ca to restrict_link_by_ca > v4: removed unnecessary restriction->check set > v5: Rename to machine keyring > v6: split line over 80 char (suggested by Mimi) > v8: Unmodified from v6 > --- > security/integrity/digsig.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c > index 910fe29a5037..e7dfc55a7c55 100644 > --- a/security/integrity/digsig.c > +++ b/security/integrity/digsig.c > @@ -132,14 +132,18 @@ int __init integrity_init_keyring(const unsigned int id) > goto out; > } > > - if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING)) > + if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) && > + id != INTEGRITY_KEYRING_MACHINE) > return 0; > > restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL); > if (!restriction) > return -ENOMEM; > > - restriction->check = restrict_link_to_ima; > + if (id == INTEGRITY_KEYRING_MACHINE) > + restriction->check = restrict_link_by_ca; > + else > + restriction->check = restrict_link_to_ima; > > /* > * No additional keys shall be allowed to load into the machine > -- > 2.18.4