Mimi Zohar <zo...@linux.vnet.ibm.com> wrote: > The only place where "KEY_ALLOC_BYPASS_RESTRICTION" is specified is in > load_system_certificate_list(), when adding keys to > the .builtin_trusted_keys keyring. There is no other set of keys > builtin and added to the IMA keyring.
Are the keys loaded by integrity_load_x509() required to be validly signed by the builtin/secondary keys? Or is that unnecessary given that they are loaded and thus protected through integrity_read_file()? David
