On Sat, 2021-05-01 at 15:49 -0700, Linus Torvalds wrote:

On Wed, Apr 28, 2021 at 6:47 AM Mimi Zohar [off-list ref] wrote:

quoted

In addition to loading the kernel module signing key onto the builtin
keyring, load it onto the IMA keyring as well.

This clashed pretty badly with the other cert changes.

I think the end result looks nice and clean (the cert updates mesh
well with the _intention_ of your code, just not with the
implementation), but you should really double-check that I didn't mess
anything up in the merge and whatever test-case you have for IMA still
works.

I only verified that the kernel module signing key still works for
modules - no IMA test-case.

I'm really sorry I forgot to mention in the pull request that Stephen
was carrying a merge conflict fix.  Everything looks good.  I tested
it, making sure that the kernel module signing key is loaded onto the
builtin and/or IMA keyrings properly.

thanks,

Mimi