Permit keys validly signed by a built-in, machine (if configured) or secondary

configname: CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY

Linux Kernel Configuration
└─>Security options
└─>Permit keys validly signed by a built-in, machine (if configured) or secondary
In linux kernel since version 3.10 (release Date: 2013-06-30)  
Keys may be added to the IMA or IMA blacklist keyrings, if the
key is validly signed by a CA cert in the system built-in,
machine (if configured), or secondary trusted keyrings. The
key must also have the digitalSignature usage set.

Intermediate keys between those the kernel has compiled in and the
IMA keys to be added may be added to the system secondary keyring,
provided they are validly signed by a key already resident in the
built-in, machine (if configured) or secondary trusted keyrings.