meta-integrity/README.md: update

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

1 files changed, 14 insertions, 15 deletions

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 9525227..4d73c38 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -97,14 +97,16 @@ The custom external IMA policy file is eventually installed to `/etc/ima_policy`
 in initramfs.
 
 ##### IMA certificate & private Key
-The private key come in two flavors; one used by an installer to sign all
-regular files in rootfs and one used by RPM to re-sign the executable, shared
-library, kernel module and firmware during RPM installation. Correspondingly,
-the IMA certificate is used to verify the IMA signature signed by the private
-key.
+The private key come in two flavors; one used to sign all regular files in
+rootfs and one used by RPM to re-sign the executable, shared library, kernel
+module and firmware during RPM installation. Correspondingly, the IMA
+certificate is used to verify the IMA signature signed by the private key.
 
 In addition, initramfs is a good place to import the IMA certificate likewise.
 
+Note that the IMA certificate must be signed by the system trusted key by
+design. This guarantees the imported IMA certificate is always trustworthy.
+
 ###### The default IMA certificate & private key
 The default IMA certificate & private key are generated by the build system. By
 default, the sample keys are used for the purpose of development and
@@ -150,25 +152,22 @@ The following best practices should be applied with using IMA.
 
   To fix the failure, manually re-sign the affected file.
 
-  Note: RPM installation violates the IMA appraisal but its post_install
-  operation will always re-sign the affected files.
-
 - Overwriting an existing file with the same content is deemed as tampering of
   the file.
 
 - The default IMA rules provides the ability of measuring the boot components
   and calculating the aggregate integrity value for attesting. However, this
   function conflicts with encrypted-storage feature which employs PCR policy
-  session to retrieve the passphrase in a safe way. If the installer enables
-  both of them, the default IMA rules will be not used.
+  session to retrieve the passphrase in a safe way. If both of them are
+  enabled, the default IMA rules will be not used.
 
 ### Reference
-[IMA wiki page](https://sourceforge.net/p/linux-ima/wiki/Home/)
+[Official IMA wiki page](https://sourceforge.net/p/linux-ima/wiki/Home/)
 
-[OpenEmbedded layer for EFI Secure Boot](https://github.com/jiazhang0/meta-efi-secure-boot)
+[OpenEmbedded layer for EFI Secure Boot](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-efi-secure-boot)
 
-[OpenEmbedded layer for signing key management](https://github.com/jiazhang0/meta-signing-key)
+[OpenEmbedded layer for signing key management](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-signing-key)
 
-[OpenEmbedded layer for TPM 1.x](https://github.com/jiazhang0/meta-tpm)
+[OpenEmbedded layer for TPM 1.x](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-tpm)
 
-[OpenEmbedded layer for TPM 2.0](https://github.com/jiazhang0/meta-tpm2)
+[OpenEmbedded layer for TPM 2.0](https://github.com/jiazhang0/meta-secure-core/tree/master/meta-tpm2)