summaryrefslogtreecommitdiff
path: root/include/keys
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2016-04-06 16:14:27 +0100
committerDavid Howells <dhowells@redhat.com>2016-04-11 22:48:09 +0100
commitd3bfe84129f65e0af2450743ebdab33d161d01c9 (patch)
tree37d567ed647f869e6a01cddcb40ec67b716204e0 /include/keys
parent77f68bac9481ad440f4f34dda3d28c2dce6eb87b (diff)
certs: Add a secondary system keyring that can be added to dynamically
Add a secondary system keyring that can be added to by root whilst the system is running - provided the key being added is vouched for by a key built into the kernel or already added to the secondary keyring. Rename .system_keyring to .builtin_trusted_keys to distinguish it more obviously from the new keyring (called .secondary_trusted_keys). The new keyring needs to be enabled with CONFIG_SECONDARY_TRUSTED_KEYRING. If the secondary keyring is enabled, a link is created from that to .builtin_trusted_keys so that the the latter will automatically be searched too if the secondary keyring is searched. Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'include/keys')
-rw-r--r--include/keys/system_keyring.h9
1 files changed, 9 insertions, 0 deletions
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index c72330ae76df..614424029de7 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -24,6 +24,15 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring,
#define restrict_link_by_builtin_trusted restrict_link_reject
#endif
+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+extern int restrict_link_by_builtin_and_secondary_trusted(
+ struct key *keyring,
+ const struct key_type *type,
+ const union key_payload *payload);
+#else
+#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
+#endif
+
#ifdef CONFIG_IMA_MOK_KEYRING
extern struct key *ima_mok_keyring;
extern struct key *ima_blacklist_keyring;