e6f0bf09f0
-----BEGIN PGP SIGNATURE----- iQJIBAABCAAyFiEEjSMCCC7+cjo3nszSa3kkZrA+cVoFAmCIuMgUHHpvaGFyQGxp bnV4LmlibS5jb20ACgkQa3kkZrA+cVqCew//SHwZ3LuqZUyqX1lCeW0eUsJQmf9P Rc++pK5+cigaYwg/LpLXBtIthOO91KJ+p4UrXIttlz6wRWqH5Enm/nQk3ngIIrWJ g4HsU4LoXeE5V1QZgDdUWM+ViaNvZuzT8enaUt4VvelHTRMoAgeTu7/amjx01t9L R8Qhmg2tBI5ehRgocNfEApNfaDyOcJhR14wAnGFhQH1pH2o0e+O+L5E6ke3Z2N0D oa9LBkA2wZFlTXkYHAYBdZjPW0BXX55brIusLHhrvFC16Ad9IVwcxRvRwYy4v2IK p8kO7EwGO4IkqsuL6FApgbW8/dTZXo3pD8YmplXhQdvAd9L/LshYhDePX7UsEp+O CL3rFvNFzZKC5qTx0UXLqjcktosOLTTFkAzRMg5taTljbTWBp9ziI8X0nTgoThLH fTs41Ol5v5veiq8JbZ1VixCoDJVOWtED/FuSZD41OyXJb7yGNpTnmvP6QJNIa1Yo vWsxSWmEX62xT85CzYLBR1Ow5+9t9+IjoCRt0pu0SRSps4gYcg1BjS+gIFnuCtB/ B9Ysh+rHo9ne9iojFd9TrEYQSAXebVEYSOjqPWV3E7gd0EXuF+JY0akj8JBduHt3 mfogxVtJdaHDjHtpHoHhBTpHG8l/E2n/47eFDmCiTsBGdL54R4jJSkOu8QmWBgzz HVNX+f86SJ2haUw= =gkFF -----END PGP SIGNATURE----- Merge tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity Pull IMA updates from Mimi Zohar: "In addition to loading the kernel module signing key onto the builtin keyring, load it onto the IMA keyring as well. Also six trivial changes and bug fixes" * tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies ima: Fix fall-through warnings for Clang integrity: Add declarations to init_once void arguments. ima: Fix function name error in comment. ima: enable loading of build time generated key on .ima keyring ima: enable signing of modules with build time generated key keys: cleanup build time module signing keys ima: Fix the error code for restoring the PCR value ima: without an IMA policy loaded, return quickly
98 lines
2.5 KiB
C
98 lines
2.5 KiB
C
/* SPDX-License-Identifier: GPL-2.0-or-later */
|
|
/* System keyring containing trusted public keys.
|
|
*
|
|
* Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*/
|
|
|
|
#ifndef _KEYS_SYSTEM_KEYRING_H
|
|
#define _KEYS_SYSTEM_KEYRING_H
|
|
|
|
#include <linux/key.h>
|
|
|
|
#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
|
|
|
|
extern int restrict_link_by_builtin_trusted(struct key *keyring,
|
|
const struct key_type *type,
|
|
const union key_payload *payload,
|
|
struct key *restriction_key);
|
|
extern __init int load_module_cert(struct key *keyring);
|
|
|
|
#else
|
|
#define restrict_link_by_builtin_trusted restrict_link_reject
|
|
|
|
static inline __init int load_module_cert(struct key *keyring)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
#endif
|
|
|
|
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
|
|
extern int restrict_link_by_builtin_and_secondary_trusted(
|
|
struct key *keyring,
|
|
const struct key_type *type,
|
|
const union key_payload *payload,
|
|
struct key *restriction_key);
|
|
#else
|
|
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
|
|
#endif
|
|
|
|
extern struct pkcs7_message *pkcs7;
|
|
#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
|
extern int mark_hash_blacklisted(const char *hash);
|
|
extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
|
|
const char *type);
|
|
extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
|
|
#else
|
|
static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
|
|
const char *type)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
|
|
{
|
|
return 0;
|
|
}
|
|
#endif
|
|
|
|
#ifdef CONFIG_SYSTEM_REVOCATION_LIST
|
|
extern int add_key_to_revocation_list(const char *data, size_t size);
|
|
extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
|
|
#else
|
|
static inline int add_key_to_revocation_list(const char *data, size_t size)
|
|
{
|
|
return 0;
|
|
}
|
|
static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
|
|
{
|
|
return -ENOKEY;
|
|
}
|
|
#endif
|
|
|
|
#ifdef CONFIG_IMA_BLACKLIST_KEYRING
|
|
extern struct key *ima_blacklist_keyring;
|
|
|
|
static inline struct key *get_ima_blacklist_keyring(void)
|
|
{
|
|
return ima_blacklist_keyring;
|
|
}
|
|
#else
|
|
static inline struct key *get_ima_blacklist_keyring(void)
|
|
{
|
|
return NULL;
|
|
}
|
|
#endif /* CONFIG_IMA_BLACKLIST_KEYRING */
|
|
|
|
#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
|
|
defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
|
|
extern void __init set_platform_trusted_keys(struct key *keyring);
|
|
#else
|
|
static inline void set_platform_trusted_keys(struct key *keyring)
|
|
{
|
|
}
|
|
#endif
|
|
|
|
#endif /* _KEYS_SYSTEM_KEYRING_H */
|