linux-stable/include/keys/system_keyring.h
Linus Torvalds e6f0bf09f0 integrity-v5.13
-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCAAyFiEEjSMCCC7+cjo3nszSa3kkZrA+cVoFAmCIuMgUHHpvaGFyQGxp
 bnV4LmlibS5jb20ACgkQa3kkZrA+cVqCew//SHwZ3LuqZUyqX1lCeW0eUsJQmf9P
 Rc++pK5+cigaYwg/LpLXBtIthOO91KJ+p4UrXIttlz6wRWqH5Enm/nQk3ngIIrWJ
 g4HsU4LoXeE5V1QZgDdUWM+ViaNvZuzT8enaUt4VvelHTRMoAgeTu7/amjx01t9L
 R8Qhmg2tBI5ehRgocNfEApNfaDyOcJhR14wAnGFhQH1pH2o0e+O+L5E6ke3Z2N0D
 oa9LBkA2wZFlTXkYHAYBdZjPW0BXX55brIusLHhrvFC16Ad9IVwcxRvRwYy4v2IK
 p8kO7EwGO4IkqsuL6FApgbW8/dTZXo3pD8YmplXhQdvAd9L/LshYhDePX7UsEp+O
 CL3rFvNFzZKC5qTx0UXLqjcktosOLTTFkAzRMg5taTljbTWBp9ziI8X0nTgoThLH
 fTs41Ol5v5veiq8JbZ1VixCoDJVOWtED/FuSZD41OyXJb7yGNpTnmvP6QJNIa1Yo
 vWsxSWmEX62xT85CzYLBR1Ow5+9t9+IjoCRt0pu0SRSps4gYcg1BjS+gIFnuCtB/
 B9Ysh+rHo9ne9iojFd9TrEYQSAXebVEYSOjqPWV3E7gd0EXuF+JY0akj8JBduHt3
 mfogxVtJdaHDjHtpHoHhBTpHG8l/E2n/47eFDmCiTsBGdL54R4jJSkOu8QmWBgzz
 HVNX+f86SJ2haUw=
 =gkFF
 -----END PGP SIGNATURE-----

Merge tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull IMA updates from Mimi Zohar:
 "In addition to loading the kernel module signing key onto the builtin
  keyring, load it onto the IMA keyring as well.

  Also six trivial changes and bug fixes"

* tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies
  ima: Fix fall-through warnings for Clang
  integrity: Add declarations to init_once void arguments.
  ima: Fix function name error in comment.
  ima: enable loading of build time generated key on .ima keyring
  ima: enable signing of modules with build time generated key
  keys: cleanup build time module signing keys
  ima: Fix the error code for restoring the PCR value
  ima: without an IMA policy loaded, return quickly
2021-05-01 15:32:18 -07:00

97 lines
2.5 KiB
C

/* SPDX-License-Identifier: GPL-2.0-or-later */
/* System keyring containing trusted public keys.
*
* Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*/
#ifndef _KEYS_SYSTEM_KEYRING_H
#define _KEYS_SYSTEM_KEYRING_H
#include <linux/key.h>
#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
extern int restrict_link_by_builtin_trusted(struct key *keyring,
const struct key_type *type,
const union key_payload *payload,
struct key *restriction_key);
extern __init int load_module_cert(struct key *keyring);
#else
#define restrict_link_by_builtin_trusted restrict_link_reject
static inline __init int load_module_cert(struct key *keyring)
{
return 0;
}
#endif
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
extern int restrict_link_by_builtin_and_secondary_trusted(
struct key *keyring,
const struct key_type *type,
const union key_payload *payload,
struct key *restriction_key);
#else
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
#endif
extern struct pkcs7_message *pkcs7;
#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
extern int mark_hash_blacklisted(const char *hash);
extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
const char *type);
extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
#else
static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
const char *type)
{
return 0;
}
static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
{
return 0;
}
#endif
#ifdef CONFIG_SYSTEM_REVOCATION_LIST
extern int add_key_to_revocation_list(const char *data, size_t size);
extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
#else
static inline int add_key_to_revocation_list(const char *data, size_t size)
{
return 0;
}
static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
{
return -ENOKEY;
}
#endif
#ifdef CONFIG_IMA_BLACKLIST_KEYRING
extern struct key *ima_blacklist_keyring;
static inline struct key *get_ima_blacklist_keyring(void)
{
return ima_blacklist_keyring;
}
#else
static inline struct key *get_ima_blacklist_keyring(void)
{
return NULL;
}
#endif /* CONFIG_IMA_BLACKLIST_KEYRING */
#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
extern void __init set_platform_trusted_keys(struct key *keyring);
#else
static inline void set_platform_trusted_keys(struct key *keyring)
{
}
#endif
#endif /* _KEYS_SYSTEM_KEYRING_H */