b4d0d230 | 1 | /* SPDX-License-Identifier: GPL-2.0-or-later */ |
2 | /* System keyring containing trusted public keys. |
3 | * | |
4 | * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved. | |
5 | * Written by David Howells (dhowells@redhat.com) | |
6 | */ |
7 | ||
8 | #ifndef _KEYS_SYSTEM_KEYRING_H | |
9 | #define _KEYS_SYSTEM_KEYRING_H | |
10 | ||
11 | #include <linux/key.h> |
12 | ||
/*
 * Identifies how the digest handed to mark_hash_blacklisted() and
 * is_hash_blacklisted() was computed, so that a TBSCertificate digest and
 * a raw-data digest of the same bytes can be told apart.
 */
enum blacklist_hash_type {
	/* TBSCertificate hash */
	BLACKLIST_HASH_X509_TBS = 1,
	/* Raw data hash */
	BLACKLIST_HASH_BINARY = 2,
};
19 | ||
20 | #ifdef CONFIG_SYSTEM_TRUSTED_KEYRING |
21 | ||
22 | extern int restrict_link_by_builtin_trusted(struct key *keyring, |
23 | const struct key_type *type, | |
24 | const union key_payload *payload, |
25 | struct key *restriction_key); | |
26 | int restrict_link_by_digsig_builtin(struct key *dest_keyring, |
27 | const struct key_type *type, | |
28 | const union key_payload *payload, | |
29 | struct key *restriction_key); | |
6cbdfb3d | 30 | extern __init int load_module_cert(struct key *keyring); |
b56e5a17 | 31 | |
#else
/*
 * Without a system trusted keyring there is nothing to verify a candidate
 * key against, so both restriction hooks collapse to restrict_link_reject:
 * an attempted link is refused (fail closed) rather than silently allowed.
 */
#define restrict_link_by_builtin_trusted restrict_link_reject
#define restrict_link_by_digsig_builtin restrict_link_reject
35 | |
/*
 * Stub used when CONFIG_SYSTEM_TRUSTED_KEYRING is not set: there is no
 * trusted keyring for load_module_cert() to populate, so @keyring is
 * ignored and nothing is loaded.
 *
 * Returns 0, i.e. the same "success" the real implementation would report;
 * a caller cannot tell from the return value that no certificate was added.
 */
static inline __init int load_module_cert(struct key *keyring)
{
	return 0;
}
40 | ||
41 | #endif |
42 | ||
43 | #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING |
44 | extern int restrict_link_by_builtin_and_secondary_trusted( | |
45 | struct key *keyring, | |
46 | const struct key_type *type, | |
47 | const union key_payload *payload, |
48 | struct key *restriction_key); | |
49 | int restrict_link_by_digsig_builtin_and_secondary(struct key *keyring, |
50 | const struct key_type *type, | |
51 | const union key_payload *payload, | |
52 | struct key *restriction_key); | |
44e69ea5 | 53 | void __init add_to_secondary_keyring(const char *source, const void *data, size_t len); |
#else
/*
 * No secondary keyring configured: the "builtin and secondary" hooks fall
 * back to their builtin-only counterparts, which are themselves
 * restrict_link_reject when CONFIG_SYSTEM_TRUSTED_KEYRING is also unset.
 */
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
#define restrict_link_by_digsig_builtin_and_secondary restrict_link_by_digsig_builtin
/*
 * Stub used when CONFIG_SECONDARY_TRUSTED_KEYRING is not set: there is no
 * secondary keyring to add to, so @source, @data and @len are discarded.
 * The function is void, so the caller receives no indication that the
 * key material was dropped.
 */
static inline void __init add_to_secondary_keyring(const char *source, const void *data, size_t len)
{
}
60 | #endif |
61 | ||
56edb6c2 | 62 | #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING |
63 | extern int restrict_link_by_builtin_secondary_and_machine( |
64 | struct key *dest_keyring, | |
65 | const struct key_type *type, | |
66 | const union key_payload *payload, | |
67 | struct key *restrict_key); | |
56edb6c2 ES |
68 | extern void __init set_machine_trusted_keys(struct key *keyring); |
#else
/*
 * No machine keyring configured: fall back to restrict_link_by_builtin_trusted,
 * so the machine-keyring variant never grants more than the builtin one does.
 */
#define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted
56edb6c2 ES |
/*
 * Stub used when CONFIG_INTEGRITY_MACHINE_KEYRING is not set: there is no
 * machine keyring to record, so @keyring is ignored and nothing happens.
 */
static inline void __init set_machine_trusted_keys(struct key *keyring)
{
}
74 | #endif | |
75 | ||
56c58126 | 76 | extern struct pkcs7_message *pkcs7; |
734114f8 | 77 | #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING |
78 | extern int mark_hash_blacklisted(const u8 *hash, size_t hash_len, |
79 | enum blacklist_hash_type hash_type); | |
734114f8 | 80 | extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, |
141e5239 | 81 | enum blacklist_hash_type hash_type); |
2434f7d2 | 82 | extern int is_binary_blacklisted(const u8 *hash, size_t hash_len); |
83 | #else |
/*
 * Stub used when CONFIG_SYSTEM_BLACKLIST_KEYRING is not set. There is no
 * blacklist to consult, so every (@hash, @hash_len, @hash_type) receives
 * the same answer, 0, and none of the arguments is examined. This stub can
 * never produce a rejection: a blacklist check only has teeth when the
 * keyring is configured.
 */
static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
				      enum blacklist_hash_type hash_type)
{
	return 0;
}
89 | |
/*
 * Stub used when CONFIG_SYSTEM_BLACKLIST_KEYRING is not set: with no
 * blacklist present, @hash and @hash_len are ignored and 0 is returned for
 * every input, so no binary is ever reported as blacklisted here.
 */
static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
{
	return 0;
}
94 | #endif |
95 | ||
96 | #ifdef CONFIG_SYSTEM_REVOCATION_LIST |
97 | extern int add_key_to_revocation_list(const char *data, size_t size); | |
98 | extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7); | |
99 | #else | |
/*
 * Stub used when CONFIG_SYSTEM_REVOCATION_LIST is not set: @data and @size
 * are dropped and 0 is returned. The return value therefore looks like a
 * successful addition even though nothing was recorded; a caller cannot
 * distinguish "added" from "revocation list unsupported" by this result.
 */
static inline int add_key_to_revocation_list(const char *data, size_t size)
{
	return 0;
}
/*
 * Stub used when CONFIG_SYSTEM_REVOCATION_LIST is not set. With no list
 * configured no key can be found on it, so this always returns -ENOKEY
 * ("required key not available"); @pkcs7 is never examined.
 */
static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
{
	return -ENOKEY;
}
108 | #endif | |
109 | ||
56104cf2 | 110 | #ifdef CONFIG_IMA_BLACKLIST_KEYRING |
111 | extern struct key *ima_blacklist_keyring; |
112 | ||
/*
 * Accessor for the IMA blacklist keyring (CONFIG_IMA_BLACKLIST_KEYRING set).
 * Hands back the global ima_blacklist_keyring declared above as-is: no
 * NULL check and no reference is taken here, so callers must be prepared
 * for NULL (nothing in this header guarantees the global has been populated,
 * and the disabled-config stub returns NULL unconditionally).
 */
static inline struct key *get_ima_blacklist_keyring(void)
{
	return ima_blacklist_keyring;
}
117 | #else | |
/*
 * Stub used when CONFIG_IMA_BLACKLIST_KEYRING is not set: there is no IMA
 * blacklist keyring, so NULL is returned. Every caller of
 * get_ima_blacklist_keyring() must therefore handle a NULL result.
 */
static inline struct key *get_ima_blacklist_keyring(void)
{
	return NULL;
}
56104cf2 | 122 | #endif /* CONFIG_IMA_BLACKLIST_KEYRING */ |
41c89b64 | 123 | |
124 | #if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \ |
125 | defined(CONFIG_SYSTEM_TRUSTED_KEYRING) | |
126 | extern void __init set_platform_trusted_keys(struct key *keyring); | |
127 | #else | |
/*
 * Stub used unless both CONFIG_INTEGRITY_PLATFORM_KEYRING and
 * CONFIG_SYSTEM_TRUSTED_KEYRING are set: there is no platform keyring to
 * record, so @keyring is ignored and nothing happens.
 *
 * NOTE(review): the other empty stubs in this header carry __init while
 * this one does not (the extern counterpart above does) — confirm whether
 * that is intentional.
 */
static inline void set_platform_trusted_keys(struct key *keyring)
{
}
131 | #endif | |
41c89b64 | 132 | |
b56e5a17 | 133 | #endif /* _KEYS_SYSTEM_KEYRING_H */ |