projects / thirdparty / kernel / linux.git / blame
| Commit | Line | Data |
|---|---|---|
| b4d0d230 | 1 | /* SPDX-License-Identifier: GPL-2.0-or-later */ |
| b56e5a17 DH |
2 | /* System keyring containing trusted public keys. |
| 3 | * | |
| 4 | * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved. | |
| 5 | * Written by David Howells (dhowells@redhat.com) | |
| b56e5a17 DH |
6 | */ |
| 7 | ||
| 8 | #ifndef _KEYS_SYSTEM_KEYRING_H | |
| 9 | #define _KEYS_SYSTEM_KEYRING_H | |
| 10 | ||
| a511e1af DH |
11 | #include <linux/key.h> |
| 12 | ||
| 141e5239 MS |
13 | enum blacklist_hash_type { |
| 14 | /* TBSCertificate hash */ | |
| 15 | BLACKLIST_HASH_X509_TBS = 1, | |
| 16 | /* Raw data hash */ | |
| 17 | BLACKLIST_HASH_BINARY = 2, | |
| 18 | }; | |
| 19 | ||
| b56e5a17 DH |
20 | #ifdef CONFIG_SYSTEM_TRUSTED_KEYRING |
| 21 | ||
| a511e1af DH |
22 | extern int restrict_link_by_builtin_trusted(struct key *keyring, |
| 23 | const struct key_type *type, | |
| aaf66c88 MM |
24 | const union key_payload *payload, |
| 25 | struct key *restriction_key); | |
| 4cfb9080 ES |
26 | int restrict_link_by_digsig_builtin(struct key *dest_keyring, |
| 27 | const struct key_type *type, | |
| 28 | const union key_payload *payload, | |
| 29 | struct key *restriction_key); | |
| 6cbdfb3d | 30 | extern __init int load_module_cert(struct key *keyring); |
| b56e5a17 | 31 | |
| 3be4beaf | 32 | #else |
| a511e1af | 33 | #define restrict_link_by_builtin_trusted restrict_link_reject |
| 4cfb9080 | 34 | #define restrict_link_by_digsig_builtin restrict_link_reject |
| 6cbdfb3d NJ |
35 | |
| 36 | static inline __init int load_module_cert(struct key *keyring) | |
| 37 | { | |
| 38 | return 0; | |
| 39 | } | |
| 40 | ||
| b56e5a17 DH |
41 | #endif |
| 42 | ||
| d3bfe841 DH |
43 | #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING |
| 44 | extern int restrict_link_by_builtin_and_secondary_trusted( | |
| 45 | struct key *keyring, | |
| 46 | const struct key_type *type, | |
| aaf66c88 MM |
47 | const union key_payload *payload, |
| 48 | struct key *restriction_key); | |
| 4cfb9080 ES |
49 | int restrict_link_by_digsig_builtin_and_secondary(struct key *keyring, |
| 50 | const struct key_type *type, | |
| 51 | const union key_payload *payload, | |
| 52 | struct key *restriction_key); | |
| 44e69ea5 | 53 | void __init add_to_secondary_keyring(const char *source, const void *data, size_t len); |
| d3bfe841 DH |
54 | #else |
| 55 | #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted | |
| 4cfb9080 | 56 | #define restrict_link_by_digsig_builtin_and_secondary restrict_link_by_digsig_builtin |
| 44e69ea5 NJ |
57 | static inline void __init add_to_secondary_keyring(const char *source, const void *data, size_t len) |
| 58 | { | |
| 59 | } | |
| d3bfe841 DH |
60 | #endif |
| 61 | ||
| 56edb6c2 | 62 | #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING |
| 087aa4ed ES |
63 | extern int restrict_link_by_builtin_secondary_and_machine( |
| 64 | struct key *dest_keyring, | |
| 65 | const struct key_type *type, | |
| 66 | const union key_payload *payload, | |
| 67 | struct key *restrict_key); | |
| 56edb6c2 ES |
68 | extern void __init set_machine_trusted_keys(struct key *keyring); |
| 69 | #else | |
| 087aa4ed | 70 | #define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted |
| 56edb6c2 ES |
71 | static inline void __init set_machine_trusted_keys(struct key *keyring) |
| 72 | { | |
| 73 | } | |
| 74 | #endif | |
| 75 | ||
| 56c58126 | 76 | extern struct pkcs7_message *pkcs7; |
| 734114f8 | 77 | #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING |
| 141e5239 MS |
78 | extern int mark_hash_blacklisted(const u8 *hash, size_t hash_len, |
| 79 | enum blacklist_hash_type hash_type); | |
| 734114f8 | 80 | extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, |
| 141e5239 | 81 | enum blacklist_hash_type hash_type); |
| 2434f7d2 | 82 | extern int is_binary_blacklisted(const u8 *hash, size_t hash_len); |
| 734114f8 DH |
83 | #else |
| 84 | static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len, | |
| 141e5239 | 85 | enum blacklist_hash_type hash_type) |
| 734114f8 DH |
86 | { |
| 87 | return 0; | |
| 88 | } | |
| 2434f7d2 NJ |
89 | |
| 90 | static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len) | |
| 91 | { | |
| 92 | return 0; | |
| 93 | } | |
| 734114f8 DH |
94 | #endif |
| 95 | ||
| 56c58126 ES |
96 | #ifdef CONFIG_SYSTEM_REVOCATION_LIST |
| 97 | extern int add_key_to_revocation_list(const char *data, size_t size); | |
| 98 | extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7); | |
| 99 | #else | |
| 100 | static inline int add_key_to_revocation_list(const char *data, size_t size) | |
| 101 | { | |
| 102 | return 0; | |
| 103 | } | |
| 104 | static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7) | |
| 105 | { | |
| 106 | return -ENOKEY; | |
| 107 | } | |
| 108 | #endif | |
| 109 | ||
| 56104cf2 | 110 | #ifdef CONFIG_IMA_BLACKLIST_KEYRING |
| 41c89b64 PM |
111 | extern struct key *ima_blacklist_keyring; |
| 112 | ||
| 41c89b64 PM |
113 | static inline struct key *get_ima_blacklist_keyring(void) |
| 114 | { | |
| 115 | return ima_blacklist_keyring; | |
| 116 | } | |
| 117 | #else | |
| 41c89b64 PM |
118 | static inline struct key *get_ima_blacklist_keyring(void) |
| 119 | { | |
| 120 | return NULL; | |
| 121 | } | |
| 56104cf2 | 122 | #endif /* CONFIG_IMA_BLACKLIST_KEYRING */ |
| 41c89b64 | 123 | |
| 219a3e86 KS |
124 | #if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \ |
| 125 | defined(CONFIG_SYSTEM_TRUSTED_KEYRING) | |
| 126 | extern void __init set_platform_trusted_keys(struct key *keyring); | |
| 127 | #else | |
| 128 | static inline void set_platform_trusted_keys(struct key *keyring) | |
| 129 | { | |
| 130 | } | |
| 131 | #endif | |
| 41c89b64 | 132 | |
| b56e5a17 | 133 | #endif /* _KEYS_SYSTEM_KEYRING_H */ |