summaryrefslogtreecommitdiff
path: root/include/keys
diff options
context:
space:
mode:
authorEric Snowberg <eric.snowberg@oracle.com>2023-05-23 02:09:42 +0300
committerJarkko Sakkinen <jarkko@kernel.org>2023-08-17 23:12:20 +0300
commit4cfb908054456ad8b6b8cd5108bbdf80faade8cd (patch)
treebd4046f55cb525db633927638a605ce51e813606 /include/keys
parentbff24699b94a34c5fcb8d3283794e7d39adb092c (diff)
downloadlinux-4cfb908054456ad8b6b8cd5108bbdf80faade8cd.tar.xz
KEYS: DigitalSignature link restriction
Add a new link restriction. Restrict the addition of keys in a keyring based on the key having digitalSignature usage set. Additionally, verify the new certificate against the ones in the system keyrings. Add two additional functions to use the new restriction within either the builtin or secondary keyrings. [jarkko@kernel.org: Fix checkpatch.pl --strict issues] Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Reviewed-and-tested-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Diffstat (limited to 'include/keys')
-rw-r--r--include/keys/system_keyring.h10
1 files changed, 10 insertions, 0 deletions
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 91e080efb918..7e2583208820 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -23,10 +23,15 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring,
const struct key_type *type,
const union key_payload *payload,
struct key *restriction_key);
+int restrict_link_by_digsig_builtin(struct key *dest_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *restriction_key);
extern __init int load_module_cert(struct key *keyring);
#else
#define restrict_link_by_builtin_trusted restrict_link_reject
+#define restrict_link_by_digsig_builtin restrict_link_reject
static inline __init int load_module_cert(struct key *keyring)
{
@@ -41,8 +46,13 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
const struct key_type *type,
const union key_payload *payload,
struct key *restriction_key);
+int restrict_link_by_digsig_builtin_and_secondary(struct key *keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *restriction_key);
#else
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
+#define restrict_link_by_digsig_builtin_and_secondary restrict_link_by_digsig_builtin
#endif
#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING