From d3bfe84129f65e0af2450743ebdab33d161d01c9 Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 6 Apr 2016 16:14:27 +0100 Subject: certs: Add a secondary system keyring that can be added to dynamically Add a secondary system keyring that can be added to by root whilst the system is running - provided the key being added is vouched for by a key built into the kernel or already added to the secondary keyring. Rename .system_keyring to .builtin_trusted_keys to distinguish it more obviously from the new keyring (called .secondary_trusted_keys). The new keyring needs to be enabled with CONFIG_SECONDARY_TRUSTED_KEYRING. If the secondary keyring is enabled, a link is created from that to .builtin_trusted_keys so that the the latter will automatically be searched too if the secondary keyring is searched. Signed-off-by: David Howells --- include/keys/system_keyring.h | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'include/keys/system_keyring.h') diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index c72330ae76df..614424029de7 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -24,6 +24,15 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring, #define restrict_link_by_builtin_trusted restrict_link_reject #endif +#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING +extern int restrict_link_by_builtin_and_secondary_trusted( + struct key *keyring, + const struct key_type *type, + const union key_payload *payload); +#else +#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +#endif + #ifdef CONFIG_IMA_MOK_KEYRING extern struct key *ima_mok_keyring; extern struct key *ima_blacklist_keyring; -- cgit v1.2.3