diff options
author | David Howells <dhowells@redhat.com> | 2016-04-06 17:14:27 +0200 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2016-04-11 23:48:09 +0200 |
commit | d3bfe84129f65e0af2450743ebdab33d161d01c9 (patch) | |
tree | 37d567ed647f869e6a01cddcb40ec67b716204e0 /certs/Kconfig | |
parent | KEYS: Remove KEY_FLAG_TRUSTED and KEY_ALLOC_TRUSTED (diff) | |
download | linux-d3bfe84129f65e0af2450743ebdab33d161d01c9.tar.xz linux-d3bfe84129f65e0af2450743ebdab33d161d01c9.zip |
certs: Add a secondary system keyring that can be added to dynamically
Add a secondary system keyring that can be added to by root whilst the
system is running - provided the key being added is vouched for by a key
built into the kernel or already added to the secondary keyring.
Rename .system_keyring to .builtin_trusted_keys to distinguish it more
obviously from the new keyring (called .secondary_trusted_keys).
The new keyring needs to be enabled with CONFIG_SECONDARY_TRUSTED_KEYRING.
If the secondary keyring is enabled, a link is created from that to
.builtin_trusted_keys so that the the latter will automatically be searched
too if the secondary keyring is searched.
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'certs/Kconfig')
-rw-r--r-- | certs/Kconfig | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/certs/Kconfig b/certs/Kconfig index 743d480f5f6f..fc5955f5fc8a 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -56,4 +56,12 @@ config SYSTEM_EXTRA_CERTIFICATE_SIZE This is the number of bytes reserved in the kernel image for a certificate to be inserted. +config SECONDARY_TRUSTED_KEYRING + bool "Provide a keyring to which extra trustable keys may be added" + depends on SYSTEM_TRUSTED_KEYRING + help + If set, provide a keyring to which extra keys may be added, provided + those keys are not blacklisted and are vouched for by a key built + into the kernel or already in the secondary trusted keyring. + endmenu |