summaryrefslogtreecommitdiffstats
path: root/certs/Kconfig
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2016-04-06 17:14:27 +0200
committerDavid Howells <dhowells@redhat.com>2016-04-11 23:48:09 +0200
commitd3bfe84129f65e0af2450743ebdab33d161d01c9 (patch)
tree37d567ed647f869e6a01cddcb40ec67b716204e0 /certs/Kconfig
parentKEYS: Remove KEY_FLAG_TRUSTED and KEY_ALLOC_TRUSTED (diff)
downloadlinux-d3bfe84129f65e0af2450743ebdab33d161d01c9.tar.xz
linux-d3bfe84129f65e0af2450743ebdab33d161d01c9.zip
certs: Add a secondary system keyring that can be added to dynamically
Add a secondary system keyring that can be added to by root whilst the system is running - provided the key being added is vouched for by a key built into the kernel or already added to the secondary keyring. Rename .system_keyring to .builtin_trusted_keys to distinguish it more obviously from the new keyring (called .secondary_trusted_keys). The new keyring needs to be enabled with CONFIG_SECONDARY_TRUSTED_KEYRING. If the secondary keyring is enabled, a link is created from that to .builtin_trusted_keys so that the the latter will automatically be searched too if the secondary keyring is searched. Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'certs/Kconfig')
-rw-r--r--certs/Kconfig8
1 files changed, 8 insertions, 0 deletions
diff --git a/certs/Kconfig b/certs/Kconfig
index 743d480f5f6f..fc5955f5fc8a 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -56,4 +56,12 @@ config SYSTEM_EXTRA_CERTIFICATE_SIZE
This is the number of bytes reserved in the kernel image for a
certificate to be inserted.
+config SECONDARY_TRUSTED_KEYRING
+ bool "Provide a keyring to which extra trustable keys may be added"
+ depends on SYSTEM_TRUSTED_KEYRING
+ help
+ If set, provide a keyring to which extra keys may be added, provided
+ those keys are not blacklisted and are vouched for by a key built
+ into the kernel or already in the secondary trusted keyring.
+
endmenu