/* SPDX-License-Identifier: GPL-2.0-or-later */
/* System keyring containing trusted public keys.
 *
 * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 */

#ifndef _KEYS_SYSTEM_KEYRING_H
#define _KEYS_SYSTEM_KEYRING_H

#include <linux/key.h>

/*
 * Which object a blacklist entry's hash was taken over.  The numeric values
 * are part of the interface, so new members must not renumber these.
 */
enum blacklist_hash_type {
	/* TBSCertificate hash */
	BLACKLIST_HASH_X509_TBS = 1,
	/* Raw data hash */
	BLACKLIST_HASH_BINARY = 2,
};

/*
 * Builtin trusted keyring.
 *
 * The restrict_link_* functions are key-linking restrictions: they decide
 * whether a key with the given type/payload may be linked into a keyring.
 * When the builtin keyring is not configured they resolve to
 * restrict_link_reject, so linking fails closed rather than open.
 */
#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING

extern int restrict_link_by_builtin_trusted(struct key *keyring,
					    const struct key_type *type,
					    const union key_payload *payload,
					    struct key *restriction_key);
int restrict_link_by_digsig_builtin(struct key *dest_keyring,
				    const struct key_type *type,
				    const union key_payload *payload,
				    struct key *restriction_key);
/* Load the module-signing certificate(s) into @keyring; __init only. */
extern __init int load_module_cert(struct key *keyring);

#else
#define restrict_link_by_builtin_trusted restrict_link_reject
#define restrict_link_by_digsig_builtin restrict_link_reject

/* No builtin keyring: nothing to load, report success. */
static inline __init int load_module_cert(struct key *keyring)
{
	return 0;
}

#endif

/*
 * Secondary trusted keyring.  Without it, the "builtin and secondary"
 * restrictions collapse to their builtin-only counterparts and
 * add_to_secondary_keyring() is a no-op.
 */
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
extern int restrict_link_by_builtin_and_secondary_trusted(
	struct key *keyring,
	const struct key_type *type,
	const union key_payload *payload,
	struct key *restriction_key);
int restrict_link_by_digsig_builtin_and_secondary(struct key *keyring,
						  const struct key_type *type,
						  const union key_payload *payload,
						  struct key *restriction_key);
/*
 * Add @len bytes of key data at @data to the secondary keyring; @source is
 * a label for the origin of the data (format not shown here).  __init only.
 */
void __init add_to_secondary_keyring(const char *source, const void *data, size_t len);
#else
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
#define restrict_link_by_digsig_builtin_and_secondary restrict_link_by_digsig_builtin
static inline void __init add_to_secondary_keyring(const char *source, const void *data, size_t len)
{
}
#endif

/*
 * Machine keyring (integrity subsystem).
 *
 * NOTE(review): when CONFIG_INTEGRITY_MACHINE_KEYRING is off, the fallback
 * is restrict_link_by_builtin_trusted, not the "_and_secondary" variant —
 * i.e. the secondary keyring does not contribute to this restriction in
 * that configuration.  Presumably intentional; confirm against callers.
 */
#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
extern int restrict_link_by_builtin_secondary_and_machine(
	struct key *dest_keyring,
	const struct key_type *type,
	const union key_payload *payload,
	struct key *restrict_key);
/* Register @keyring as the machine keyring; __init only. */
extern void __init set_machine_trusted_keys(struct key *keyring);
#else
#define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted
static inline void __init set_machine_trusted_keys(struct key *keyring)
{
}
#endif

/*
 * Blacklist keyring.
 *
 * Without CONFIG_SYSTEM_BLACKLIST_KEYRING the lookup helpers always return
 * 0 (presumably "not blacklisted"), and there is deliberately no stub for
 * mark_hash_blacklisted(): callers of it must themselves depend on the
 * blacklist being configured.
 */
#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
/* Record @hash (of @hash_len bytes, taken over @hash_type) as blacklisted. */
extern int mark_hash_blacklisted(const u8 *hash, size_t hash_len,
				 enum blacklist_hash_type hash_type);
extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
			       enum blacklist_hash_type hash_type);
/* Convenience form of is_hash_blacklisted() for raw-data hashes. */
extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
#else
static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
				      enum blacklist_hash_type hash_type)
{
	return 0;
}

static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
{
	return 0;
}
#endif

/*
 * Revocation list.
 *
 * The two stubs are not symmetric: add_key_to_revocation_list() reports
 * success (0) while is_key_on_revocation_list() returns -ENOKEY.  Callers
 * should therefore treat -ENOKEY as "not revoked / no list", not as a
 * hard failure — verify against the call sites before relying on this.
 */
struct pkcs7_message;
#ifdef CONFIG_SYSTEM_REVOCATION_LIST
extern int add_key_to_revocation_list(const char *data, size_t size);
extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
#else
static inline int add_key_to_revocation_list(const char *data, size_t size)
{
	return 0;
}
static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
{
	return -ENOKEY;
}
#endif

/*
 * IMA blacklist keyring.  The getter hands back the global keyring pointer
 * when configured and NULL otherwise, so callers must NULL-check.
 */
#ifdef CONFIG_IMA_BLACKLIST_KEYRING
extern struct key *ima_blacklist_keyring;

static inline struct key *get_ima_blacklist_keyring(void)
{
	return ima_blacklist_keyring;
}
#else
static inline struct key *get_ima_blacklist_keyring(void)
{
	return NULL;
}
#endif /* CONFIG_IMA_BLACKLIST_KEYRING */

/*
 * Platform keyring.  The real set_platform_trusted_keys() exists only when
 * both the platform keyring and the builtin trusted keyring are configured;
 * in every other configuration it is a no-op.
 */
#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
	defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
extern void __init set_platform_trusted_keys(struct key *keyring);
#else
static inline void set_platform_trusted_keys(struct key *keyring)
{
}
#endif

#endif /* _KEYS_SYSTEM_KEYRING_H */