/* SPDX-License-Identifier: GPL-2.0-or-later */
/* System keyring containing trusted public keys.
 *
 * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 */

#ifndef _KEYS_SYSTEM_KEYRING_H
#define _KEYS_SYSTEM_KEYRING_H

#include <linux/key.h>

/*
 * Layout of this header: each facility is declared under its CONFIG option
 * and, with the option off, is replaced by a macro alias or an inline stub so
 * that callers do not need #ifdefs of their own.  The one exception is
 * mark_hash_blacklisted(), which has no stub (see below).
 */

/*
 * Which representation of an object a blacklist hash refers to; passed to
 * mark_hash_blacklisted() and is_hash_blacklisted().
 */
enum blacklist_hash_type {
	/* TBSCertificate hash */
	BLACKLIST_HASH_X509_TBS = 1,
	/* Raw data hash */
	BLACKLIST_HASH_BINARY = 2,
};

#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING

/*
 * Keyring link restriction (key_restrict_link_func_t signature): permit a
 * key to be linked into @keyring only if it verifies against the builtin
 * trusted keyring.
 */
extern int restrict_link_by_builtin_trusted(struct key *keyring,
					    const struct key_type *type,
					    const union key_payload *payload,
					    struct key *restriction_key);
/*
 * Load the kernel's module-signing certificate(s) into @keyring.  __init, so
 * boot-time only.  Returns 0 on success or a negative error code.
 */
extern __init int load_module_cert(struct key *keyring);

#else
/*
 * With no builtin trusted keyring there is nothing to verify against, so the
 * restriction fails closed: restrict_link_reject refuses every link attempt
 * rather than letting unverified keys in.
 */
#define restrict_link_by_builtin_trusted restrict_link_reject

/* Nothing to load; report success so callers proceed normally. */
static inline __init int load_module_cert(struct key *keyring)
{
	return 0;
}

#endif

#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
/*
 * Link restriction that, going by its name, accepts a key verifiable against
 * either the builtin or the secondary trusted keyring.
 */
extern int restrict_link_by_builtin_and_secondary_trusted(
	struct key *keyring,
	const struct key_type *type,
	const union key_payload *payload,
	struct key *restriction_key);
#else
/*
 * No secondary keyring: the combined restriction collapses to the builtin-only
 * one (which itself becomes restrict_link_reject if that is also disabled).
 */
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
#endif

#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
/*
 * Link restriction that additionally accepts keys verifiable against the
 * machine keyring.  Note the parameter names differ from the other two
 * restriction functions (@dest_keyring / @restrict_key); the types and roles
 * are the same.
 */
extern int restrict_link_by_builtin_secondary_and_machine(
	struct key *dest_keyring,
	const struct key_type *type,
	const union key_payload *payload,
	struct key *restrict_key);
/* Register @keyring as the machine keyring; __init, boot-time only. */
extern void __init set_machine_trusted_keys(struct key *keyring);
#else
/* No machine keyring: fall back to the builtin-trusted restriction. */
#define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted
/* No machine keyring to register; deliberately a no-op. */
static inline void __init set_machine_trusted_keys(struct key *keyring)
{
}
#endif

/*
 * NOTE(review): this declaration appears to serve only to bring the
 * struct pkcs7_message tag into scope for the revocation-list prototype
 * below, rather than to expose a real global -- confirm before relying on
 * a symbol of this name existing.
 */
extern struct pkcs7_message *pkcs7;
#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
/*
 * Add the @hash_len-byte @hash of the given @hash_type to the blacklist
 * keyring.  Returns 0 on success or a negative error code.
 */
extern int mark_hash_blacklisted(const u8 *hash, size_t hash_len,
				 enum blacklist_hash_type hash_type);
/*
 * Look @hash up in the blacklist keyring.  Returns 0 when it is not
 * blacklisted (matching the stub below); a non-zero value otherwise.
 */
extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
			       enum blacklist_hash_type hash_type);
/* Presumably is_hash_blacklisted() for BLACKLIST_HASH_BINARY -- verify. */
extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
#else
/*
 * No blacklist keyring configured: nothing can ever be blacklisted, so every
 * lookup reports "not blacklisted".  mark_hash_blacklisted() has no stub
 * here, so any caller of it must itself depend on
 * CONFIG_SYSTEM_BLACKLIST_KEYRING.
 */
static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
				      enum blacklist_hash_type hash_type)
{
	return 0;
}

static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
{
	return 0;
}
#endif

#ifdef CONFIG_SYSTEM_REVOCATION_LIST
/*
 * Add the key described by the @size bytes at @data to the revocation list.
 * Returns 0 on success or a negative error code.
 */
extern int add_key_to_revocation_list(const char *data, size_t size);
/*
 * Check whether the key used to sign @pkcs7 is on the revocation list.
 * Going by the stub below, -ENOKEY means "not on the list"; confirm the
 * success-path return value against the implementation before depending on
 * it.
 */
extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
#else
/* No revocation list: adding to it is a successful no-op ... */
static inline int add_key_to_revocation_list(const char *data, size_t size)
{
	return 0;
}
/*
 * ... and no key can be found on it.  -ENOKEY is the "no such key" answer,
 * i.e. the key is treated as not revoked.
 */
static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
{
	return -ENOKEY;
}
#endif

#ifdef CONFIG_IMA_BLACKLIST_KEYRING
/* The IMA blacklist keyring, defined elsewhere; reached via the getter. */
extern struct key *ima_blacklist_keyring;

/* Return the IMA blacklist keyring.  The raw pointer is returned; no
 * reference is taken on the caller's behalf.
 */
static inline struct key *get_ima_blacklist_keyring(void)
{
	return ima_blacklist_keyring;
}
#else
/* IMA blacklist not configured: callers must cope with a NULL keyring. */
static inline struct key *get_ima_blacklist_keyring(void)
{
	return NULL;
}
#endif /* CONFIG_IMA_BLACKLIST_KEYRING */

/*
 * The platform keyring hook is only provided when the builtin trusted keyring
 * is also enabled; in every other configuration the call is a no-op.
 */
#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
	defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
/* Register @keyring as the platform keyring; __init, boot-time only. */
extern void __init set_platform_trusted_keys(struct key *keyring);
#else
/* No platform keyring in this configuration; deliberately a no-op. */
static inline void set_platform_trusted_keys(struct key *keyring)
{
}
#endif

#endif /* _KEYS_SYSTEM_KEYRING_H */