summaryrefslogtreecommitdiffstats
path: root/init
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2013-08-30 16:07:30 +0100
committerDavid Howells <dhowells@redhat.com>2013-09-25 17:17:01 +0100
commitb56e5a17b6b9acd16997960504b9940d0d7984e7 (patch)
tree3041aadaf0eb3e79c0a5d1e7f9715489340f868a /init
parent0fbd39cf7ffe3b6a787b66b672d21b84e4675352 (diff)
KEYS: Separate the kernel signature checking keyring from module signing
Separate the kernel signature checking keyring from module signing so that it can be used by code other than the module-signing code. Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'init')
-rw-r--r--init/Kconfig13
1 files changed, 13 insertions, 0 deletions
diff --git a/init/Kconfig b/init/Kconfig
index 3ecd8a1178f..0ff5407a837 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1668,6 +1668,18 @@ config BASE_SMALL
default 0 if BASE_FULL
default 1 if !BASE_FULL
+config SYSTEM_TRUSTED_KEYRING
+ bool "Provide system-wide ring of trusted keys"
+ depends on KEYS
+ help
+ Provide a system keyring to which trusted keys can be added. Keys in
+ the keyring are considered to be trusted. Keys may be added at will
+ by the kernel from compiled-in data and from hardware key stores, but
+ userspace may only add extra keys if those keys can be verified by
+ keys already in the keyring.
+
+ Keys in this keyring are used by module signature checking.
+
menuconfig MODULES
bool "Enable loadable module support"
option modules
@@ -1741,6 +1753,7 @@ config MODULE_SRCVERSION_ALL
config MODULE_SIG
bool "Module signature verification"
depends on MODULES
+ select SYSTEM_TRUSTED_KEYRING
select KEYS
select CRYPTO
select ASYMMETRIC_KEY_TYPE