12 Apr, 2016

2 commits

  • Add a secondary system keyring that can be added to by root whilst the
    system is running - provided the key being added is vouched for by a key
    built into the kernel or already added to the secondary keyring.

    Rename .system_keyring to .builtin_trusted_keys to distinguish it more
    obviously from the new keyring (called .secondary_trusted_keys).

    The new keyring needs to be enabled with CONFIG_SECONDARY_TRUSTED_KEYRING.

    If the secondary keyring is enabled, a link is created from that to
    .builtin_trusted_keys so that the latter will automatically be searched
    too if the secondary keyring is searched.

    Signed-off-by: David Howells

    David Howells
     
  • Make the system trusted keyring depend on the asymmetric key type as
    there's not a lot of point having it if you can't then load asymmetric keys
    onto it.

    This requires the ASYMMETRIC_KEY_TYPE to be made a bool, not a tristate, as
    the Kconfig language doesn't then correctly force ASYMMETRIC_KEY_TYPE to
    'y' rather than 'm' if SYSTEM_TRUSTED_KEYRING is 'y'.

    Making SYSTEM_TRUSTED_KEYRING *select* ASYMMETRIC_KEY_TYPE instead doesn't
    work as the Kconfig interpreter then wrongly complains about dependency
    loops.

    Signed-off-by: David Howells

    David Howells
     

26 Feb, 2016

1 commit

  • Place a system_extra_cert buffer of configurable size, right after the
    system_certificate_list, so that inserted keys can be readily processed by
    the existing mechanism. Added script takes a key file and a kernel image
    and inserts its contents to the reserved area. The
    system_certificate_list_size is also adjusted accordingly.

    Call the script as:

    scripts/insert-sys-cert -b -c

    If vmlinux has no symbol table, supply System.map file with -s flag.
    Subsequent runs replace the previously inserted key, instead of appending
    the new one.

    Signed-off-by: Mehmet Kayaalp
    Signed-off-by: David Howells
    Acked-by: Mimi Zohar

    Mehmet Kayaalp
     

14 Aug, 2015

1 commit