0001 /* SPDX-License-Identifier: GPL-2.0-or-later */
0002 /* System keyring containing trusted public keys.
0003  *
0004  * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
0005  * Written by David Howells (dhowells@redhat.com)
0006  */
0007 
0008 #ifndef _KEYS_SYSTEM_KEYRING_H
0009 #define _KEYS_SYSTEM_KEYRING_H
0010 
0011 #include <linux/key.h>
0012 
/*
 * What a blacklist entry's hash was computed over.  The numeric values are
 * part of the interface (they are assigned explicitly), so new types must
 * be appended rather than renumbered.
 */
enum blacklist_hash_type {
    /* Hash of an X.509 certificate's TBSCertificate (the to-be-signed part) */
    BLACKLIST_HASH_X509_TBS = 1,
    /* Hash of arbitrary raw data (e.g. a file or binary image) */
    BLACKLIST_HASH_BINARY = 2,
};
0019 
0020 #ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
0021 
/*
 * Keyring link restriction tied to the builtin trusted keyring.  The
 * parameters follow the key_restrict_link_func_t shape: the keyring being
 * linked into, the type and payload of the candidate key, and the
 * restriction key.  Presumably a candidate is admitted only when it is
 * vouched for by a builtin trusted key -- confirm against the definition;
 * the #else branch below shows the fail-closed fallback.
 */
extern int restrict_link_by_builtin_trusted(struct key *keyring,
                        const struct key_type *type,
                        const union key_payload *payload,
                        struct key *restriction_key);
/*
 * Presumably loads the kernel's module-signing certificate(s) into
 * @keyring (name-based; confirm).  __init: callable during boot only.
 */
extern __init int load_module_cert(struct key *keyring);
0027 
0028 #else
/*
 * No builtin trusted keyring: there is nothing to chain trust to, so the
 * restriction resolves to restrict_link_reject and every link attempt is
 * refused (fail closed).
 */
#define restrict_link_by_builtin_trusted restrict_link_reject
0030 
/*
 * Fallback when no builtin trusted keyring is configured: nothing to load,
 * so report success without touching @keyring.
 */
static inline __init int load_module_cert(struct key *keyring)
{
    return 0;
}
0035 
0036 #endif
0037 
0038 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
/*
 * Link restriction that, by its name, accepts keys trusted via either the
 * builtin or the secondary trusted keyring (confirm against the definition).
 * Same parameter shape as restrict_link_by_builtin_trusted above.
 */
extern int restrict_link_by_builtin_and_secondary_trusted(
    struct key *keyring,
    const struct key_type *type,
    const union key_payload *payload,
    struct key *restriction_key);
0044 #else
/*
 * No secondary keyring configured: fall back to the builtin-only
 * restriction.  This should only narrow what can be linked, never widen it.
 */
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
0046 #endif
0047 
0048 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
/*
 * Link restriction that, by its name, also honours the machine keyring in
 * addition to the builtin and secondary ones (confirm against the
 * definition).  The parameter names differ from the other restrict_link_*
 * prototypes (@dest_keyring, @restrict_key) but the positions match.
 */
extern int restrict_link_by_builtin_secondary_and_machine(
    struct key *dest_keyring,
    const struct key_type *type,
    const union key_payload *payload,
    struct key *restrict_key);
/*
 * Presumably registers @keyring as the machine keyring consulted by the
 * restriction above (name-based; confirm).  __init: boot time only.
 */
extern void __init set_machine_trusted_keys(struct key *keyring);
0055 #else
/*
 * No machine keyring configured: fall back to the builtin-only restriction
 * (not to the builtin-and-secondary one), i.e. the strictest available.
 */
#define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted
/* No machine keyring to register: deliberately a no-op. */
static inline void __init set_machine_trusted_keys(struct key *keyring)
{
}
0060 #endif
0061 
/*
 * Appears to serve as a file-scope introduction of the struct pkcs7_message
 * tag (no PKCS#7 header is included here), so the prototypes below refer to
 * one shared incomplete type instead of a tag scoped to each parameter list.
 */
extern struct pkcs7_message *pkcs7;
0063 #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
/*
 * Blacklist keyring interface.  @hash is @hash_len bytes, interpreted
 * according to @hash_type; mark_hash_blacklisted() presumably records it and
 * the is_*_blacklisted() queries report whether it is listed (the fallback
 * stubs below return 0, i.e. "not blacklisted").  Note that
 * mark_hash_blacklisted() has no fallback stub in the #else branch, so its
 * callers must themselves be conditional on CONFIG_SYSTEM_BLACKLIST_KEYRING.
 */
extern int mark_hash_blacklisted(const u8 *hash, size_t hash_len,
                   enum blacklist_hash_type hash_type);
extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
                   enum blacklist_hash_type hash_type);
/* Convenience query for BLACKLIST_HASH_BINARY hashes (inferred from the name). */
extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
0069 #else
/*
 * Blacklist keyring not built in: every hash is reported as not blacklisted.
 * This is a fail-open fallback -- the check only has teeth when
 * CONFIG_SYSTEM_BLACKLIST_KEYRING is enabled.
 */
static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
                      enum blacklist_hash_type hash_type)
{
    return 0;
}
0075 
/* Same fail-open fallback as is_hash_blacklisted(): nothing is ever listed. */
static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
{
    return 0;
}
0080 #endif
0081 
0082 #ifdef CONFIG_SYSTEM_REVOCATION_LIST
/*
 * Revocation list interface.  add_key_to_revocation_list() takes an opaque
 * @data/@size blob (format not visible here -- confirm against the
 * definition).  is_key_on_revocation_list() checks the signer(s) of @pkcs7;
 * the fallback stub below returns -ENOKEY, which is therefore the value
 * callers should expect for "not on the list".
 */
extern int add_key_to_revocation_list(const char *data, size_t size);
extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
0085 #else
/*
 * No revocation list configured: reports success without recording
 * anything, so a caller cannot tell from the return value that the entry
 * was dropped.
 */
static inline int add_key_to_revocation_list(const char *data, size_t size)
{
    return 0;
}
/*
 * No revocation list configured: nothing is ever found revoked.  -ENOKEY is
 * the "not on the list" answer, so callers must treat it as the negative
 * result rather than as a failure.
 */
static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
{
    return -ENOKEY;
}
0094 #endif
0095 
0096 #ifdef CONFIG_IMA_BLACKLIST_KEYRING
/* The IMA blacklist keyring; defined elsewhere, only exposed via the getter below. */
extern struct key *ima_blacklist_keyring;
0098 
/*
 * Returns the IMA blacklist keyring.  Whether it can still be NULL at the
 * time of the call (e.g. before it is created) is not visible here, so
 * callers should check the result either way.
 */
static inline struct key *get_ima_blacklist_keyring(void)
{
    return ima_blacklist_keyring;
}
0103 #else
/* No IMA blacklist keyring configured: always NULL, callers must handle it. */
static inline struct key *get_ima_blacklist_keyring(void)
{
    return NULL;
}
0108 #endif /* CONFIG_IMA_BLACKLIST_KEYRING */
0109 
0110 #if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
0111     defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
/*
 * Presumably registers @keyring as the platform keyring (name-based;
 * confirm).  Only available when both the platform keyring and the system
 * trusted keyring are configured; __init: boot time only.
 */
extern void __init set_platform_trusted_keys(struct key *keyring);
0113 #else
/*
 * Fallback no-op.  Unlike the set_machine_trusted_keys() stub this one is
 * not marked __init; harmless for an empty static inline.
 */
static inline void set_platform_trusted_keys(struct key *keyring)
{
}
0117 #endif
0118 
0119 #endif /* _KEYS_SYSTEM_KEYRING_H */