KEYS: Add a system blacklist keyring
authorDavid Howells <dhowells@redhat.com>
Thu, 1 Sep 2016 10:02:41 +0000 (11:02 +0100)
committerDavid Howells <dhowells@redhat.com>
Thu, 1 Sep 2016 10:02:41 +0000 (11:02 +0100)
commit8dada209fda3d8bacf6fc0fdd01fd6cb603de540
tree1ff8886d9141de928fd60ec09d4b72721b195090
parent8ccc7d6bad84bebf1f1a6364d1fa04d3d7b575f6
KEYS: Add a system blacklist keyring

Add the following:

 (1) A new system keyring that is used to store information about
     blacklisted certificates and signatures.

 (2) A new key type (called 'blacklist') that is used to store a
     blacklisted hash in its description as a hex string.  The key accepts
     no payload.

 (3) The ability to configure a list of blacklisted hashes into the kernel
     at build time.  This is done by setting
     CONFIG_SYSTEM_BLACKLIST_HASH_LIST to the filename of a list of hashes
     that are in the form:

"<hash>", "<hash>", ..., "<hash>"

     where each <hash> is a hex string representation of the hash and must
     include all necessary leading zeros to pad the hash to the right size.

The above are enabled with CONFIG_SYSTEM_BLACKLIST_KEYRING.

Once the kernel is booted, the blacklist keyring can be listed:

root@andromeda ~]# keyctl show %:.blacklist
Keyring
 723359729 ---lswrv      0     0  keyring: .blacklist
 676257228 ---lswrv      0     0   \_ blacklist: 123412341234c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46

The blacklist cannot currently be modified by userspace, but it will be
possible to load it, for example, from the UEFI blacklist database.

A later commit will make it possible to load blacklisted asymmetric keys in
here too.

Signed-off-by: David Howells <dhowells@redhat.com>
certs/Kconfig
certs/Makefile
certs/blacklist.c [new file with mode: 0644]
certs/blacklist.h [new file with mode: 0644]
certs/blacklist_hashes.c [new file with mode: 0644]
certs/blacklist_nohashes.c [new file with mode: 0644]
include/keys/system_keyring.h
This page took 0.0395 seconds and 5 git commands to generate.