|author||David Howells <email@example.com>||2016-04-06 16:14:27 +0100|
|committer||David Howells <firstname.lastname@example.org>||2016-04-11 22:48:09 +0100|
certs: Add a secondary system keyring that can be added to dynamically
Add a secondary system keyring that can be added to by root whilst the system is running - provided the key being added is vouched for by a key built into the kernel or already added to the secondary keyring. Rename .system_keyring to .builtin_trusted_keys to distinguish it more obviously from the new keyring (called .secondary_trusted_keys). The new keyring needs to be enabled with CONFIG_SECONDARY_TRUSTED_KEYRING. If the secondary keyring is enabled, a link is created from that to .builtin_trusted_keys so that the the latter will automatically be searched too if the secondary keyring is searched. Signed-off-by: David Howells <email@example.com>
Diffstat (limited to 'certs/Kconfig')
1 files changed, 8 insertions, 0 deletions
diff --git a/certs/Kconfig b/certs/Kconfig
index 743d480f5f6f..fc5955f5fc8a 100644
@@ -56,4 +56,12 @@ config SYSTEM_EXTRA_CERTIFICATE_SIZE
This is the number of bytes reserved in the kernel image for a
certificate to be inserted.
+ bool "Provide a keyring to which extra trustable keys may be added"
+ depends on SYSTEM_TRUSTED_KEYRING
+ If set, provide a keyring to which extra keys may be added, provided
+ those keys are not blacklisted and are vouched for by a key built
+ into the kernel or already in the secondary trusted keyring.