diff options
author | David Howells <dhowells@redhat.com> | 2017-04-03 16:07:24 +0100 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2017-04-03 16:07:24 +0100 |
commit | 734114f8782f6c3398762f2353fe9101d87b6d06 (patch) | |
tree | e16e165dc33f7d1becfcb1f5d79c90e0e3c4e248 /certs/Kconfig | |
parent | ddb99e118e37f324a4be65a411bb60ae62795cf9 (diff) | |
download | op-kernel-dev-734114f8782f6c3398762f2353fe9101d87b6d06.zip op-kernel-dev-734114f8782f6c3398762f2353fe9101d87b6d06.tar.gz |
KEYS: Add a system blacklist keyring
Add the following:
(1) A new system keyring that is used to store information about
blacklisted certificates and signatures.
(2) A new key type (called 'blacklist') that is used to store a
blacklisted hash in its description as a hex string. The key accepts
no payload.
(3) The ability to configure a list of blacklisted hashes into the kernel
at build time. This is done by setting
CONFIG_SYSTEM_BLACKLIST_HASH_LIST to the filename of a list of hashes
that are in the form:
"<hash>", "<hash>", ..., "<hash>"
where each <hash> is a hex string representation of the hash and must
include all necessary leading zeros to pad the hash to the right size.
The above are enabled with CONFIG_SYSTEM_BLACKLIST_KEYRING.
Once the kernel is booted, the blacklist keyring can be listed:
root@andromeda ~]# keyctl show %:.blacklist
Keyring
723359729 ---lswrv 0 0 keyring: .blacklist
676257228 ---lswrv 0 0 \_ blacklist: 123412341234c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46
The blacklist cannot currently be modified by userspace, but it will be
possible to load it, for example, from the UEFI blacklist database.
A later commit will make it possible to load blacklisted asymmetric keys in
here too.
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'certs/Kconfig')
-rw-r--r-- | certs/Kconfig | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/certs/Kconfig b/certs/Kconfig index fc5955f..6ce51ed 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -64,4 +64,22 @@ config SECONDARY_TRUSTED_KEYRING those keys are not blacklisted and are vouched for by a key built into the kernel or already in the secondary trusted keyring. +config SYSTEM_BLACKLIST_KEYRING + bool "Provide system-wide ring of blacklisted keys" + depends on KEYS + help + Provide a system keyring to which blacklisted keys can be added. + Keys in the keyring are considered entirely untrusted. Keys in this + keyring are used by the module signature checking to reject loading + of modules signed with a blacklisted key. + +config SYSTEM_BLACKLIST_HASH_LIST + string "Hashes to be preloaded into the system blacklist keyring" + depends on SYSTEM_BLACKLIST_KEYRING + help + If set, this option should be the filename of a list of hashes in the + form "<hash>", "<hash>", ... . This will be included into a C + wrapper to incorporate the list into the kernel. Each <hash> should + be a string of hex digits. + endmenu |