From cfc411e7fff3e15cd6354ff69773907e2c9d1c0c Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 14 Aug 2015 15:20:41 +0100
Subject: Move certificate handling to its own directory

Move certificate handling out of the kernel/ directory and into a certs/
directory to get all the weird stuff in one place and move the generated
signing keys into this directory.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
---
 init/Kconfig | 39 ---------------------------------------
 1 file changed, 39 deletions(-)

(limited to 'init/Kconfig')

diff --git a/init/Kconfig b/init/Kconfig
index 5d1a703..5526dfa 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1740,31 +1740,6 @@ config MMAP_ALLOW_UNINITIALIZED
 
 	  See Documentation/nommu-mmap.txt for more information.
 
-config SYSTEM_TRUSTED_KEYRING
-	bool "Provide system-wide ring of trusted keys"
-	depends on KEYS
-	help
-	  Provide a system keyring to which trusted keys can be added.  Keys in
-	  the keyring are considered to be trusted.  Keys may be added at will
-	  by the kernel from compiled-in data and from hardware key stores, but
-	  userspace may only add extra keys if those keys can be verified by
-	  keys already in the keyring.
-
-	  Keys in this keyring are used by module signature checking.
-
-config SYSTEM_TRUSTED_KEYS
-	string "Additional X.509 keys for default system keyring"
-	depends on SYSTEM_TRUSTED_KEYRING
-	help
-	  If set, this option should be the filename of a PEM-formatted file
-	  containing trusted X.509 certificates to be included in the default
-	  system keyring. Any certificate used for module signing is implicitly
-	  also trusted.
-
-	  NOTE: If you previously provided keys for the system keyring in the
-	  form of DER-encoded *.x509 files in the top-level build directory,
-	  those are no longer used. You will need to set this option instead.
-
 config SYSTEM_DATA_VERIFICATION
 	def_bool n
 	select SYSTEM_TRUSTED_KEYRING
@@ -1965,20 +1940,6 @@ config MODULE_SIG_HASH
 	default "sha384" if MODULE_SIG_SHA384
 	default "sha512" if MODULE_SIG_SHA512
 
-config MODULE_SIG_KEY
-	string "File name or PKCS#11 URI of module signing key"
-	default "signing_key.pem"
-	depends on MODULE_SIG
-	help
-         Provide the file name of a private key/certificate in PEM format,
-         or a PKCS#11 URI according to RFC7512. The file should contain, or
-         the URI should identify, both the certificate and its corresponding
-         private key.
-
-         If this option is unchanged from its default "signing_key.pem",
-         then the kernel will automatically generate the private key and
-         certificate as described in Documentation/module-signing.txt
-
 config MODULE_COMPRESS
 	bool "Compress modules on installation"
 	depends on MODULES
-- 
cgit v1.1