/* SPDX-License-Identifier: GPL-2.0-or-later */
/* System keyring containing trusted public keys.
 *
 * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 *
 * Every interface below comes in two forms: the real prototype when the
 * matching CONFIG_* option is set, and a fallback (a macro alias or a
 * static inline stub) when it is not.  The fallbacks encode the
 * "feature absent" policy, so what each one returns is spelled out here;
 * a stub's return value is never evidence that a check was performed.
 */

#ifndef _KEYS_SYSTEM_KEYRING_H
#define _KEYS_SYSTEM_KEYRING_H

#include <linux/key.h>

/*
 * Which input a blacklist hash was computed over.  The constants carry
 * explicit values and are passed across the mark_hash_blacklisted() /
 * is_hash_blacklisted() interface below, so treat them as fixed rather
 * than renumbering.
 */
enum blacklist_hash_type {
	/* TBSCertificate hash */
	BLACKLIST_HASH_X509_TBS = 1,
	/* Raw data hash */
	BLACKLIST_HASH_BINARY = 2,
};

#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING

/*
 * Keyring link restrictions (key_restrict_link_func_t shape from
 * <linux/key.h>): given the type and payload of a key about to be linked
 * plus an optional restriction key, a non-zero return refuses the link.
 * The *_digsig_* variant presumably requires the new key to be vouched
 * for by a signature from an already-trusted key -- confirm against the
 * implementation before relying on that distinction.
 */
extern int restrict_link_by_builtin_trusted(struct key *keyring,
					    const struct key_type *type,
					    const union key_payload *payload,
					    struct key *restriction_key);
int restrict_link_by_digsig_builtin(struct key *dest_keyring,
				    const struct key_type *type,
				    const union key_payload *payload,
				    struct key *restriction_key);
/* __init: only callable during boot, before init memory is discarded. */
extern __init int load_module_cert(struct key *keyring);

#else
/*
 * Without a system trusted keyring there is nothing to validate against,
 * so both restrictions collapse to restrict_link_reject and no key can be
 * linked under them.
 */
#define restrict_link_by_builtin_trusted restrict_link_reject
#define restrict_link_by_digsig_builtin restrict_link_reject

/* No keyring to load into: do nothing and report 0. */
static inline __init int load_module_cert(struct key *keyring)
{
	return 0;
}

#endif

#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
extern int restrict_link_by_builtin_and_secondary_trusted(
	struct key *keyring,
	const struct key_type *type,
	const union key_payload *payload,
	struct key *restriction_key);
int restrict_link_by_digsig_builtin_and_secondary(struct key *keyring,
						  const struct key_type *type,
						  const union key_payload *payload,
						  struct key *restriction_key);
#else
/*
 * Without a secondary keyring the "builtin and secondary" restrictions
 * degrade to their builtin-only counterparts -- which are themselves
 * restrict_link_reject when CONFIG_SYSTEM_TRUSTED_KEYRING is also off.
 */
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
#define restrict_link_by_digsig_builtin_and_secondary restrict_link_by_digsig_builtin
#endif

#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
extern int restrict_link_by_builtin_secondary_and_machine(
	struct key *dest_keyring,
	const struct key_type *type,
	const union key_payload *payload,
	struct key *restrict_key);
extern void __init set_machine_trusted_keys(struct key *keyring);
#else
/*
 * Without a machine keyring this aliases the builtin-only restriction, not
 * restrict_link_by_builtin_and_secondary_trusted, so the secondary keyring
 * drops out of this particular check in that configuration.
 * NOTE(review): confirm that narrowing is intended.
 */
#define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted
/* Nothing to record without a machine keyring. */
static inline void __init set_machine_trusted_keys(struct key *keyring)
{
}
#endif

/*
 * Introduces the pkcs7_message struct tag for the prototypes below; no
 * definition of this variable appears in this header.
 * NOTE(review): a plain forward declaration `struct pkcs7_message;` would
 * introduce the tag without declaring an object.
 */
extern struct pkcs7_message *pkcs7;
#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
/*
 * @hash is a buffer of @hash_len raw digest bytes (not a hex string) and
 * @hash_type records what the digest was computed over.
 * mark_hash_blacklisted() has no !CONFIG stub, so its callers must
 * themselves be compiled only when the blacklist keyring exists.
 */
extern int mark_hash_blacklisted(const u8 *hash, size_t hash_len,
				 enum blacklist_hash_type hash_type);
extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
			       enum blacklist_hash_type hash_type);
/* Convenience form of is_hash_blacklisted() for BLACKLIST_HASH_BINARY -- presumed; confirm. */
extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
#else
/*
 * Blacklist keyring disabled: every lookup answers 0 ("not blacklisted"),
 * so nothing is ever refused on blacklist grounds in this configuration.
 */
static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
				      enum blacklist_hash_type hash_type)
{
	return 0;
}

static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
{
	return 0;
}
#endif

#ifdef CONFIG_SYSTEM_REVOCATION_LIST
/*
 * @data/@size: @size bytes describing the key to revoke; the expected
 * encoding is checked by the implementation, not here -- presumably a
 * DER certificate, confirm before calling.
 */
extern int add_key_to_revocation_list(const char *data, size_t size);
extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
#else
/* Revocation list disabled: adding to it is a silent no-op reporting 0 ... */
static inline int add_key_to_revocation_list(const char *data, size_t size)
{
	return 0;
}
/*
 * ... and -ENOKEY is the "not on the list" answer, so no signer is ever
 * treated as revoked in this configuration.
 */
static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
{
	return -ENOKEY;
}
#endif

#ifdef CONFIG_IMA_BLACKLIST_KEYRING
/* Defined elsewhere; exposed only through the accessor below. */
extern struct key *ima_blacklist_keyring;

static inline struct key *get_ima_blacklist_keyring(void)
{
	return ima_blacklist_keyring;
}
#else
/* No IMA blacklist keyring is built: callers receive NULL and must check for it. */
static inline struct key *get_ima_blacklist_keyring(void)
{
	return NULL;
}
#endif /* CONFIG_IMA_BLACKLIST_KEYRING */

#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
    defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
extern void __init set_platform_trusted_keys(struct key *keyring);
#else
/*
 * Both options must be set for the real set_platform_trusted_keys() to
 * exist; otherwise this is a no-op.  Unlike the set_machine_trusted_keys()
 * stub above, this one is not marked __init -- harmless for an empty
 * inline, but inconsistent.
 */
static inline void set_platform_trusted_keys(struct key *keyring)
{
}
#endif

#endif /* _KEYS_SYSTEM_KEYRING_H */