/* SPDX-License-Identifier: GPL-2.0-or-later */
/* System keyring containing trusted public keys.
 *
 * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 */

#ifndef _KEYS_SYSTEM_KEYRING_H
#define _KEYS_SYSTEM_KEYRING_H

/*
 * This header only includes <linux/key.h> directly; the u8, size_t, NULL and
 * ENOKEY names used below are assumed to arrive transitively through it.
 *
 * Every facility here is conditional on a CONFIG_ option.  When the option is
 * off, a stub or macro alias is supplied so that callers still compile; read
 * the stubs carefully, because each one fixes what the *absence* of a check
 * means (the link restrictions fail closed, the blacklist/revocation lookups
 * report "nothing found").
 */

#include <linux/key.h>

#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING

/*
 * Key-link restriction for the builtin trusted keyring.  The signature
 * matches key_restrict_link_func_t in <linux/key.h>, so it can be installed
 * as a keyring's link restriction.
 */
extern int restrict_link_by_builtin_trusted(struct key *keyring,
					    const struct key_type *type,
					    const union key_payload *payload,
					    struct key *restriction_key);
/* Load the module-signing certificate(s) into @keyring; boot-time only. */
extern __init int load_module_cert(struct key *keyring);

#else
/*
 * Without a builtin trusted keyring there is nothing to check a candidate
 * key against, so the restriction collapses to restrict_link_reject() from
 * <linux/key.h>: every link attempt is refused (fail closed).
 */
#define restrict_link_by_builtin_trusted restrict_link_reject

/* No module certificate to load; 0 reports success with nothing done. */
static inline __init int load_module_cert(struct key *keyring)
{
	return 0;
}

#endif

#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
/*
 * Link restriction that accepts keys vouched for by either the builtin or
 * the secondary trusted keyring.
 */
extern int restrict_link_by_builtin_and_secondary_trusted(
	struct key *keyring,
	const struct key_type *type,
	const union key_payload *payload,
	struct key *restriction_key);
#else
/*
 * No secondary keyring: fall back to the builtin-only restriction (which is
 * itself restrict_link_reject when CONFIG_SYSTEM_TRUSTED_KEYRING is off).
 */
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
#endif

#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
/*
 * Link restriction extended once more, to the machine keyring.  Note the
 * parameter names differ from the two restrictions above (@dest_keyring,
 * @restrict_key); the types and order are the same.
 */
extern int restrict_link_by_builtin_secondary_and_machine(
	struct key *dest_keyring,
	const struct key_type *type,
	const union key_payload *payload,
	struct key *restrict_key);
/* Record @keyring as the machine keyring; boot-time only. */
extern void __init set_machine_trusted_keys(struct key *keyring);
#else
/* No machine keyring: again narrow to the builtin-only restriction. */
#define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted
/* Nothing to record when the machine keyring is not configured. */
static inline void __init set_machine_trusted_keys(struct key *keyring)
{
}
#endif

/*
 * Besides declaring the object, this line introduces the struct pkcs7_message
 * tag at file scope, so the prototypes further down can name it without a
 * separate forward declaration.
 */
extern struct pkcs7_message *pkcs7;
#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
/*
 * Blacklist keyring interface.  mark_hash_blacklisted() has NO stub in the
 * #else branch, so any caller of it must itself be compiled only under
 * CONFIG_SYSTEM_BLACKLIST_KEYRING.
 */
extern int mark_hash_blacklisted(const char *hash);
extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
			       const char *type);
extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
#else
/*
 * No blacklist keyring: both lookups return 0 unconditionally, i.e. the
 * caller gets the same answer as for a hash that is not on the list.  The
 * check is absent in this configuration, not failing.
 * NOTE(review): confirm against the real implementations that 0 is indeed
 * the "not blacklisted" result before relying on this in new callers.
 */
static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
				      const char *type)
{
	return 0;
}

static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
{
	return 0;
}
#endif

#ifdef CONFIG_SYSTEM_REVOCATION_LIST
/* Add a certificate (@data, @size bytes) to the revocation list. */
extern int add_key_to_revocation_list(const char *data, size_t size);
/* Check whether the signer of @pkcs7 appears on the revocation list. */
extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
#else
/* No revocation list to add to; 0 reports success with nothing done. */
static inline int add_key_to_revocation_list(const char *data, size_t size)
{
	return 0;
}
/*
 * Unlike the blacklist stubs above, the "nothing found" result here is
 * -ENOKEY rather than 0, so callers must not treat the two interfaces
 * interchangeably.
 * NOTE(review): presumably -ENOKEY means "not on the list" — verify against
 * the real implementation's return convention.
 */
static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
{
	return -ENOKEY;
}
#endif

#ifdef CONFIG_IMA_BLACKLIST_KEYRING
/* Global keyring object; exposed only through the accessor below. */
extern struct key *ima_blacklist_keyring;

/* Return the IMA blacklist keyring (may be NULL until it is created). */
static inline struct key *get_ima_blacklist_keyring(void)
{
	return ima_blacklist_keyring;
}
#else
/* Not configured: there is never an IMA blacklist keyring. */
static inline struct key *get_ima_blacklist_keyring(void)
{
	return NULL;
}
#endif /* CONFIG_IMA_BLACKLIST_KEYRING */

#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
	defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
/* Record @keyring as the platform keyring; boot-time only. */
extern void __init set_platform_trusted_keys(struct key *keyring);
#else
/*
 * No-op when either option is missing.
 * NOTE(review): unlike set_machine_trusted_keys(), this stub is not marked
 * __init, although the real declaration is.
 */
static inline void set_platform_trusted_keys(struct key *keyring)
{
}
#endif

#endif /* _KEYS_SYSTEM_KEYRING_H */