/* SPDX-License-Identifier: GPL-2.0-or-later */
/* System keyring containing trusted public keys.
 *
 * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 *
 * This header exposes the link restrictions and lookup helpers for the
 * system keyrings (builtin, secondary, machine, platform, blacklist,
 * revocation list, IMA blacklist).  Each feature is guarded by a CONFIG_
 * option; when the option is off a stub or macro alias is provided so
 * that callers compile unchanged.  Reviewers should read the fallbacks
 * carefully: the restriction fallbacks fail CLOSED (link attempts are
 * rejected), whereas the blacklist/revocation fallbacks report "not
 * found" (nothing is ever treated as blacklisted or revoked).
 */

#ifndef _KEYS_SYSTEM_KEYRING_H
#define _KEYS_SYSTEM_KEYRING_H

#include <linux/key.h>

/*
 * Which kind of hash a blacklist entry or lookup refers to.  The numeric
 * values are part of the interface (they start at 1, so 0 is never a
 * valid type); keep them stable.
 */
enum blacklist_hash_type {
	/* TBSCertificate hash */
	BLACKLIST_HASH_X509_TBS = 1,
	/* Raw data hash */
	BLACKLIST_HASH_BINARY = 2,
};

#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING

/*
 * Keyring link restriction: only allow a key to be linked if it is
 * vouched for by the builtin trusted keyring.  Signature matches the
 * key_restrict_link_func_t convention (keyring, type, payload,
 * restriction key).
 */
extern int restrict_link_by_builtin_trusted(struct key *keyring,
					    const struct key_type *type,
					    const union key_payload *payload,
					    struct key *restriction_key);
/* Load the module-signing certificate(s) into @keyring at boot. */
extern __init int load_module_cert(struct key *keyring);

#else
/*
 * No builtin trusted keyring configured: alias the restriction onto
 * restrict_link_reject so every link attempt through it is refused
 * (fail closed) rather than silently permitted.
 */
#define restrict_link_by_builtin_trusted restrict_link_reject

/* Nothing to load; report success so boot continues. */
static inline __init int load_module_cert(struct key *keyring)
{
	return 0;
}

#endif

#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
/*
 * Restriction accepting keys vouched for by either the builtin or the
 * secondary trusted keyring.
 */
extern int restrict_link_by_builtin_and_secondary_trusted(
	struct key *keyring,
	const struct key_type *type,
	const union key_payload *payload,
	struct key *restriction_key);
#else
/*
 * Without a secondary keyring this is exactly the builtin-only check.
 * Note the chain: if CONFIG_SYSTEM_TRUSTED_KEYRING is also off, this
 * resolves all the way down to restrict_link_reject.
 */
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
#endif

#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
/*
 * Restriction accepting keys vouched for by the builtin, secondary or
 * machine keyring.
 */
extern int restrict_link_by_builtin_secondary_and_machine(
	struct key *dest_keyring,
	const struct key_type *type,
	const union key_payload *payload,
	struct key *restrict_key);
/* Record @keyring as the machine keyring for the restriction above. */
extern void __init set_machine_trusted_keys(struct key *keyring);
#else
/*
 * NOTE(review): the fallback here is the builtin-ONLY restriction, not
 * restrict_link_by_builtin_and_secondary_trusted.  With the machine
 * keyring disabled, keys that are only in the secondary keyring will
 * therefore be rejected by this restriction.  That is the stricter
 * direction, so not a bypass, but confirm against callers that this
 * narrowing is intended.
 */
#define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted
static inline void __init set_machine_trusted_keys(struct key *keyring)
{
}
#endif

/*
 * Brings the struct pkcs7_message tag into scope for the prototypes
 * below; no definition of this object is visible in this header.
 */
extern struct pkcs7_message *pkcs7;
#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
/*
 * Add a hash of the given type to the blacklist keyring.  @hash is raw
 * bytes of length @hash_len (not a hex string).
 */
extern int mark_hash_blacklisted(const u8 *hash, size_t hash_len,
				 enum blacklist_hash_type hash_type);
/*
 * Look up a hash in the blacklist keyring.  A zero return means "not
 * blacklisted" (see the stubs below); the non-zero value used when the
 * hash is found is defined by the implementation, not here.
 */
extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
			       enum blacklist_hash_type hash_type);
/* Convenience wrapper for BLACKLIST_HASH_BINARY lookups. */
extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
#else
/*
 * No blacklist keyring: nothing is ever reported as blacklisted.  This
 * is "fail open" by design because the feature is absent; callers that
 * require a blacklist must depend on CONFIG_SYSTEM_BLACKLIST_KEYRING.
 */
static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
				      enum blacklist_hash_type hash_type)
{
	return 0;
}

static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
{
	return 0;
}
#endif

#ifdef CONFIG_SYSTEM_REVOCATION_LIST
/* Parse @size bytes of certificate data at @data onto the revocation list. */
extern int add_key_to_revocation_list(const char *data, size_t size);
/*
 * Check whether the signer of @pkcs7 is on the revocation list.  When
 * the list is not configured the stub returns -ENOKEY ("no such key"),
 * so callers must treat -ENOKEY as "not revoked" rather than as an
 * error that aborts verification.
 */
extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
#else
/* Nothing to add; report success. */
static inline int add_key_to_revocation_list(const char *data, size_t size)
{
	return 0;
}
/* No revocation list: the key is never found on it. */
static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
{
	return -ENOKEY;
}
#endif

#ifdef CONFIG_IMA_BLACKLIST_KEYRING
/* Defined by the IMA code; populated at init. */
extern struct key *ima_blacklist_keyring;

/*
 * Return the IMA blacklist keyring.  May be NULL if called before it is
 * set up, and is always NULL when the option is off, so callers must
 * NULL-check the result.
 */
static inline struct key *get_ima_blacklist_keyring(void)
{
	return ima_blacklist_keyring;
}
#else
static inline struct key *get_ima_blacklist_keyring(void)
{
	return NULL;
}
#endif /* CONFIG_IMA_BLACKLIST_KEYRING */

#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
	defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
/*
 * Record @keyring as the platform keyring.  Only meaningful when both
 * the platform keyring and the system trusted keyring exist.
 */
extern void __init set_platform_trusted_keys(struct key *keyring);
#else
/* Stub (note: unlike the real declaration, not marked __init). */
static inline void set_platform_trusted_keys(struct key *keyring)
{
}
#endif

#endif /* _KEYS_SYSTEM_KEYRING_H */