/* SPDX-License-Identifier: GPL-2.0-or-later */
/* System keyring containing trusted public keys.
 *
 * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 *
 * This header groups the kernel-wide key-trust interfaces: the link
 * restrictions for the builtin, secondary, machine and platform trusted
 * keyrings, the hash blacklist and revocation-list queries, and the IMA
 * blacklist keyring accessor.  Each group is guarded by its CONFIG_ option;
 * when the option is off the header supplies a macro alias or a static
 * inline stub so that callers compile unconditionally.  Note that the stubs
 * are the "feature compiled out" behaviour, not a neutral default: the
 * restriction aliases and return values below decide whether keys can be
 * linked and whether anything is ever reported as blacklisted/revoked.
 */

#ifndef _KEYS_SYSTEM_KEYRING_H
#define _KEYS_SYSTEM_KEYRING_H

#include <linux/key.h>

/*
 * Identifies what a blacklist hash was computed over, so that a TBS
 * certificate hash and a raw-binary hash of the same bytes are not confused.
 */
enum blacklist_hash_type {
	/* TBSCertificate hash */
	BLACKLIST_HASH_X509_TBS = 1,
	/* Raw data hash */
	BLACKLIST_HASH_BINARY = 2,
};

#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING

/*
 * Keyring link restrictions checked against the builtin trusted keyring.
 * The (keyring, type, payload, restriction_key) signature is the keyring
 * restriction callback shape used by <linux/key.h>.
 */
extern int restrict_link_by_builtin_trusted(struct key *keyring,
					    const struct key_type *type,
					    const union key_payload *payload,
					    struct key *restriction_key);
int restrict_link_by_digsig_builtin(struct key *dest_keyring,
				    const struct key_type *type,
				    const union key_payload *payload,
				    struct key *restriction_key);
/* Loads the module-signing certificate(s) into @keyring at boot. */
extern __init int load_module_cert(struct key *keyring);

#else
/*
 * No trusted keyring to validate against: both restrictions alias
 * restrict_link_reject (from <linux/key.h>), so linking is always refused.
 */
#define restrict_link_by_builtin_trusted restrict_link_reject
#define restrict_link_by_digsig_builtin restrict_link_reject

/* Nothing to load; reports success so boot-time callers need no #ifdef. */
static inline __init int load_module_cert(struct key *keyring)
{
	return 0;
}

#endif

#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
/*
 * As above, but a key is accepted if it validates against either the
 * builtin or the secondary trusted keyring.
 */
extern int restrict_link_by_builtin_and_secondary_trusted(
	struct key *keyring,
	const struct key_type *type,
	const union key_payload *payload,
	struct key *restriction_key);
int restrict_link_by_digsig_builtin_and_secondary(struct key *keyring,
						  const struct key_type *type,
						  const union key_payload *payload,
						  struct key *restriction_key);
/*
 * Adds @len bytes of key material at @data to the secondary keyring;
 * @source is presumably a label for log messages — confirm against the
 * definition.
 */
void __init add_to_secondary_keyring(const char *source, const void *data, size_t len);
#else
/*
 * Without a secondary keyring the "builtin and secondary" restrictions
 * degrade to the builtin-only ones, and adding to the secondary keyring is
 * a silent no-op.
 */
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
#define restrict_link_by_digsig_builtin_and_secondary restrict_link_by_digsig_builtin
static inline void __init add_to_secondary_keyring(const char *source, const void *data, size_t len)
{
}
#endif

#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
/* Accepts keys validated by the builtin, secondary or machine keyring. */
extern
int restrict_link_by_builtin_secondary_and_machine(
	struct key *dest_keyring,
	const struct key_type *type,
	const union key_payload *payload,
	struct key *restrict_key);
/* Registers @keyring as the machine keyring for the restriction above. */
extern void __init set_machine_trusted_keys(struct key *keyring);
#else
/*
 * NOTE(review): with the machine keyring compiled out this aliases the
 * builtin-only restriction rather than
 * restrict_link_by_builtin_and_secondary_trusted, so the secondary keyring
 * is not consulted by callers using this name — confirm that is intended.
 */
#define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted
static inline void __init set_machine_trusted_keys(struct key *keyring)
{
}
#endif

/*
 * NOTE(review): declares a global pointer named "pkcs7".  Within this header
 * it only serves to make struct pkcs7_message known to the prototypes
 * below; confirm nothing actually defines or uses such a global.
 */
extern struct pkcs7_message *pkcs7;
#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
/* Records @hash (of @hash_type, @hash_len bytes) as blacklisted. */
extern int mark_hash_blacklisted(const u8 *hash, size_t hash_len,
				 enum blacklist_hash_type hash_type);
/* Queries whether @hash of the given type is on the blacklist. */
extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
			       enum blacklist_hash_type hash_type);
/* Queries whether a raw-binary hash is on the blacklist. */
extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
#else
/*
 * With the blacklist keyring compiled out the queries return 0, i.e. nothing
 * is ever reported as blacklisted.  mark_hash_blacklisted() has no stub, so
 * callers of it must themselves be conditional on the CONFIG option.
 */
static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
				      enum blacklist_hash_type hash_type)
{
	return 0;
}

static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
{
	return 0;
}
#endif

#ifdef CONFIG_SYSTEM_REVOCATION_LIST
/* Adds @size bytes of certificate data at @data to the revocation list. */
extern int add_key_to_revocation_list(const char *data, size_t size);
/* Checks the signer of @pkcs7 against the revocation list. */
extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
#else
/* Adding to a non-existent list reports success. */
static inline int add_key_to_revocation_list(const char *data, size_t size)
{
	return 0;
}
/*
 * Returns -ENOKEY rather than 0: presumably the "not on the list" result
 * callers test for — confirm against the real implementation before relying
 * on a 0 return meaning "not revoked".
 */
static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
{
	return -ENOKEY;
}
#endif

#ifdef CONFIG_IMA_BLACKLIST_KEYRING
/* Global IMA blacklist keyring, defined elsewhere. */
extern struct key *ima_blacklist_keyring;

/* Accessor for the IMA blacklist keyring. */
static inline struct key *get_ima_blacklist_keyring(void)
{
	return ima_blacklist_keyring;
}
#else
/* No IMA blacklist keyring: callers must handle NULL. */
static inline struct key *get_ima_blacklist_keyring(void)
{
	return NULL;
}
#endif /* CONFIG_IMA_BLACKLIST_KEYRING */

/*
 * The platform keyring is only wired to the trust chain when both the
 * platform keyring and the system trusted keyring are configured.
 */
#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
	defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
extern void __init set_platform_trusted_keys(struct key *keyring);
#else
static inline
void set_platform_trusted_keys(struct key *keyring)
{
}
#endif

#endif /* _KEYS_SYSTEM_KEYRING_H */