KEYS: Add a system blacklist keyring
Add the following:

(1) A new system keyring that is used to store information about blacklisted certificates and signatures.

(2) A new key type (called 'blacklist') that is used to store a blacklisted hash in its description as a hex string. The key accepts no payload.

(3) The ability to configure a list of blacklisted hashes into the kernel at build time. This is done by setting CONFIG_SYSTEM_BLACKLIST_HASH_LIST to the filename of a list of hashes that are in the form:

    "<hash>", "<hash>", ..., "<hash>"

where each <hash> is a hex string representation of the hash and must include all necessary leading zeros to pad the hash to the right size.

The above are enabled with CONFIG_SYSTEM_BLACKLIST_KEYRING.

Once the kernel is booted, the blacklist keyring can be listed:

    [root@andromeda ~]# keyctl show %:.blacklist
    Keyring
     723359729 ---lswrv      0     0  keyring: .blacklist
     676257228 ---lswrv      0     0   \_ blackli...
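A small helper for writing and checking a CONFIG_SYSTEM_BLACKLIST_HASH_LIST file in the form the commit message describes, added here as an example and not code from this commit; the SHA-256 digest width (64 hex digits) is an assumption, since the message only requires the string to be zero-padded to the full digest size.

```python
import re

# Form used by CONFIG_SYSTEM_BLACKLIST_HASH_LIST: one quoted hex hash per
# entry, entries separated by commas.  Digest width is an assumption here
# (SHA-256 => 64 hex digits); the commit only requires full zero-padding.
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def normalise_hash(hexstr, digest_bits=256):
    """Validate one hash and return it as a lowercase, zero-padded hex string."""
    width = digest_bits // 4
    if not _HEX_RE.match(hexstr):
        raise ValueError("not a hex string: %r" % hexstr)
    if len(hexstr) > width:
        raise ValueError("hash longer than %d hex digits: %r" % (width, hexstr))
    return hexstr.lower().zfill(width)

def format_hash_list(hashes, digest_bits=256):
    """Build the file contents: "<hash>", "<hash>", ..., "<hash>" (sorted, deduplicated)."""
    entries = sorted({normalise_hash(h, digest_bits) for h in hashes})
    return ",\n".join('"%s"' % h for h in entries) + "\n"

def parse_hash_list(text, digest_bits=256):
    """Read a hash-list file back, rejecting unquoted, non-hex or mis-sized entries."""
    width = digest_bits // 4
    body = text.strip()
    if not body:
        return []
    out = []
    for item in body.split(","):
        item = item.strip()
        if len(item) < 2 or item[0] != '"' or item[-1] != '"':
            raise ValueError("entry is not a quoted string: %r" % item)
        h = item[1:-1]
        if len(h) != width or not _HEX_RE.match(h):
            raise ValueError("entry is not a %d-digit hex hash: %r" % (width, h))
        out.append(h.lower())
    return out

# Constructed sample input: one hash with its leading zeros dropped and one in
# upper case, as they might come out of a tool that prints digests.
SAMPLE_HASHES = [
    "ab" * 32,
    "1" * 60,   # 60 digits: needs 4 leading zeros to reach 64
    "CD" * 32,
]

if __name__ == "__main__":
    print(format_hash_list(SAMPLE_HASHES), end="")
```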
Showing 7 changed files:

- certs/Kconfig (18 additions, 0 deletions)
- certs/Makefile (6 additions, 0 deletions)
- certs/blacklist.c (174 additions, 0 deletions)
- certs/blacklist.h (3 additions, 0 deletions)
- certs/blacklist_hashes.c (6 additions, 0 deletions)
- certs/blacklist_nohashes.c (5 additions, 0 deletions)
- include/keys/system_keyring.h (12 additions, 0 deletions)