linux/include/keys
David Howells 734114f878 KEYS: Add a system blacklist keyring
Add the following:

 (1) A new system keyring that is used to store information about
     blacklisted certificates and signatures.

 (2) A new key type (called 'blacklist') that is used to store a
     blacklisted hash in its description as a hex string.  The key accepts
     no payload.

 (3) The ability to configure a list of blacklisted hashes into the kernel
     at build time.  This is done by setting
     CONFIG_SYSTEM_BLACKLIST_HASH_LIST to the filename of a list of hashes
     that are in the form:

	"<hash>", "<hash>", ..., "<hash>"

     where each <hash> is a hex string representation of the hash and must
     include all necessary leading zeros to pad the hash to the right size.

The above are enabled with CONFIG_SYSTEM_BLACKLIST_KEYRING.

Once the kernel is booted, the blacklist keyring can be listed:

	root@andromeda ~]# keyctl show %:.blacklist
	Keyring
	 723359729 ---lswrv      0     0  keyring: .blacklist
	 676257228 ---lswrv      0     0   \_ blacklist: 123412341234c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46

The blacklist cannot currently be modified by userspace, but it will be
possible to load it, for example, from the UEFI blacklist database.

A later commit will make it possible to load blacklisted asymmetric keys in
here too.

Signed-off-by: David Howells <dhowells@redhat.com>
2017-04-03 16:07:24 +01:00
..
asymmetric-parser.h KEYS: Asymmetric key pluggable data parsers 2012-10-08 13:50:13 +10:30
asymmetric-subtype.h KEYS: Allow authentication data to be stored in an asymmetric key 2016-04-06 16:13:33 +01:00
asymmetric-type.h KEYS: Generalise x509_request_asymmetric_key() 2016-04-11 22:41:56 +01:00
big_key-type.h KEYS: big_key: Use key preparsing 2014-07-22 21:46:47 +01:00
ceph-type.h libceph: Create a new key type "ceph". 2011-03-29 12:11:24 -07:00
dns_resolver-type.h DNS: Separate out CIFS DNS Resolver code 2010-08-05 17:17:51 +00:00
encrypted-type.h encrypted-keys: add key format support 2011-06-27 09:10:45 -04:00
keyring-type.h KEYS: Expand the capacity of a keyring 2013-09-24 10:35:18 +01:00
rxrpc-type.h KEYS: Strip trailing spaces 2016-06-14 10:29:44 +01:00
system_keyring.h KEYS: Add a system blacklist keyring 2017-04-03 16:07:24 +01:00
trusted-type.h tpm: fix checks for policy digest existence in tpm2_seal_trusted() 2016-02-10 04:10:55 +02:00
user-type.h KEYS: Differentiate uses of rcu_dereference_key() and user_key_payload() 2017-03-02 10:09:00 +11:00