diff options
author | Mat Martineau <mathew.j.martineau@linux.intel.com> | 2016-06-27 16:45:16 -0700 |
---|---|---|
committer | Mat Martineau <mathew.j.martineau@linux.intel.com> | 2017-04-04 14:10:13 -0700 |
commit | 7e3c4d22083f6e7316c5229b6197ca2d5335aa35 (patch) | |
tree | 5d8a79bfb32d3bb082ff2cffb8deba4ab588bb87 /Documentation/crypto | |
parent | 97d3aa0f313435a24440e7157c9c9115c58ca463 (diff) | |
download | linux-7e3c4d22083f6e7316c5229b6197ca2d5335aa35.tar.gz linux-7e3c4d22083f6e7316c5229b6197ca2d5335aa35.tar.bz2 linux-7e3c4d22083f6e7316c5229b6197ca2d5335aa35.zip |
KEYS: Restrict asymmetric key linkage using a specific keychain
Adds restrict_link_by_signature_keyring(), which uses the restrict_key
member of the provided destination_keyring data structure as the
key or keyring to search for signing keys.
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Diffstat (limited to 'Documentation/crypto')
-rw-r--r-- | Documentation/crypto/asymmetric-keys.txt | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/Documentation/crypto/asymmetric-keys.txt b/Documentation/crypto/asymmetric-keys.txt index 4373e7d86c6a..9814722f4b6b 100644 --- a/Documentation/crypto/asymmetric-keys.txt +++ b/Documentation/crypto/asymmetric-keys.txt @@ -340,6 +340,17 @@ Several restriction methods are available: signing key. The ca_keys kernel parameter also affects which keys are used for signature verification. + (3) Restrict using a separate key or keyring + + - Option string used with KEYCTL_RESTRICT_KEYRING: + - "key_or_keyring:<key or keyring serial number>" + + Whenever a key link is requested, the link will only succeed if the key + being linked is signed by one of the designated keys. This key may be + specified directly by providing a serial number for one asymmetric key, or + a group of keys may be searched for the signing key by providing the + serial number for a keyring. + In all of these cases, if the signing key is found the signature of the key to be linked will be verified using the signing key. The requested key is added to the keyring only if the signature is successfully verified. -ENOKEY is |