diff options
author | David Howells <dhowells@redhat.com> | 2015-08-14 15:20:41 +0100 |
---|---|---|
committer | David Woodhouse <David.Woodhouse@intel.com> | 2015-08-14 16:06:13 +0100 |
commit | cfc411e7fff3e15cd6354ff69773907e2c9d1c0c (patch) | |
tree | c67e679c1c2bbe4a657ce58d60e995c63535952b /certs/Kconfig | |
parent | 0e38c35815f50e5a347977d76fb5eb4c3bf020b5 (diff) | |
download | linux-cfc411e7fff3e15cd6354ff69773907e2c9d1c0c.tar.gz linux-cfc411e7fff3e15cd6354ff69773907e2c9d1c0c.tar.bz2 linux-cfc411e7fff3e15cd6354ff69773907e2c9d1c0c.zip |
Move certificate handling to its own directory
Move certificate handling out of the kernel/ directory and into a certs/
directory to get all the weird stuff in one place and move the generated
signing keys into this directory.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
Diffstat (limited to 'certs/Kconfig')
-rw-r--r-- | certs/Kconfig | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/certs/Kconfig b/certs/Kconfig new file mode 100644 index 000000000000..b030b9c7ed34 --- /dev/null +++ b/certs/Kconfig @@ -0,0 +1,42 @@ +menu "Certificates for signature checking" + +config MODULE_SIG_KEY + string "File name or PKCS#11 URI of module signing key" + default "certs/signing_key.pem" + depends on MODULE_SIG + help + Provide the file name of a private key/certificate in PEM format, + or a PKCS#11 URI according to RFC7512. The file should contain, or + the URI should identify, both the certificate and its corresponding + private key. + + If this option is unchanged from its default "certs/signing_key.pem", + then the kernel will automatically generate the private key and + certificate as described in Documentation/module-signing.txt + +config SYSTEM_TRUSTED_KEYRING + bool "Provide system-wide ring of trusted keys" + depends on KEYS + help + Provide a system keyring to which trusted keys can be added. Keys in + the keyring are considered to be trusted. Keys may be added at will + by the kernel from compiled-in data and from hardware key stores, but + userspace may only add extra keys if those keys can be verified by + keys already in the keyring. + + Keys in this keyring are used by module signature checking. + +config SYSTEM_TRUSTED_KEYS + string "Additional X.509 keys for default system keyring" + depends on SYSTEM_TRUSTED_KEYRING + help + If set, this option should be the filename of a PEM-formatted file + containing trusted X.509 certificates to be included in the default + system keyring. Any certificate used for module signing is implicitly + also trusted. + + NOTE: If you previously provided keys for the system keyring in the + form of DER-encoded *.x509 files in the top-level build directory, + those are no longer used. You will need to set this option instead. + +endmenu |