|author||David Woodhouse <David.Woodhouse@intel.com>||2015-07-20 21:16:31 +0100|
|committer||David Howells <email@example.com>||2015-08-07 16:26:14 +0100|
modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option
Let the user explicitly provide a file containing trusted keys, instead of just automatically finding files matching *.x509 in the build tree and trusting whatever we find. This really ought to be an *explicit* configuration, and the build rules for dealing with the files were fairly painful too. Fix applied from James Morris that removes an '=' from a macro definition in kernel/Makefile as this is a feature that only exists from GNU make 3.82 onwards. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Signed-off-by: David Howells <firstname.lastname@example.org>
Diffstat (limited to 'init')
1 files changed, 13 insertions, 0 deletions
diff --git a/init/Kconfig b/init/Kconfig
index 2b119850784b..62b725653c36 100644
@@ -1752,6 +1752,19 @@ config SYSTEM_TRUSTED_KEYRING
Keys in this keyring are used by module signature checking.
+ string "Additional X.509 keys for default system keyring"
+ depends on SYSTEM_TRUSTED_KEYRING
+ If set, this option should be the filename of a PEM-formatted file
+ containing trusted X.509 certificates to be included in the default
+ system keyring. Any certificate used for module signing is implicitly
+ also trusted.
+ NOTE: If you previously provided keys for the system keyring in the
+ form of DER-encoded *.x509 files in the top-level build directory,
+ those are no longer used. You will need to set this option instead.