Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / cfc411e7fff3e15cd6354ff69773907e2c9d1c0c^! / . / certs / Kconfig
commitcfc411e7fff3e15cd6354ff69773907e2c9d1c0c[log] [tgz]
authorDavid Howells <dhowells@redhat.com>Fri Aug 14 15:20:41 2015 +0100
committerDavid Woodhouse <David.Woodhouse@intel.com>Fri Aug 14 16:06:13 2015 +0100
treec67e679c1c2bbe4a657ce58d60e995c63535952b
parent0e38c35815f50e5a347977d76fb5eb4c3bf020b5 [diff] [blame]
Move certificate handling to its own directory

Move certificate handling out of the kernel/ directory and into a certs/
directory to get all the weird stuff in one place and move the generated
signing keys into this directory.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>

diff --git a/certs/Kconfig b/certs/Kconfig
new file mode 100644
index 0000000..b030b9c
--- /dev/null
+++ b/certs/Kconfig

@@ -0,0 +1,42 @@
+menu "Certificates for signature checking"
+
+config MODULE_SIG_KEY
+	string "File name or PKCS#11 URI of module signing key"
+	default "certs/signing_key.pem"
+	depends on MODULE_SIG
+	help
+         Provide the file name of a private key/certificate in PEM format,
+         or a PKCS#11 URI according to RFC7512. The file should contain, or
+         the URI should identify, both the certificate and its corresponding
+         private key.
+
+         If this option is unchanged from its default "certs/signing_key.pem",
+         then the kernel will automatically generate the private key and
+         certificate as described in Documentation/module-signing.txt
+
+config SYSTEM_TRUSTED_KEYRING
+	bool "Provide system-wide ring of trusted keys"
+	depends on KEYS
+	help
+	  Provide a system keyring to which trusted keys can be added.  Keys in
+	  the keyring are considered to be trusted.  Keys may be added at will
+	  by the kernel from compiled-in data and from hardware key stores, but
+	  userspace may only add extra keys if those keys can be verified by
+	  keys already in the keyring.
+
+	  Keys in this keyring are used by module signature checking.
+
+config SYSTEM_TRUSTED_KEYS
+	string "Additional X.509 keys for default system keyring"
+	depends on SYSTEM_TRUSTED_KEYRING
+	help
+	  If set, this option should be the filename of a PEM-formatted file
+	  containing trusted X.509 certificates to be included in the default
+	  system keyring. Any certificate used for module signing is implicitly
+	  also trusted.
+
+	  NOTE: If you previously provided keys for the system keyring in the
+	  form of DER-encoded *.x509 files in the top-level build directory,
+	  those are no longer used. You will need to set this option instead.
+
+endmenu