KEYS: Separate the kernel signature checking keyring from module signing

Separate the kernel signature checking keyring from module signing so that it can be used by code other than the module-signing code. Signed-off-by: David Howells <dhowells@redhat.com>
author: David Howells <dhowells@redhat.com> 2013-08-30 16:07:30 +0100
committer: David Howells <dhowells@redhat.com> 2013-09-25 17:17:01 +0100
commit: b56e5a17b6b9acd16997960504b9940d0d7984e7 (patch)
tree: 3041aadaf0eb3e79c0a5d1e7f9715489340f868a /init
parent: 0fbd39cf7ffe3b6a787b66b672d21b84e4675352 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/init/Kconfig b/init/Kconfig
index 3ecd8a1178f1..0ff5407a8378 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1668,6 +1668,18 @@ config BASE_SMALL
 	default 0 if BASE_FULL
 	default 1 if !BASE_FULL
 
+config SYSTEM_TRUSTED_KEYRING
+	bool "Provide system-wide ring of trusted keys"
+	depends on KEYS
+	help
+	  Provide a system keyring to which trusted keys can be added.  Keys in
+	  the keyring are considered to be trusted.  Keys may be added at will
+	  by the kernel from compiled-in data and from hardware key stores, but
+	  userspace may only add extra keys if those keys can be verified by
+	  keys already in the keyring.
+
+	  Keys in this keyring are used by module signature checking.
+
 menuconfig MODULES
 	bool "Enable loadable module support"
 	option modules
@@ -1741,6 +1753,7 @@ config MODULE_SRCVERSION_ALL
 config MODULE_SIG
 	bool "Module signature verification"
 	depends on MODULES
+	select SYSTEM_TRUSTED_KEYRING
 	select KEYS
 	select CRYPTO
 	select ASYMMETRIC_KEY_TYPE
author	David Howells <dhowells@redhat.com>	2013-08-30 16:07:30 +0100
committer	David Howells <dhowells@redhat.com>	2013-09-25 17:17:01 +0100
commit	b56e5a17b6b9acd16997960504b9940d0d7984e7 (patch)
tree	3041aadaf0eb3e79c0a5d1e7f9715489340f868a /init
parent	0fbd39cf7ffe3b6a787b66b672d21b84e4675352 (diff)