• Dmitry Kasatkin's avatar
    KEYS: validate certificate trust only with builtin keys · 32c4741c
    Dmitry Kasatkin authored
    Instead of allowing public keys, with certificates signed by any
    key on the system trusted keyring, to be added to a trusted keyring,
    this patch further restricts the certificates to those signed only by
    builtin keys on the system keyring.
    
    This patch defines a new option 'builtin' for the kernel parameter
    'keys_ownerid' to allow trust validation using builtin keys.
    
    Simplified Mimi's "KEYS: define an owner trusted keyring" patch
    
    Changelog v7:
    - rename builtin_keys to use_builtin_keys
    Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
    Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
    32c4741c
system_keyring.c 2.8 KB