summaryrefslogtreecommitdiff
path: root/init/Kconfig
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2015-08-14 15:20:41 +0100
committerDavid Woodhouse <David.Woodhouse@intel.com>2015-08-14 16:06:13 +0100
commitcfc411e7fff3e15cd6354ff69773907e2c9d1c0c (patch)
treec67e679c1c2bbe4a657ce58d60e995c63535952b /init/Kconfig
parent0e38c35815f50e5a347977d76fb5eb4c3bf020b5 (diff)
Move certificate handling to its own directory
Move certificate handling out of the kernel/ directory and into a certs/ directory to get all the weird stuff in one place and move the generated signing keys into this directory. Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
Diffstat (limited to 'init/Kconfig')
-rw-r--r--init/Kconfig39
1 files changed, 0 insertions, 39 deletions
diff --git a/init/Kconfig b/init/Kconfig
index 5d1a703663ad..5526dfaac628 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1740,31 +1740,6 @@ config MMAP_ALLOW_UNINITIALIZED
See Documentation/nommu-mmap.txt for more information.
-config SYSTEM_TRUSTED_KEYRING
- bool "Provide system-wide ring of trusted keys"
- depends on KEYS
- help
- Provide a system keyring to which trusted keys can be added. Keys in
- the keyring are considered to be trusted. Keys may be added at will
- by the kernel from compiled-in data and from hardware key stores, but
- userspace may only add extra keys if those keys can be verified by
- keys already in the keyring.
-
- Keys in this keyring are used by module signature checking.
-
-config SYSTEM_TRUSTED_KEYS
- string "Additional X.509 keys for default system keyring"
- depends on SYSTEM_TRUSTED_KEYRING
- help
- If set, this option should be the filename of a PEM-formatted file
- containing trusted X.509 certificates to be included in the default
- system keyring. Any certificate used for module signing is implicitly
- also trusted.
-
- NOTE: If you previously provided keys for the system keyring in the
- form of DER-encoded *.x509 files in the top-level build directory,
- those are no longer used. You will need to set this option instead.
-
config SYSTEM_DATA_VERIFICATION
def_bool n
select SYSTEM_TRUSTED_KEYRING
@@ -1965,20 +1940,6 @@ config MODULE_SIG_HASH
default "sha384" if MODULE_SIG_SHA384
default "sha512" if MODULE_SIG_SHA512
-config MODULE_SIG_KEY
- string "File name or PKCS#11 URI of module signing key"
- default "signing_key.pem"
- depends on MODULE_SIG
- help
- Provide the file name of a private key/certificate in PEM format,
- or a PKCS#11 URI according to RFC7512. The file should contain, or
- the URI should identify, both the certificate and its corresponding
- private key.
-
- If this option is unchanged from its default "signing_key.pem",
- then the kernel will automatically generate the private key and
- certificate as described in Documentation/module-signing.txt
-
config MODULE_COMPRESS
bool "Compress modules on installation"
depends on MODULES