diff options
author | David Woodhouse <David.Woodhouse@intel.com> | 2015-07-20 21:16:31 +0100 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2015-08-07 16:26:14 +0100 |
commit | 99d27b1b52bd5cdf9bd9f7661ca8641e9a1b55e6 (patch) | |
tree | 8525b8bd99f20016d7e893fa4218951a0b249364 /init | |
parent | fb1179499134bc718dc7557c7a6a95dc72f224cb (diff) |
modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option
Let the user explicitly provide a file containing trusted keys, instead of
just automatically finding files matching *.x509 in the build tree and
trusting whatever we find. This really ought to be an *explicit*
configuration, and the build rules for dealing with the files were
fairly painful too.
Fix applied from James Morris that removes an '=' from a macro definition
in kernel/Makefile as this is a feature that only exists from GNU make 3.82
onwards.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'init')
-rw-r--r-- | init/Kconfig | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/init/Kconfig b/init/Kconfig index 2b119850784b..62b725653c36 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1752,6 +1752,19 @@ config SYSTEM_TRUSTED_KEYRING Keys in this keyring are used by module signature checking. +config SYSTEM_TRUSTED_KEYS + string "Additional X.509 keys for default system keyring" + depends on SYSTEM_TRUSTED_KEYRING + help + If set, this option should be the filename of a PEM-formatted file + containing trusted X.509 certificates to be included in the default + system keyring. Any certificate used for module signing is implicitly + also trusted. + + NOTE: If you previously provided keys for the system keyring in the + form of DER-encoded *.x509 files in the top-level build directory, + those are no longer used. You will need to set this option instead. + config SYSTEM_DATA_VERIFICATION def_bool n select SYSTEM_TRUSTED_KEYRING |