8 files changed, 124 insertions, 41 deletions
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 851390c8d75b..10d3d8f8a65b 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2634,15 +2634,34 @@ static inline void i_readcount_inc(struct inode *inode)
 #endif
 extern int do_pipe_flags(int *, int);
+#define __kernel_read_file_id(id) \
+        id(UNKNOWN, unknown)            \
+        id(FIRMWARE, firmware)          \
+        id(MODULE, kernel-module)               \
+        id(KEXEC_IMAGE, kexec-image)            \
+        id(KEXEC_INITRAMFS, kexec-initramfs)    \
+        id(POLICY, security-policy)             \
+        id(MAX_ID, )
+#define __fid_enumify(ENUM, dummy) READING_ ## ENUM,
+#define __fid_stringify(dummy, str) #str,
 enum kernel_read_file_id {
-        READING_FIRMWARE = 1,
+        __kernel_read_file_id(__fid_enumify)
-        READING_MODULE,
+};
-        READING_KEXEC_IMAGE,
-        READING_KEXEC_INITRAMFS,
+static const char * const kernel_read_file_str[] = {
-        READING_POLICY,
+        __kernel_read_file_id(__fid_stringify)
-        READING_MAX_ID
 };
+static inline const char *kernel_read_file_id_str(enum kernel_read_file_id id)
+{
+        if (id < 0 || id >= READING_MAX_ID)
+                return kernel_read_file_str[READING_UNKNOWN];
+        return kernel_read_file_str[id];
+}
 extern int kernel_read(struct file *, loff_t, char *, unsigned long);
 extern int kernel_read_file(struct file *, void **, loff_t *, loff_t,
                            enum kernel_read_file_id);
diff --git a/include/linux/ima.h b/include/linux/ima.h
index e6516cbbe9bf..0eb7c2e7f0d6 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -21,6 +21,7 @@ extern int ima_file_mmap(struct file *file, unsigned long prot);
 extern int ima_read_file(struct file *file, enum kernel_read_file_id id);
 extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
                              enum kernel_read_file_id id);
+extern void ima_post_path_mknod(struct dentry *dentry);
 #else
 static inline int ima_bprm_check(struct linux_binprm *bprm)
@@ -54,6 +55,11 @@ static inline int ima_post_read_file(struct file *file, void *buf, loff_t size,
        return 0;
 }
+static inline void ima_post_path_mknod(struct dentry *dentry)
+{
+        return;
+}
 #endif /* CONFIG_IMA */
 #ifdef CONFIG_IMA_APPRAISE
diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index 7463355a198b..eaee981c5558 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -45,7 +45,6 @@ struct key_preparsed_payload {
        size_t          datalen;        /* Raw datalen */
        size_t          quotalen;       /* Quota length for proposed payload */
        time_t          expiry;         /* Expiry time of key */
-        bool            trusted;        /* True if key is trusted */
 };
 typedef int (*request_key_actor_t)(struct key_construction *key,
diff --git a/include/linux/key.h b/include/linux/key.h
index 5f5b1129dc92..722914798f37 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -173,11 +173,9 @@ struct key {
 #define KEY_FLAG_NEGATIVE       5       /* set if key is negative */
 #define KEY_FLAG_ROOT_CAN_CLEAR 6       /* set if key can be cleared by root without permission */
 #define KEY_FLAG_INVALIDATED    7       /* set if key has been invalidated */
-#define KEY_FLAG_TRUSTED        8       /* set if key is trusted */
+#define KEY_FLAG_BUILTIN        8       /* set if key is built in to the kernel */
-#define KEY_FLAG_TRUSTED_ONLY   9       /* set if keyring only accepts links to trusted keys */
+#define KEY_FLAG_ROOT_CAN_INVAL 9       /* set if key can be invalidated by root without permission */
-#define KEY_FLAG_BUILTIN        10      /* set if key is builtin */
+#define KEY_FLAG_KEEP           10      /* set if key should not be removed */
-#define KEY_FLAG_ROOT_CAN_INVAL 11      /* set if key can be invalidated by root without permission */
-#define KEY_FLAG_KEEP           12      /* set if key should not be removed */
        /* the key type and key description string
         * - the desc is used to match a key against search criteria
@@ -205,6 +203,20 @@ struct key {
                };
                int reject_error;
        };
+        /* This is set on a keyring to restrict the addition of a link to a key
+         * to it.  If this method isn't provided then it is assumed that the
+         * keyring is open to any addition.  It is ignored for non-keyring
+         * keys.
+         *
+         * This is intended for use with rings of trusted keys whereby addition
+         * to the keyring needs to be controlled.  KEY_ALLOC_BYPASS_RESTRICTION
+         * overrides this, allowing the kernel to add extra keys without
+         * restriction.
+         */
+        int (*restrict_link)(struct key *keyring,
+                             const struct key_type *type,
+                             const union key_payload *payload);
 };
 extern struct key *key_alloc(struct key_type *type,
@@ -212,14 +224,17 @@ extern struct key *key_alloc(struct key_type *type,
                             kuid_t uid, kgid_t gid,
                             const struct cred *cred,
                             key_perm_t perm,
-                             unsigned long flags);
+                             unsigned long flags,
+                             int (*restrict_link)(struct key *,
+                                                  const struct key_type *,
+                                                  const union key_payload *));
-#define KEY_ALLOC_IN_QUOTA      0x0000  /* add to quota, reject if would overrun */
+#define KEY_ALLOC_IN_QUOTA              0x0000  /* add to quota, reject if would overrun */
-#define KEY_ALLOC_QUOTA_OVERRUN 0x0001  /* add to quota, permit even if overrun */
+#define KEY_ALLOC_QUOTA_OVERRUN         0x0001  /* add to quota, permit even if overrun */
-#define KEY_ALLOC_NOT_IN_QUOTA  0x0002  /* not in quota */
+#define KEY_ALLOC_NOT_IN_QUOTA          0x0002  /* not in quota */
-#define KEY_ALLOC_TRUSTED       0x0004  /* Key should be flagged as trusted */
+#define KEY_ALLOC_BUILT_IN              0x0004  /* Key is built into kernel */
-#define KEY_ALLOC_BUILT_IN      0x0008  /* Key is built into kernel */
+#define KEY_ALLOC_BYPASS_RESTRICTION    0x0008  /* Override the check on restricted keyrings */
 extern void key_revoke(struct key *key);
 extern void key_invalidate(struct key *key);
@@ -288,8 +303,15 @@ extern struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid
                                 const struct cred *cred,
                                 key_perm_t perm,
                                 unsigned long flags,
+                                 int (*restrict_link)(struct key *,
+                                                      const struct key_type *,
+                                                      const union key_payload *),
                                 struct key *dest);
+extern int restrict_link_reject(struct key *keyring,
+                                const struct key_type *type,
+                                const union key_payload *payload);
 extern int keyring_clear(struct key *keyring);
 extern key_ref_t keyring_search(key_ref_t keyring,
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 512fd000562b..7ae397669d8b 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1805,7 +1805,6 @@ struct security_hook_heads {
        struct list_head tun_dev_attach_queue;
        struct list_head tun_dev_attach;
        struct list_head tun_dev_open;
-        struct list_head skb_owned_by;
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
        struct list_head xfrm_policy_alloc_security;
@@ -1894,5 +1893,10 @@ extern void __init yama_add_hooks(void);
 #else
 static inline void __init yama_add_hooks(void) { }
 #endif
+#ifdef CONFIG_SECURITY_LOADPIN
+void __init loadpin_add_hooks(void);
+#else
+static inline void loadpin_add_hooks(void) { };
+#endif
 #endif /* ! __LINUX_LSM_HOOKS_H */
diff --git a/include/linux/string_helpers.h b/include/linux/string_helpers.h
index dabe643eb5fa..5ce9538f290e 100644
--- a/include/linux/string_helpers.h
+++ b/include/linux/string_helpers.h
@@ -3,6 +3,8 @@
 #include <linux/types.h>
+struct file;
 /* Descriptions of the types of units to
 * print in */
 enum string_size_units {
@@ -68,4 +70,8 @@ static inline int string_escape_str_any_np(const char *src, char *dst,
        return string_escape_str(src, dst, sz, ESCAPE_ANY_NP, only);
 }
+char *kstrdup_quotable(const char *src, gfp_t gfp);
+char *kstrdup_quotable_cmdline(struct task_struct *task, gfp_t gfp);
+char *kstrdup_quotable_file(struct file *file, gfp_t gfp);
 #endif
diff --git a/include/linux/verification.h b/include/linux/verification.h
new file mode 100644
index 000000000000..a10549a6c7cd
--- /dev/null
+++ b/include/linux/verification.h
@@ -0,0 +1,49 @@
+/* Signature verification
+ *
+ * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+#ifndef _LINUX_VERIFICATION_H
+#define _LINUX_VERIFICATION_H
+/*
+ * The use to which an asymmetric key is being put.
+ */
+enum key_being_used_for {
+        VERIFYING_MODULE_SIGNATURE,
+        VERIFYING_FIRMWARE_SIGNATURE,
+        VERIFYING_KEXEC_PE_SIGNATURE,
+        VERIFYING_KEY_SIGNATURE,
+        VERIFYING_KEY_SELF_SIGNATURE,
+        VERIFYING_UNSPECIFIED_SIGNATURE,
+        NR__KEY_BEING_USED_FOR
+};
+extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];
+#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
+struct key;
+extern int verify_pkcs7_signature(const void *data, size_t len,
+                                  const void *raw_pkcs7, size_t pkcs7_len,
+                                  struct key *trusted_keys,
+                                  enum key_being_used_for usage,
+                                  int (*view_content)(void *ctx,
+                                                      const void *data, size_t len,
+                                                      size_t asn1hdrlen),
+                                  void *ctx);
+#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
+extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
+                                   struct key *trusted_keys,
+                                   enum key_being_used_for usage);
+#endif
+#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
+#endif /* _LINUX_VERIFY_PEFILE_H */
diff --git a/include/linux/verify_pefile.h b/include/linux/verify_pefile.h
deleted file mode 100644
index da2049b5161c..000000000000
--- a/include/linux/verify_pefile.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/* Signed PE file verification
- *
- * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
- * Written by David Howells (dhowells@redhat.com)
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public Licence
- * as published by the Free Software Foundation; either version
- * 2 of the Licence, or (at your option) any later version.
- */
-#ifndef _LINUX_VERIFY_PEFILE_H
-#define _LINUX_VERIFY_PEFILE_H
-#include <crypto/public_key.h>
-extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
-                                   struct key *trusted_keyring,
-                                   enum key_being_used_for usage,
-                                   bool *_trusted);
-#endif /* _LINUX_VERIFY_PEFILE_H */

diff --git a/include/linux/fs.h b/include/linux/fs.h index 851390c8d75b..10d3d8f8a65b 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h
@@ -2634,15 +2634,34 @@ static inline void i_readcount_inc(struct inode *inode)
2634	#endif	2634	#endif
2635	extern int do_pipe_flags(int *, int);	2635	extern int do_pipe_flags(int *, int);
2636		2636
		2637	#define __kernel_read_file_id(id) \
		2638	id(UNKNOWN, unknown) \
		2639	id(FIRMWARE, firmware) \
		2640	id(MODULE, kernel-module) \
		2641	id(KEXEC_IMAGE, kexec-image) \
		2642	id(KEXEC_INITRAMFS, kexec-initramfs) \
		2643	id(POLICY, security-policy) \
		2644	id(MAX_ID, )
		2645
		2646	#define __fid_enumify(ENUM, dummy) READING_ ## ENUM,
		2647	#define __fid_stringify(dummy, str) #str,
		2648
2637	enum kernel_read_file_id {	2649	enum kernel_read_file_id {
2638	READING_FIRMWARE = 1,	2650	__kernel_read_file_id(__fid_enumify)
2639	READING_MODULE,	2651	};
2640	READING_KEXEC_IMAGE,	2652
2641	READING_KEXEC_INITRAMFS,	2653	static const char * const kernel_read_file_str[] = {
2642	READING_POLICY,	2654	__kernel_read_file_id(__fid_stringify)
2643	READING_MAX_ID
2644	};	2655	};
2645		2656
		2657	static inline const char *kernel_read_file_id_str(enum kernel_read_file_id id)
		2658	{
		2659	if (id < 0 \|\| id >= READING_MAX_ID)
		2660	return kernel_read_file_str[READING_UNKNOWN];
		2661
		2662	return kernel_read_file_str[id];
		2663	}
		2664
2646	extern int kernel_read(struct file , loff_t, char , unsigned long);	2665	extern int kernel_read(struct file , loff_t, char , unsigned long);
2647	extern int kernel_read_file(struct file , void , loff_t , loff_t,	2666	extern int kernel_read_file(struct file , void , loff_t , loff_t,
2648	enum kernel_read_file_id);	2667	enum kernel_read_file_id);


diff --git a/include/linux/ima.h b/include/linux/ima.h index e6516cbbe9bf..0eb7c2e7f0d6 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h
@@ -21,6 +21,7 @@ extern int ima_file_mmap(struct file *file, unsigned long prot);
21	extern int ima_read_file(struct file *file, enum kernel_read_file_id id);	21	extern int ima_read_file(struct file *file, enum kernel_read_file_id id);
22	extern int ima_post_read_file(struct file file, void buf, loff_t size,	22	extern int ima_post_read_file(struct file file, void buf, loff_t size,
23	enum kernel_read_file_id id);	23	enum kernel_read_file_id id);
		24	extern void ima_post_path_mknod(struct dentry *dentry);
24		25
25	#else	26	#else
26	static inline int ima_bprm_check(struct linux_binprm *bprm)	27	static inline int ima_bprm_check(struct linux_binprm *bprm)
@@ -54,6 +55,11 @@ static inline int ima_post_read_file(struct file file, void buf, loff_t size,
54	return 0;	55	return 0;
55	}	56	}
56		57
		58	static inline void ima_post_path_mknod(struct dentry *dentry)
		59	{
		60	return;
		61	}
		62
57	#endif /* CONFIG_IMA */	63	#endif /* CONFIG_IMA */
58		64
59	#ifdef CONFIG_IMA_APPRAISE	65	#ifdef CONFIG_IMA_APPRAISE


diff --git a/include/linux/key-type.h b/include/linux/key-type.h index 7463355a198b..eaee981c5558 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h
@@ -45,7 +45,6 @@ struct key_preparsed_payload {
45	size_t datalen; /* Raw datalen */	45	size_t datalen; /* Raw datalen */
46	size_t quotalen; /* Quota length for proposed payload */	46	size_t quotalen; /* Quota length for proposed payload */
47	time_t expiry; /* Expiry time of key */	47	time_t expiry; /* Expiry time of key */
48	bool trusted; /* True if key is trusted */
49	};	48	};
50		49
51	typedef int (request_key_actor_t)(struct key_construction key,	50	typedef int (request_key_actor_t)(struct key_construction key,


diff --git a/include/linux/key.h b/include/linux/key.h index 5f5b1129dc92..722914798f37 100644 --- a/include/linux/key.h +++ b/include/linux/key.h
@@ -173,11 +173,9 @@ struct key {
173	#define KEY_FLAG_NEGATIVE 5 /* set if key is negative */	173	#define KEY_FLAG_NEGATIVE 5 /* set if key is negative */
174	#define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */	174	#define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */
175	#define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */	175	#define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */
176	#define KEY_FLAG_TRUSTED 8 /* set if key is trusted */	176	#define KEY_FLAG_BUILTIN 8 /* set if key is built in to the kernel */
177	#define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */	177	#define KEY_FLAG_ROOT_CAN_INVAL 9 /* set if key can be invalidated by root without permission */
178	#define KEY_FLAG_BUILTIN 10 /* set if key is builtin */	178	#define KEY_FLAG_KEEP 10 /* set if key should not be removed */
179	#define KEY_FLAG_ROOT_CAN_INVAL 11 /* set if key can be invalidated by root without permission */
180	#define KEY_FLAG_KEEP 12 /* set if key should not be removed */
181		179
182	/* the key type and key description string	180	/* the key type and key description string
183	* - the desc is used to match a key against search criteria	181	* - the desc is used to match a key against search criteria
@@ -205,6 +203,20 @@ struct key {
205	};	203	};
206	int reject_error;	204	int reject_error;
207	};	205	};
		206
		207	/* This is set on a keyring to restrict the addition of a link to a key
		208	* to it. If this method isn't provided then it is assumed that the
		209	* keyring is open to any addition. It is ignored for non-keyring
		210	* keys.
		211	*
		212	* This is intended for use with rings of trusted keys whereby addition
		213	* to the keyring needs to be controlled. KEY_ALLOC_BYPASS_RESTRICTION
		214	* overrides this, allowing the kernel to add extra keys without
		215	* restriction.
		216	*/
		217	int (restrict_link)(struct key keyring,
		218	const struct key_type *type,
		219	const union key_payload *payload);
208	};	220	};
209		221
210	extern struct key key_alloc(struct key_type type,	222	extern struct key key_alloc(struct key_type type,
@@ -212,14 +224,17 @@ extern struct key key_alloc(struct key_type type,
212	kuid_t uid, kgid_t gid,	224	kuid_t uid, kgid_t gid,
213	const struct cred *cred,	225	const struct cred *cred,
214	key_perm_t perm,	226	key_perm_t perm,
215	unsigned long flags);	227	unsigned long flags,
		228	int (restrict_link)(struct key ,
		229	const struct key_type *,
		230	const union key_payload *));
216		231
217		232
218	#define KEY_ALLOC_IN_QUOTA 0x0000 /* add to quota, reject if would overrun */	233	#define KEY_ALLOC_IN_QUOTA 0x0000 /* add to quota, reject if would overrun */
219	#define KEY_ALLOC_QUOTA_OVERRUN 0x0001 /* add to quota, permit even if overrun */	234	#define KEY_ALLOC_QUOTA_OVERRUN 0x0001 /* add to quota, permit even if overrun */
220	#define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */	235	#define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */
221	#define KEY_ALLOC_TRUSTED 0x0004 /* Key should be flagged as trusted */	236	#define KEY_ALLOC_BUILT_IN 0x0004 /* Key is built into kernel */
222	#define KEY_ALLOC_BUILT_IN 0x0008 /* Key is built into kernel */	237	#define KEY_ALLOC_BYPASS_RESTRICTION 0x0008 /* Override the check on restricted keyrings */
223		238
224	extern void key_revoke(struct key *key);	239	extern void key_revoke(struct key *key);
225	extern void key_invalidate(struct key *key);	240	extern void key_invalidate(struct key *key);
@@ -288,8 +303,15 @@ extern struct key keyring_alloc(const char description, kuid_t uid, kgid_t gid
288	const struct cred *cred,	303	const struct cred *cred,
289	key_perm_t perm,	304	key_perm_t perm,
290	unsigned long flags,	305	unsigned long flags,
		306	int (restrict_link)(struct key ,
		307	const struct key_type *,
		308	const union key_payload *),
291	struct key *dest);	309	struct key *dest);
292		310
		311	extern int restrict_link_reject(struct key *keyring,
		312	const struct key_type *type,
		313	const union key_payload *payload);
		314
293	extern int keyring_clear(struct key *keyring);	315	extern int keyring_clear(struct key *keyring);
294		316
295	extern key_ref_t keyring_search(key_ref_t keyring,	317	extern key_ref_t keyring_search(key_ref_t keyring,


diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 512fd000562b..7ae397669d8b 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h
@@ -1805,7 +1805,6 @@ struct security_hook_heads {
1805	struct list_head tun_dev_attach_queue;	1805	struct list_head tun_dev_attach_queue;
1806	struct list_head tun_dev_attach;	1806	struct list_head tun_dev_attach;
1807	struct list_head tun_dev_open;	1807	struct list_head tun_dev_open;
1808	struct list_head skb_owned_by;
1809	#endif /* CONFIG_SECURITY_NETWORK */	1808	#endif /* CONFIG_SECURITY_NETWORK */
1810	#ifdef CONFIG_SECURITY_NETWORK_XFRM	1809	#ifdef CONFIG_SECURITY_NETWORK_XFRM
1811	struct list_head xfrm_policy_alloc_security;	1810	struct list_head xfrm_policy_alloc_security;
@@ -1894,5 +1893,10 @@ extern void __init yama_add_hooks(void);
1894	#else	1893	#else
1895	static inline void __init yama_add_hooks(void) { }	1894	static inline void __init yama_add_hooks(void) { }
1896	#endif	1895	#endif
		1896	#ifdef CONFIG_SECURITY_LOADPIN
		1897	void __init loadpin_add_hooks(void);
		1898	#else
		1899	static inline void loadpin_add_hooks(void) { };
		1900	#endif
1897		1901
1898	#endif /* ! __LINUX_LSM_HOOKS_H */	1902	#endif /* ! __LINUX_LSM_HOOKS_H */


diff --git a/include/linux/string_helpers.h b/include/linux/string_helpers.h index dabe643eb5fa..5ce9538f290e 100644 --- a/include/linux/string_helpers.h +++ b/include/linux/string_helpers.h
@@ -3,6 +3,8 @@
3		3
4	#include <linux/types.h>	4	#include <linux/types.h>
5		5
		6	struct file;
		7
6	/* Descriptions of the types of units to	8	/* Descriptions of the types of units to
7	* print in */	9	* print in */
8	enum string_size_units {	10	enum string_size_units {
@@ -68,4 +70,8 @@ static inline int string_escape_str_any_np(const char src, char dst,
68	return string_escape_str(src, dst, sz, ESCAPE_ANY_NP, only);	70	return string_escape_str(src, dst, sz, ESCAPE_ANY_NP, only);
69	}	71	}
70		72
		73	char kstrdup_quotable(const char src, gfp_t gfp);
		74	char kstrdup_quotable_cmdline(struct task_struct task, gfp_t gfp);
		75	char kstrdup_quotable_file(struct file file, gfp_t gfp);
		76
71	#endif	77	#endif


diff --git a/include/linux/verification.h b/include/linux/verification.h new file mode 100644 index 000000000000..a10549a6c7cd --- /dev/null +++ b/include/linux/verification.h
@@ -0,0 +1,49 @@
		1	/* Signature verification
		2	*
		3	* Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
		4	* Written by David Howells (dhowells@redhat.com)
		5	*
		6	* This program is free software; you can redistribute it and/or
		7	* modify it under the terms of the GNU General Public Licence
		8	* as published by the Free Software Foundation; either version
		9	* 2 of the Licence, or (at your option) any later version.
		10	*/
		11
		12	#ifndef _LINUX_VERIFICATION_H
		13	#define _LINUX_VERIFICATION_H
		14
		15	/*
		16	* The use to which an asymmetric key is being put.
		17	*/
		18	enum key_being_used_for {
		19	VERIFYING_MODULE_SIGNATURE,
		20	VERIFYING_FIRMWARE_SIGNATURE,
		21	VERIFYING_KEXEC_PE_SIGNATURE,
		22	VERIFYING_KEY_SIGNATURE,
		23	VERIFYING_KEY_SELF_SIGNATURE,
		24	VERIFYING_UNSPECIFIED_SIGNATURE,
		25	NR__KEY_BEING_USED_FOR
		26	};
		27	extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];
		28
		29	#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
		30
		31	struct key;
		32
		33	extern int verify_pkcs7_signature(const void *data, size_t len,
		34	const void *raw_pkcs7, size_t pkcs7_len,
		35	struct key *trusted_keys,
		36	enum key_being_used_for usage,
		37	int (view_content)(void ctx,
		38	const void *data, size_t len,
		39	size_t asn1hdrlen),
		40	void *ctx);
		41
		42	#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
		43	extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
		44	struct key *trusted_keys,
		45	enum key_being_used_for usage);
		46	#endif
		47
		48	#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
		49	#endif /* _LINUX_VERIFY_PEFILE_H */


diff --git a/include/linux/verify_pefile.h b/include/linux/verify_pefile.h deleted file mode 100644 index da2049b5161c..000000000000 --- a/include/linux/verify_pefile.h +++ /dev/null
@@ -1,22 +0,0 @@
1	/* Signed PE file verification
2	*
3	* Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
4	* Written by David Howells (dhowells@redhat.com)
5	*
6	* This program is free software; you can redistribute it and/or
7	* modify it under the terms of the GNU General Public Licence
8	* as published by the Free Software Foundation; either version
9	* 2 of the Licence, or (at your option) any later version.
10	*/
11
12	#ifndef _LINUX_VERIFY_PEFILE_H
13	#define _LINUX_VERIFY_PEFILE_H
14
15	#include <crypto/public_key.h>
16
17	extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
18	struct key *trusted_keyring,
19	enum key_being_used_for usage,
20	bool *_trusted);
21
22	#endif /* _LINUX_VERIFY_PEFILE_H */