author David Woodhouse <David.Woodhouse@intel.com> 2015-07-20 16:16:31 -0400
committer David Howells <dhowells@redhat.com> 2015-08-07 11:26:14 -0400
commit 99d27b1b52bd5cdf9bd9f7661ca8641e9a1b55e6
tree 8525b8bd99f20016d7e893fa4218951a0b249364 /init
parent fb1179499134bc718dc7557c7a6a95dc72f224cb
modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option
Let the user explicitly provide a file containing trusted keys, instead of just automatically finding files matching *.x509 in the build tree and trusting whatever we find. This really ought to be an *explicit* configuration, and the build rules for dealing with the files were fairly painful too.

Fix applied from James Morris that removes an '=' from a macro definition in kernel/Makefile as this is a feature that only exists from GNU make 3.82 onwards.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'init')
-rw-r--r-- init/Kconfig 13
1 files changed, 13 insertions, 0 deletions
diff --git a/init/Kconfig b/init/Kconfig
index 2b119850784b..62b725653c36 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1752,6 +1752,19 @@ config SYSTEM_TRUSTED_KEYRING
1752 1752
1753 Keys in this keyring are used by module signature checking. 1753 Keys in this keyring are used by module signature checking.
1754 1754
1755config SYSTEM_TRUSTED_KEYS
1756 string "Additional X.509 keys for default system keyring"
1757 depends on SYSTEM_TRUSTED_KEYRING
1758 help
1759 If set, this option should be the filename of a PEM-formatted file
1760 containing trusted X.509 certificates to be included in the default
1761 system keyring. Any certificate used for module signing is implicitly
1762 also trusted.
1763
1764 NOTE: If you previously provided keys for the system keyring in the
1765 form of DER-encoded *.x509 files in the top-level build directory,
1766 those are no longer used. You will need to set this option instead.
1767
1755config SYSTEM_DATA_VERIFICATION 1768config SYSTEM_DATA_VERIFICATION
1756 def_bool n 1769 def_bool n
1757 select SYSTEM_TRUSTED_KEYRING 1770 select SYSTEM_TRUSTED_KEYRING
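Review bot: The help text for SYSTEM_TRUSTED_KEYS says the value is "the filename of a PEM-formatted file" but does not say what a relative filename is resolved against, nor what happens when the string is left empty; the entry is a `string` with no `default` line, so the help should state that an empty value adds no extra certificates to the system keyring. The NOTE that DER-encoded *.x509 files in the top-level build directory "are no longer used" describes a silent change to the trusted key set for anyone reusing an older configuration, so it would help to say explicitly that those certificates must be converted to PEM and placed in the single file this option names, since the help text already implies one file can hold several certificates.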