diff options
| author | Johannes Berg <johannes.berg@intel.com> | 2017-09-13 16:21:08 -0400 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2017-10-11 08:24:24 -0400 |
| commit | 90a53e4432b12288316efaa5f308adafb8d304b0 (patch) | |
| tree | 0d284c2cc1e9c2749f0216031066ed64bd0417f2 /net/wireless/Kconfig | |
| parent | c8c240e284b3d821011b4f680b3eaa99569b3756 (diff) | |
cfg80211: implement regdb signature checking
Currently CRDA implements the signature checking, and the previous
commits added the ability to load the whole regulatory database
into the kernel.
However, we really can't lose the signature checking, so implement
it in the kernel by loading a detached signature (regulatory.db.p7s)
and check it against built-in keys.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/wireless/Kconfig')
| -rw-r--r-- | net/wireless/Kconfig | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/net/wireless/Kconfig b/net/wireless/Kconfig index f050030055c5..da91bb547db3 100644 --- a/net/wireless/Kconfig +++ b/net/wireless/Kconfig | |||
| @@ -83,6 +83,36 @@ config CFG80211_CERTIFICATION_ONUS | |||
| 83 | you are a wireless researcher and are working in a controlled | 83 | you are a wireless researcher and are working in a controlled |
| 84 | and approved environment by your local regulatory agency. | 84 | and approved environment by your local regulatory agency. |
| 85 | 85 | ||
| 86 | config CFG80211_REQUIRE_SIGNED_REGDB | ||
| 87 | bool "require regdb signature" if CFG80211_CERTIFICATION_ONUS | ||
| 88 | default y | ||
| 89 | select SYSTEM_DATA_VERIFICATION | ||
| 90 | help | ||
| 91 | Require that in addition to the "regulatory.db" file a | ||
| 92 | "regulatory.db.p7s" can be loaded with a valid PKCS#7 | ||
| 93 | signature for the regulatory.db file made by one of the | ||
| 94 | keys in the certs/ directory. | ||
| 95 | |||
| 96 | config CFG80211_USE_KERNEL_REGDB_KEYS | ||
| 97 | bool "allow regdb keys shipped with the kernel" if CFG80211_CERTIFICATION_ONUS | ||
| 98 | default y | ||
| 99 | depends on CFG80211_REQUIRE_SIGNED_REGDB | ||
| 100 | help | ||
| 101 | Allow the regulatory database to be signed by one of the keys for | ||
| 102 | which certificates are part of the kernel sources | ||
| 103 | (in net/wireless/certs/). | ||
| 104 | |||
| 105 | This is currently only Seth Forshee's key, who is the regulatory | ||
| 106 | database maintainer. | ||
| 107 | |||
| 108 | config CFG80211_EXTRA_REGDB_KEYDIR | ||
| 109 | string "additional regdb key directory" if CFG80211_CERTIFICATION_ONUS | ||
| 110 | depends on CFG80211_REQUIRE_SIGNED_REGDB | ||
| 111 | help | ||
| 112 | If selected, point to a directory with DER-encoded X.509 | ||
| 113 | certificates like in the kernel sources (net/wireless/certs/) | ||
| 114 | that shall be accepted for a signed regulatory database. | ||
| 115 | |||
| 86 | config CFG80211_REG_CELLULAR_HINTS | 116 | config CFG80211_REG_CELLULAR_HINTS |
| 87 | bool "cfg80211 regulatory support for cellular base station hints" | 117 | bool "cfg80211 regulatory support for cellular base station hints" |
| 88 | depends on CFG80211_CERTIFICATION_ONUS | 118 | depends on CFG80211_CERTIFICATION_ONUS |