13 files changed, 478 insertions, 54 deletions

diff --git a/include/crypto/hash_info.h b/include/crypto/hash_info.h
new file mode 100644
index 000000000000..e1e5a3e5dd1b
--- /dev/null
+++ b/include/crypto/hash_info.h
@@ -0,0 +1,40 @@
+/*
+ * Hash Info: Hash algorithms information
+ *
+ * Copyright (c) 2013 Dmitry Kasatkin <d.kasatkin@samsung.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ */
+
+#ifndef _CRYPTO_HASH_INFO_H
+#define _CRYPTO_HASH_INFO_H
+
+#include <crypto/sha.h>
+#include <crypto/md5.h>
+
+#include <uapi/linux/hash_info.h>
+
+/* not defined in include/crypto/ */
+#define RMD128_DIGEST_SIZE      16
+#define RMD160_DIGEST_SIZE      20
+#define RMD256_DIGEST_SIZE      32
+#define RMD320_DIGEST_SIZE      40
+
+/* not defined in include/crypto/ */
+#define WP512_DIGEST_SIZE       64
+#define WP384_DIGEST_SIZE       48
+#define WP256_DIGEST_SIZE       32
+
+/* not defined in include/crypto/ */
+#define TGR128_DIGEST_SIZE 16
+#define TGR160_DIGEST_SIZE 20
+#define TGR192_DIGEST_SIZE 24
+
+extern const char *const hash_algo_name[HASH_ALGO__LAST];
+extern const int hash_digest_size[HASH_ALGO__LAST];
+
+#endif /* _CRYPTO_HASH_INFO_H */
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index f5b0224c9967..fc09732613ad 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -15,6 +15,7 @@
 #define _LINUX_PUBLIC_KEY_H
 
 #include <linux/mpi.h>
+#include <crypto/hash_info.h>
 
 enum pkey_algo {
         PKEY_ALGO_DSA,
@@ -22,21 +23,11 @@ enum pkey_algo {
         PKEY_ALGO__LAST
 };
 
-extern const char *const pkey_algo[PKEY_ALGO__LAST];
+extern const char *const pkey_algo_name[PKEY_ALGO__LAST];
+extern const struct public_key_algorithm *pkey_algo[PKEY_ALGO__LAST];
 
-enum pkey_hash_algo {
-        PKEY_HASH_MD4,
-        PKEY_HASH_MD5,
-        PKEY_HASH_SHA1,
-        PKEY_HASH_RIPE_MD_160,
-        PKEY_HASH_SHA256,
-        PKEY_HASH_SHA384,
-        PKEY_HASH_SHA512,
-        PKEY_HASH_SHA224,
-        PKEY_HASH__LAST
-};
-
-extern const char *const pkey_hash_algo[PKEY_HASH__LAST];
+/* asymmetric key implementation supports only up to SHA224 */
+#define PKEY_HASH__LAST         (HASH_ALGO_SHA224 + 1)
 
 enum pkey_id_type {
         PKEY_ID_PGP,            /* OpenPGP generated key ID */
@@ -44,7 +35,7 @@ enum pkey_id_type {
         PKEY_ID_TYPE__LAST
 };
 
-extern const char *const pkey_id_type[PKEY_ID_TYPE__LAST];
+extern const char *const pkey_id_type_name[PKEY_ID_TYPE__LAST];
 
 /*
  * Cryptographic data for the public-key subtype of the asymmetric key type.
@@ -59,6 +50,7 @@ struct public_key {
 #define PKEY_CAN_DECRYPT        0x02
 #define PKEY_CAN_SIGN           0x04
 #define PKEY_CAN_VERIFY         0x08
+        enum pkey_algo pkey_algo : 8;
         enum pkey_id_type id_type : 8;
         union {
                 MPI     mpi[5];
@@ -88,7 +80,8 @@ struct public_key_signature {
         u8 *digest;
         u8 digest_size;                 /* Number of bytes in digest */
         u8 nr_mpi;                      /* Occupancy of mpi[] */
-        enum pkey_hash_algo pkey_hash_algo : 8;
+        enum pkey_algo pkey_algo : 8;
+        enum hash_algo pkey_hash_algo : 8;
         union {
                 MPI mpi[2];
                 struct {
diff --git a/include/keys/big_key-type.h b/include/keys/big_key-type.h
new file mode 100644
index 000000000000..d69bc8af3292
--- /dev/null
+++ b/include/keys/big_key-type.h
@@ -0,0 +1,25 @@
+/* Big capacity key type.
+ *
+ * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ */
+
+#ifndef _KEYS_BIG_KEY_TYPE_H
+#define _KEYS_BIG_KEY_TYPE_H
+
+#include <linux/key-type.h>
+
+extern struct key_type key_type_big_key;
+
+extern int big_key_instantiate(struct key *key, struct key_preparsed_payload *prep);
+extern void big_key_revoke(struct key *key);
+extern void big_key_destroy(struct key *key);
+extern void big_key_describe(const struct key *big_key, struct seq_file *m);
+extern long big_key_read(const struct key *key, char __user *buffer, size_t buflen);
+
+#endif /* _KEYS_BIG_KEY_TYPE_H */
diff --git a/include/keys/keyring-type.h b/include/keys/keyring-type.h
index cf49159b0e3a..fca5c62340a4 100644
--- a/include/keys/keyring-type.h
+++ b/include/keys/keyring-type.h
@@ -1,6 +1,6 @@
 /* Keyring key type
  *
- * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
+ * Copyright (C) 2008, 2013 Red Hat, Inc. All Rights Reserved.
  * Written by David Howells (dhowells@redhat.com)
  *
  * This program is free software; you can redistribute it and/or
@@ -13,19 +13,6 @@
 #define _KEYS_KEYRING_TYPE_H
 
 #include <linux/key.h>
-#include <linux/rcupdate.h>
-
-/*
- * the keyring payload contains a list of the keys to which the keyring is
- * subscribed
- */
-struct keyring_list {
-        struct rcu_head rcu;            /* RCU deletion hook */
-        unsigned short  maxkeys;        /* max keys this list can hold */
-        unsigned short  nkeys;          /* number of keys currently held */
-        unsigned short  delkey;         /* key to be unlinked by RCU */
-        struct key __rcu *keys[0];
-};
-
+#include <linux/assoc_array.h>
 
 #endif /* _KEYS_KEYRING_TYPE_H */
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
new file mode 100644
index 000000000000..8dabc399bd1d
--- /dev/null
+++ b/include/keys/system_keyring.h
@@ -0,0 +1,23 @@
+/* System keyring containing trusted public keys.
+ *
+ * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#ifndef _KEYS_SYSTEM_KEYRING_H
+#define _KEYS_SYSTEM_KEYRING_H
+
+#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
+
+#include <linux/key.h>
+
+extern struct key *system_trusted_keyring;
+
+#endif
+
+#endif /* _KEYS_SYSTEM_KEYRING_H */
diff --git a/include/linux/assoc_array.h b/include/linux/assoc_array.h
new file mode 100644
index 000000000000..9a193b84238a
--- /dev/null
+++ b/include/linux/assoc_array.h
@@ -0,0 +1,92 @@
+/* Generic associative array implementation.
+ *
+ * See Documentation/assoc_array.txt for information.
+ *
+ * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#ifndef _LINUX_ASSOC_ARRAY_H
+#define _LINUX_ASSOC_ARRAY_H
+
+#ifdef CONFIG_ASSOCIATIVE_ARRAY
+
+#include <linux/types.h>
+
+#define ASSOC_ARRAY_KEY_CHUNK_SIZE BITS_PER_LONG /* Key data retrieved in chunks of this size */
+
+/*
+ * Generic associative array.
+ */
+struct assoc_array {
+        struct assoc_array_ptr  *root;          /* The node at the root of the tree */
+        unsigned long           nr_leaves_on_tree;
+};
+
+/*
+ * Operations on objects and index keys for use by array manipulation routines.
+ */
+struct assoc_array_ops {
+        /* Method to get a chunk of an index key from caller-supplied data */
+        unsigned long (*get_key_chunk)(const void *index_key, int level);
+
+        /* Method to get a piece of an object's index key */
+        unsigned long (*get_object_key_chunk)(const void *object, int level);
+
+        /* Is this the object we're looking for? */
+        bool (*compare_object)(const void *object, const void *index_key);
+
+        /* How different are two objects, to a bit position in their keys? (or
+         * -1 if they're the same)
+         */
+        int (*diff_objects)(const void *a, const void *b);
+
+        /* Method to free an object. */
+        void (*free_object)(void *object);
+};
+
+/*
+ * Access and manipulation functions.
+ */
+struct assoc_array_edit;
+
+static inline void assoc_array_init(struct assoc_array *array)
+{
+        array->root = NULL;
+        array->nr_leaves_on_tree = 0;
+}
+
+extern int assoc_array_iterate(const struct assoc_array *array,
+                               int (*iterator)(const void *object,
+                                               void *iterator_data),
+                               void *iterator_data);
+extern void *assoc_array_find(const struct assoc_array *array,
+                              const struct assoc_array_ops *ops,
+                              const void *index_key);
+extern void assoc_array_destroy(struct assoc_array *array,
+                                const struct assoc_array_ops *ops);
+extern struct assoc_array_edit *assoc_array_insert(struct assoc_array *array,
+                                                   const struct assoc_array_ops *ops,
+                                                   const void *index_key,
+                                                   void *object);
+extern void assoc_array_insert_set_object(struct assoc_array_edit *edit,
+                                          void *object);
+extern struct assoc_array_edit *assoc_array_delete(struct assoc_array *array,
+                                                   const struct assoc_array_ops *ops,
+                                                   const void *index_key);
+extern struct assoc_array_edit *assoc_array_clear(struct assoc_array *array,
+                                                  const struct assoc_array_ops *ops);
+extern void assoc_array_apply_edit(struct assoc_array_edit *edit);
+extern void assoc_array_cancel_edit(struct assoc_array_edit *edit);
+extern int assoc_array_gc(struct assoc_array *array,
+                          const struct assoc_array_ops *ops,
+                          bool (*iterator)(void *object, void *iterator_data),
+                          void *iterator_data);
+
+#endif /* CONFIG_ASSOCIATIVE_ARRAY */
+#endif /* _LINUX_ASSOC_ARRAY_H */
diff --git a/include/linux/assoc_array_priv.h b/include/linux/assoc_array_priv.h
new file mode 100644
index 000000000000..711275e6681c
--- /dev/null
+++ b/include/linux/assoc_array_priv.h
@@ -0,0 +1,182 @@
+/* Private definitions for the generic associative array implementation.
+ *
+ * See Documentation/assoc_array.txt for information.
+ *
+ * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#ifndef _LINUX_ASSOC_ARRAY_PRIV_H
+#define _LINUX_ASSOC_ARRAY_PRIV_H
+
+#ifdef CONFIG_ASSOCIATIVE_ARRAY
+
+#include <linux/assoc_array.h>
+
+#define ASSOC_ARRAY_FAN_OUT             16      /* Number of slots per node */
+#define ASSOC_ARRAY_FAN_MASK            (ASSOC_ARRAY_FAN_OUT - 1)
+#define ASSOC_ARRAY_LEVEL_STEP          (ilog2(ASSOC_ARRAY_FAN_OUT))
+#define ASSOC_ARRAY_LEVEL_STEP_MASK     (ASSOC_ARRAY_LEVEL_STEP - 1)
+#define ASSOC_ARRAY_KEY_CHUNK_MASK      (ASSOC_ARRAY_KEY_CHUNK_SIZE - 1)
+#define ASSOC_ARRAY_KEY_CHUNK_SHIFT     (ilog2(BITS_PER_LONG))
+
+/*
+ * Undefined type representing a pointer with type information in the bottom
+ * two bits.
+ */
+struct assoc_array_ptr;
+
+/*
+ * An N-way node in the tree.
+ *
+ * Each slot contains one of four things:
+ *
+ *      (1) Nothing (NULL).
+ *
+ *      (2) A leaf object (pointer types 0).
+ *
+ *      (3) A next-level node (pointer type 1, subtype 0).
+ *
+ *      (4) A shortcut (pointer type 1, subtype 1).
+ *
+ * The tree is optimised for search-by-ID, but permits reasonable iteration
+ * also.
+ *
+ * The tree is navigated by constructing an index key consisting of an array of
+ * segments, where each segment is ilog2(ASSOC_ARRAY_FAN_OUT) bits in size.
+ *
+ * The segments correspond to levels of the tree (the first segment is used at
+ * level 0, the second at level 1, etc.).
+ */
+struct assoc_array_node {
+        struct assoc_array_ptr  *back_pointer;
+        u8                      parent_slot;
+        struct assoc_array_ptr  *slots[ASSOC_ARRAY_FAN_OUT];
+        unsigned long           nr_leaves_on_branch;
+};
+
+/*
+ * A shortcut through the index space out to where a collection of nodes/leaves
+ * with the same IDs live.
+ */
+struct assoc_array_shortcut {
+        struct assoc_array_ptr  *back_pointer;
+        int                     parent_slot;
+        int                     skip_to_level;
+        struct assoc_array_ptr  *next_node;
+        unsigned long           index_key[];
+};
+
+/*
+ * Preallocation cache.
+ */
+struct assoc_array_edit {
+        struct rcu_head                 rcu;
+        struct assoc_array              *array;
+        const struct assoc_array_ops    *ops;
+        const struct assoc_array_ops    *ops_for_excised_subtree;
+        struct assoc_array_ptr          *leaf;
+        struct assoc_array_ptr          **leaf_p;
+        struct assoc_array_ptr          *dead_leaf;
+        struct assoc_array_ptr          *new_meta[3];
+        struct assoc_array_ptr          *excised_meta[1];
+        struct assoc_array_ptr          *excised_subtree;
+        struct assoc_array_ptr          **set_backpointers[ASSOC_ARRAY_FAN_OUT];
+        struct assoc_array_ptr          *set_backpointers_to;
+        struct assoc_array_node         *adjust_count_on;
+        long                            adjust_count_by;
+        struct {
+                struct assoc_array_ptr  **ptr;
+                struct assoc_array_ptr  *to;
+        } set[2];
+        struct {
+                u8                      *p;
+                u8                      to;
+        } set_parent_slot[1];
+        u8                              segment_cache[ASSOC_ARRAY_FAN_OUT + 1];
+};
+
+/*
+ * Internal tree member pointers are marked in the bottom one or two bits to
+ * indicate what type they are so that we don't have to look behind every
+ * pointer to see what it points to.
+ *
+ * We provide functions to test type annotations and to create and translate
+ * the annotated pointers.
+ */
+#define ASSOC_ARRAY_PTR_TYPE_MASK 0x1UL
+#define ASSOC_ARRAY_PTR_LEAF_TYPE 0x0UL /* Points to leaf (or nowhere) */
+#define ASSOC_ARRAY_PTR_META_TYPE 0x1UL /* Points to node or shortcut */
+#define ASSOC_ARRAY_PTR_SUBTYPE_MASK    0x2UL
+#define ASSOC_ARRAY_PTR_NODE_SUBTYPE    0x0UL
+#define ASSOC_ARRAY_PTR_SHORTCUT_SUBTYPE 0x2UL
+
+static inline bool assoc_array_ptr_is_meta(const struct assoc_array_ptr *x)
+{
+        return (unsigned long)x & ASSOC_ARRAY_PTR_TYPE_MASK;
+}
+static inline bool assoc_array_ptr_is_leaf(const struct assoc_array_ptr *x)
+{
+        return !assoc_array_ptr_is_meta(x);
+}
+static inline bool assoc_array_ptr_is_shortcut(const struct assoc_array_ptr *x)
+{
+        return (unsigned long)x & ASSOC_ARRAY_PTR_SUBTYPE_MASK;
+}
+static inline bool assoc_array_ptr_is_node(const struct assoc_array_ptr *x)
+{
+        return !assoc_array_ptr_is_shortcut(x);
+}
+
+static inline void *assoc_array_ptr_to_leaf(const struct assoc_array_ptr *x)
+{
+        return (void *)((unsigned long)x & ~ASSOC_ARRAY_PTR_TYPE_MASK);
+}
+
+static inline
+unsigned long __assoc_array_ptr_to_meta(const struct assoc_array_ptr *x)
+{
+        return (unsigned long)x &
+                ~(ASSOC_ARRAY_PTR_SUBTYPE_MASK | ASSOC_ARRAY_PTR_TYPE_MASK);
+}
+static inline
+struct assoc_array_node *assoc_array_ptr_to_node(const struct assoc_array_ptr *x)
+{
+        return (struct assoc_array_node *)__assoc_array_ptr_to_meta(x);
+}
+static inline
+struct assoc_array_shortcut *assoc_array_ptr_to_shortcut(const struct assoc_array_ptr *x)
+{
+        return (struct assoc_array_shortcut *)__assoc_array_ptr_to_meta(x);
+}
+
+static inline
+struct assoc_array_ptr *__assoc_array_x_to_ptr(const void *p, unsigned long t)
+{
+        return (struct assoc_array_ptr *)((unsigned long)p | t);
+}
+static inline
+struct assoc_array_ptr *assoc_array_leaf_to_ptr(const void *p)
+{
+        return __assoc_array_x_to_ptr(p, ASSOC_ARRAY_PTR_LEAF_TYPE);
+}
+static inline
+struct assoc_array_ptr *assoc_array_node_to_ptr(const struct assoc_array_node *p)
+{
+        return __assoc_array_x_to_ptr(
+                p, ASSOC_ARRAY_PTR_META_TYPE | ASSOC_ARRAY_PTR_NODE_SUBTYPE);
+}
+static inline
+struct assoc_array_ptr *assoc_array_shortcut_to_ptr(const struct assoc_array_shortcut *p)
+{
+        return __assoc_array_x_to_ptr(
+                p, ASSOC_ARRAY_PTR_META_TYPE | ASSOC_ARRAY_PTR_SHORTCUT_SUBTYPE);
+}
+
+#endif /* CONFIG_ASSOCIATIVE_ARRAY */
+#endif /* _LINUX_ASSOC_ARRAY_PRIV_H */
diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index 518a53afb9ea..a74c3a84dfdd 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -45,6 +45,7 @@ struct key_preparsed_payload {
         const void      *data;          /* Raw data */
         size_t          datalen;        /* Raw datalen */
         size_t          quotalen;       /* Quota length for proposed payload */
+        bool            trusted;        /* True if key is trusted */
 };
 
 typedef int (*request_key_actor_t)(struct key_construction *key,
@@ -63,6 +64,11 @@ struct key_type {
          */
         size_t def_datalen;
 
+        /* Default key search algorithm. */
+        unsigned def_lookup_type;
+#define KEYRING_SEARCH_LOOKUP_DIRECT    0x0000  /* Direct lookup by description. */
+#define KEYRING_SEARCH_LOOKUP_ITERATE   0x0001  /* Iterative search. */
+
         /* vet a description */
         int (*vet_description)(const char *description);
 
diff --git a/include/linux/key.h b/include/linux/key.h
index 4dfde1161c5e..80d677483e31 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -22,6 +22,7 @@
 #include <linux/sysctl.h>
 #include <linux/rwsem.h>
 #include <linux/atomic.h>
+#include <linux/assoc_array.h>
 
 #ifdef __KERNEL__
 #include <linux/uidgid.h>
@@ -82,6 +83,12 @@ struct key_owner;
 struct keyring_list;
 struct keyring_name;
 
+struct keyring_index_key {
+        struct key_type         *type;
+        const char              *description;
+        size_t                  desc_len;
+};
+
 /*****************************************************************************/
 /*
  * key reference with possession attribute handling
@@ -99,7 +106,7 @@ struct keyring_name;
 typedef struct __key_reference_with_attributes *key_ref_t;
 
 static inline key_ref_t make_key_ref(const struct key *key,
-                                     unsigned long possession)
+                                     bool possession)
 {
         return (key_ref_t) ((unsigned long) key | possession);
 }
@@ -109,7 +116,7 @@ static inline struct key *key_ref_to_ptr(const key_ref_t key_ref)
         return (struct key *) ((unsigned long) key_ref & ~1UL);
 }
 
-static inline unsigned long is_key_possessed(const key_ref_t key_ref)
+static inline bool is_key_possessed(const key_ref_t key_ref)
 {
         return (unsigned long) key_ref & 1UL;
 }
@@ -129,7 +136,6 @@ struct key {
                 struct list_head graveyard_link;
                 struct rb_node  serial_node;
         };
-        struct key_type         *type;          /* type of key */
         struct rw_semaphore     sem;            /* change vs change sem */
         struct key_user         *user;          /* owner of this key */
         void                    *security;      /* security data for this key */
@@ -162,13 +168,21 @@ struct key {
 #define KEY_FLAG_NEGATIVE       5       /* set if key is negative */
 #define KEY_FLAG_ROOT_CAN_CLEAR 6       /* set if key can be cleared by root without permission */
 #define KEY_FLAG_INVALIDATED    7       /* set if key has been invalidated */
+#define KEY_FLAG_TRUSTED        8       /* set if key is trusted */
+#define KEY_FLAG_TRUSTED_ONLY   9       /* set if keyring only accepts links to trusted keys */
 
-        /* the description string
-         * - this is used to match a key against search criteria
-         * - this should be a printable string
+        /* the key type and key description string
+         * - the desc is used to match a key against search criteria
+         * - it should be a printable string
          * - eg: for krb5 AFS, this might be "afs@REDHAT.COM"
          */
-        char                    *description;
+        union {
+                struct keyring_index_key index_key;
+                struct {
+                        struct key_type *type;          /* type of key */
+                        char            *description;
+                };
+        };
 
         /* type specific data
          * - this is used by the keyring type to index the name
@@ -185,11 +199,14 @@ struct key {
          *   whatever
          */
         union {
-                unsigned long           value;
-                void __rcu              *rcudata;
-                void                    *data;
-                struct keyring_list __rcu *subscriptions;
-        } payload;
+                union {
+                        unsigned long           value;
+                        void __rcu              *rcudata;
+                        void                    *data;
+                        void                    *data2[2];
+                } payload;
+                struct assoc_array keys;
+        };
 };
 
 extern struct key *key_alloc(struct key_type *type,
@@ -203,18 +220,23 @@ extern struct key *key_alloc(struct key_type *type,
 #define KEY_ALLOC_IN_QUOTA      0x0000  /* add to quota, reject if would overrun */
 #define KEY_ALLOC_QUOTA_OVERRUN 0x0001  /* add to quota, permit even if overrun */
 #define KEY_ALLOC_NOT_IN_QUOTA  0x0002  /* not in quota */
+#define KEY_ALLOC_TRUSTED       0x0004  /* Key should be flagged as trusted */
 
 extern void key_revoke(struct key *key);
 extern void key_invalidate(struct key *key);
 extern void key_put(struct key *key);
 
-static inline struct key *key_get(struct key *key)
+static inline struct key *__key_get(struct key *key)
 {
-        if (key)
-                atomic_inc(&key->usage);
+        atomic_inc(&key->usage);
         return key;
 }
 
+static inline struct key *key_get(struct key *key)
+{
+        return key ? __key_get(key) : key;
+}
+
 static inline void key_ref_put(key_ref_t key_ref)
 {
         key_put(key_ref_to_ptr(key_ref));
diff --git a/include/linux/security.h b/include/linux/security.h
index 9d37e2b9d3ec..5623a7f965b7 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1052,17 +1052,25 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  * @xfrm_policy_delete_security:
  *      @ctx contains the xfrm_sec_ctx.
  *      Authorize deletion of xp->security.
- * @xfrm_state_alloc_security:
+ * @xfrm_state_alloc:
  *      @x contains the xfrm_state being added to the Security Association
  *      Database by the XFRM system.
  *      @sec_ctx contains the security context information being provided by
  *      the user-level SA generation program (e.g., setkey or racoon).
- *      @secid contains the secid from which to take the mls portion of the context.
  *      Allocate a security structure to the x->security field; the security
  *      field is initialized to NULL when the xfrm_state is allocated. Set the
- *      context to correspond to either sec_ctx or polsec, with the mls portion
- *      taken from secid in the latter case.
- *      Return 0 if operation was successful (memory to allocate, legal context).
+ *      context to correspond to sec_ctx. Return 0 if operation was successful
+ *      (memory to allocate, legal context).
+ * @xfrm_state_alloc_acquire:
+ *      @x contains the xfrm_state being added to the Security Association
+ *      Database by the XFRM system.
+ *      @polsec contains the policy's security context.
+ *      @secid contains the secid from which to take the mls portion of the
+ *      context.
+ *      Allocate a security structure to the x->security field; the security
+ *      field is initialized to NULL when the xfrm_state is allocated. Set the
+ *      context to correspond to secid. Return 0 if operation was successful
+ *      (memory to allocate, legal context).
  * @xfrm_state_free_security:
  *      @x contains the xfrm_state.
  *      Deallocate x->security.
@@ -1679,9 +1687,11 @@ struct security_operations {
         int (*xfrm_policy_clone_security) (struct xfrm_sec_ctx *old_ctx, struct xfrm_sec_ctx **new_ctx);
         void (*xfrm_policy_free_security) (struct xfrm_sec_ctx *ctx);
         int (*xfrm_policy_delete_security) (struct xfrm_sec_ctx *ctx);
-        int (*xfrm_state_alloc_security) (struct xfrm_state *x,
-                struct xfrm_user_sec_ctx *sec_ctx,
-                u32 secid);
+        int (*xfrm_state_alloc) (struct xfrm_state *x,
+                                 struct xfrm_user_sec_ctx *sec_ctx);
+        int (*xfrm_state_alloc_acquire) (struct xfrm_state *x,
+                                         struct xfrm_sec_ctx *polsec,
+                                         u32 secid);
         void (*xfrm_state_free_security) (struct xfrm_state *x);
         int (*xfrm_state_delete_security) (struct xfrm_state *x);
         int (*xfrm_policy_lookup) (struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 4db29859464f..4836ba3c1cd8 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -27,6 +27,12 @@ struct user_namespace {
         kuid_t                  owner;
         kgid_t                  group;
         unsigned int            proc_inum;
+
+        /* Register of per-UID persistent keyrings for this namespace */
+#ifdef CONFIG_PERSISTENT_KEYRINGS
+        struct key              *persistent_keyring_register;
+        struct rw_semaphore     persistent_keyring_register_sem;
+#endif
 };
 
 extern struct user_namespace init_user_ns;
diff --git a/include/uapi/linux/hash_info.h b/include/uapi/linux/hash_info.h
new file mode 100644
index 000000000000..ca18c45f8304
--- /dev/null
+++ b/include/uapi/linux/hash_info.h
@@ -0,0 +1,37 @@
+/*
+ * Hash Info: Hash algorithms information
+ *
+ * Copyright (c) 2013 Dmitry Kasatkin <d.kasatkin@samsung.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ */
+
+#ifndef _UAPI_LINUX_HASH_INFO_H
+#define _UAPI_LINUX_HASH_INFO_H
+
+enum hash_algo {
+        HASH_ALGO_MD4,
+        HASH_ALGO_MD5,
+        HASH_ALGO_SHA1,
+        HASH_ALGO_RIPE_MD_160,
+        HASH_ALGO_SHA256,
+        HASH_ALGO_SHA384,
+        HASH_ALGO_SHA512,
+        HASH_ALGO_SHA224,
+        HASH_ALGO_RIPE_MD_128,
+        HASH_ALGO_RIPE_MD_256,
+        HASH_ALGO_RIPE_MD_320,
+        HASH_ALGO_WP_256,
+        HASH_ALGO_WP_384,
+        HASH_ALGO_WP_512,
+        HASH_ALGO_TGR_128,
+        HASH_ALGO_TGR_160,
+        HASH_ALGO_TGR_192,
+        HASH_ALGO__LAST
+};
+
+#endif /* _UAPI_LINUX_HASH_INFO_H */
diff --git a/include/uapi/linux/keyctl.h b/include/uapi/linux/keyctl.h
index c9b7f4faf97a..840cb990abe2 100644
--- a/include/uapi/linux/keyctl.h
+++ b/include/uapi/linux/keyctl.h
@@ -56,5 +56,6 @@
 #define KEYCTL_REJECT                   19      /* reject a partially constructed key */
 #define KEYCTL_INSTANTIATE_IOV          20      /* instantiate a partially constructed key */
 #define KEYCTL_INVALIDATE               21      /* invalidate a key */
+#define KEYCTL_GET_PERSISTENT           22      /* get a user's persistent keyring */
 
 #endif /*  _LINUX_KEYCTL_H */