• Dmitry Kasatkin's avatar
    KEYS: validate certificate trust only with selected key · ffb70f61
    Dmitry Kasatkin authored
    Instead of allowing public keys, with certificates signed by any
    key on the system trusted keyring, to be added to a trusted keyring,
    this patch further restricts the certificates to those signed by a
    particular key on the system keyring.
    
    This patch defines a new kernel parameter 'ca_keys' to identify the
    specific key which must be used for trust validation of certificates.
    
    Simplified Mimi's "KEYS: define an owner trusted keyring" patch.
    
    Changelog:
    - support for builtin x509 public keys only
    - export "asymmetric_keyid_match"
    - remove ifndefs MODULE
    - rename kernel boot parameter from keys_ownerid to ca_keys
    Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
    Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
    ffb70f61
x509_public_key.c 8.31 KB