Note: File does not exist in v3.1.
  1/* SPDX-License-Identifier: GPL-2.0-or-later */
  2/* System keyring containing trusted public keys.
  3 *
  4 * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
  5 * Written by David Howells (dhowells@redhat.com)
  6 */
  7
  8#ifndef _KEYS_SYSTEM_KEYRING_H
  9#define _KEYS_SYSTEM_KEYRING_H
 10
 11#include <linux/key.h>
 12
  /*
   * Kind of digest a blacklist entry or lookup refers to.
   *
   * Both members carry explicit values (1 and 2); no member is assigned zero.
   */
  enum blacklist_hash_type {
  	BLACKLIST_HASH_X509_TBS = 1,	/* TBSCertificate hash */
  	BLACKLIST_HASH_BINARY = 2,	/* Raw data hash */
  };
 19
  /*
   * Built-in trusted keyring interface.
   *
   * With CONFIG_SYSTEM_TRUSTED_KEYRING set, both functions are only declared
   * here and defined elsewhere.  Without it, restrict_link_by_builtin_trusted
   * becomes a macro alias for restrict_link_reject and load_module_cert() is
   * an empty stub that returns 0.
   *
   * NOTE(review): restrict_link_reject is not declared in this header
   * (presumably it comes from <linux/key.h>).  Going by its name it refuses
   * every link, which would make the disabled configuration fail closed;
   * confirm against its definition.
   */
  #ifdef CONFIG_SYSTEM_TRUSTED_KEYRING

  int restrict_link_by_builtin_trusted(struct key *keyring,
  				     const struct key_type *type,
  				     const union key_payload *payload,
  				     struct key *restriction_key);
  __init int load_module_cert(struct key *keyring);

  #else /* !CONFIG_SYSTEM_TRUSTED_KEYRING */

  #define restrict_link_by_builtin_trusted restrict_link_reject

  /* Stub: @keyring is left untouched and success (0) is reported. */
  static inline __init int load_module_cert(struct key *keyring)
  {
  	return 0;
  }

  #endif /* CONFIG_SYSTEM_TRUSTED_KEYRING */
 37
  /*
   * Link restriction named for the built-in plus secondary trusted keyrings.
   *
   * Declared only when CONFIG_SECONDARY_TRUSTED_KEYRING is set.  Otherwise the
   * name is a macro alias for restrict_link_by_builtin_trusted, which is
   * itself a macro for restrict_link_reject when CONFIG_SYSTEM_TRUSTED_KEYRING
   * is off, so the alias can resolve through two levels.
   */
  #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
  int restrict_link_by_builtin_and_secondary_trusted(struct key *keyring,
  		const struct key_type *type,
  		const union key_payload *payload,
  		struct key *restriction_key);
  #else /* !CONFIG_SECONDARY_TRUSTED_KEYRING */
  #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
  #endif /* CONFIG_SECONDARY_TRUSTED_KEYRING */
 47
  /*
   * Machine keyring interface.
   *
   * With CONFIG_INTEGRITY_MACHINE_KEYRING set, both functions are declared
   * here and defined elsewhere.  Without it, the restriction name is a macro
   * alias for restrict_link_by_builtin_trusted and
   * set_machine_trusted_keys() is an empty stub.
   *
   * NOTE(review): the fallback is the built-in-only restriction, not
   * restrict_link_by_builtin_and_secondary_trusted.  That is the narrower of
   * the two names; confirm it is intended for callers that expect keys from
   * the secondary keyring to be accepted.
   */
  #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
  int restrict_link_by_builtin_secondary_and_machine(struct key *dest_keyring,
  		const struct key_type *type,
  		const union key_payload *payload,
  		struct key *restrict_key);
  void __init set_machine_trusted_keys(struct key *keyring);
  #else /* !CONFIG_INTEGRITY_MACHINE_KEYRING */
  #define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted

  /* Stub: @keyring is ignored and nothing is recorded. */
  static inline void __init set_machine_trusted_keys(struct key *keyring)
  {
  }
  #endif /* CONFIG_INTEGRITY_MACHINE_KEYRING */
 61
  /*
   * NOTE(review): this declares an object named pkcs7, but no definition is
   * visible in this header.  It looks like it is here only to introduce
   * struct pkcs7_message at file scope for the prototypes further down; a
   * plain "struct pkcs7_message;" would do that without declaring a global
   * name.  Confirm before changing.
   */
  extern struct pkcs7_message *pkcs7;

  /*
   * Hash blacklist interface.
   *
   * With CONFIG_SYSTEM_BLACKLIST_KEYRING set, the three functions are declared
   * here and defined elsewhere.  Without it, the two lookup functions are
   * stubs that return 0 for every input, and mark_hash_blacklisted() is not
   * declared at all, so any caller of it must itself be built only when the
   * option is enabled.
   *
   * NOTE(review): callers presumably read 0 as "not blacklisted".  If so,
   * every lookup passes when the option is disabled; confirm against the real
   * implementation's return convention.
   */
  #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING

  int mark_hash_blacklisted(const u8 *hash, size_t hash_len,
  			  enum blacklist_hash_type hash_type);
  int is_hash_blacklisted(const u8 *hash, size_t hash_len,
  			enum blacklist_hash_type hash_type);
  int is_binary_blacklisted(const u8 *hash, size_t hash_len);

  #else /* !CONFIG_SYSTEM_BLACKLIST_KEYRING */

  /* Stub: returns 0 whatever @hash, @hash_len and @hash_type are. */
  static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
  				      enum blacklist_hash_type hash_type)
  {
  	return 0;
  }

  /* Stub: returns 0 whatever @hash and @hash_len are. */
  static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
  {
  	return 0;
  }

  #endif /* CONFIG_SYSTEM_BLACKLIST_KEYRING */
 81
  /*
   * Key revocation list interface.
   *
   * With CONFIG_SYSTEM_REVOCATION_LIST set, both functions are declared here
   * and defined elsewhere.  Without it they are stubs:
   *   - add_key_to_revocation_list() discards its input and returns 0, so a
   *     caller cannot tell from the result that nothing was recorded;
   *   - is_key_on_revocation_list() always returns -ENOKEY.
   *
   * NOTE(review): -ENOKEY is presumably the "not found on the list" result.
   * If so, no PKCS#7 message is ever reported as revoked when the option is
   * disabled; confirm with the callers.
   */
  #ifdef CONFIG_SYSTEM_REVOCATION_LIST

  int add_key_to_revocation_list(const char *data, size_t size);
  int is_key_on_revocation_list(struct pkcs7_message *pkcs7);

  #else /* !CONFIG_SYSTEM_REVOCATION_LIST */

  /* Stub: @data and @size are ignored; always reports success. */
  static inline int add_key_to_revocation_list(const char *data, size_t size)
  {
  	return 0;
  }

  /* Stub: @pkcs7 is not inspected; always returns -ENOKEY. */
  static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
  {
  	return -ENOKEY;
  }

  #endif /* CONFIG_SYSTEM_REVOCATION_LIST */
 95
  #ifdef CONFIG_IMA_BLACKLIST_KEYRING
  extern struct key *ima_blacklist_keyring;
  #endif

  /*
   * Accessor for the IMA blacklist keyring.
   *
   * Returns the ima_blacklist_keyring pointer when
   * CONFIG_IMA_BLACKLIST_KEYRING is set and NULL otherwise, so callers have
   * to cope with a NULL result.
   */
  static inline struct key *get_ima_blacklist_keyring(void)
  {
  #ifdef CONFIG_IMA_BLACKLIST_KEYRING
  	return ima_blacklist_keyring;
  #else
  	return NULL;
  #endif /* CONFIG_IMA_BLACKLIST_KEYRING */
  }
109
 /*
  * Platform keyring hook.
  *
  * The real function is declared only when both
  * CONFIG_INTEGRITY_PLATFORM_KEYRING and CONFIG_SYSTEM_TRUSTED_KEYRING are
  * set; if either is missing, the call compiles to an empty stub and
  * @keyring is ignored.
  *
  * NOTE(review): unlike the declaration and the set_machine_trusted_keys()
  * stub in this header, this stub carries no __init annotation.  That looks
  * harmless for an empty inline, but it is inconsistent.
  */
 #if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
     defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
 void __init set_platform_trusted_keys(struct key *keyring);
 #else
 static inline void set_platform_trusted_keys(struct key *keyring)
 {
 }
 #endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING && CONFIG_SYSTEM_TRUSTED_KEYRING */
118
119#endif /* _KEYS_SYSTEM_KEYRING_H */