1 // SPDX-License-Identifier: GPL-2.0-or-later
16 #include <keys/asymmetric-type.h>
36  * restrict_link_by_builtin_trusted - Restrict keyring addition by built-in CA
40  * @restriction_key: A ring of keys that can be used to vouch for the new cert.
42  * Restrict the addition of keys into a keyring based on the key-to-be-added
55  * restrict_link_by_digsig_builtin - Restrict digitalSignature key additions by the built-in keyring
59  * @restriction_key: A ring of keys that can be used to vouch for the new cert.
61  * Restrict the addition of keys into a keyring based on the key-to-be-added
76  * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring
77  *   addition by both built-in and secondary keyrings.
81  * @restrict_key: A ring of keys that can be used to vouch for the new cert.
83  * Restrict the addition of keys into a keyring based on the key-to-be-added
84  * being vouched for by a key in either the built-in or the secondary system
93 	/* If we have a secondary trusted keyring, then that contains a link  in restrict_link_by_builtin_and_secondary_trusted()
98 	    payload == &builtin_trusted_keys->payload)  in restrict_link_by_builtin_and_secondary_trusted()
99 		/* Allow the builtin keyring to be added to the secondary */  in restrict_link_by_builtin_and_secondary_trusted()
107  * restrict_link_by_digsig_builtin_and_secondary - Restrict by digitalSignature.
111  * @restrict_key: A ring of keys that can be used to vouch for the new cert.
113  * Restrict the addition of keys into a keyring based on the key-to-be-added
114  * being vouched for by a key in either the built-in or the secondary system
122 	/* If we have a secondary trusted keyring, then that contains a link  in restrict_link_by_digsig_builtin_and_secondary()
127 	    payload == &builtin_trusted_keys->payload)  in restrict_link_by_digsig_builtin_and_secondary()
128 		/* Allow the builtin keyring to be added to the secondary */  in restrict_link_by_digsig_builtin_and_secondary()
136  * Allocate a struct key_restriction for the "builtin and secondary trust"
146 		panic("Can't allocate secondary trusted keyring restriction\n");  in get_builtin_and_secondary_restriction()
149 		restriction->check = restrict_link_by_builtin_secondary_and_machine;  in get_builtin_and_secondary_restriction()
151 		restriction->check = restrict_link_by_builtin_and_secondary_trusted;  in get_builtin_and_secondary_restriction()
157  * add_to_secondary_keyring - Add to secondary keyring.
162  * Add a key to the secondary keyring. The key must be vouched for by a key in the builtin,
163  * machine or secondary keyring itself.
177 		pr_err("Problem loading X.509 certificate from %s to secondary keyring %ld\n",  in add_to_secondary_keyring()
182 	pr_notice("Loaded X.509 cert '%s'\n", key_ref_to_ptr(key)->description);  in add_to_secondary_keyring()
192 		panic("Can't link (machine) trusted keyrings\n");  in set_machine_trusted_keys()
196  * restrict_link_by_builtin_secondary_and_machine - Restrict keyring addition.
200  * @restrict_key: A ring of keys that can be used to vouch for the new cert.
202  * Restrict the addition of keys into a keyring based on the key-to-be-added
203  * being vouched for by a key in either the built-in, the secondary, or
214 	    payload == &machine_trusted_keys->payload)  in restrict_link_by_builtin_secondary_and_machine()
215 		/* Allow the machine keyring to be added to the secondary */  in restrict_link_by_builtin_secondary_and_machine()
238 		panic("Can't allocate builtin trusted keyring\n");  in system_trusted_keyring_init()
251 		panic("Can't allocate secondary trusted keyring\n");  in system_trusted_keyring_init()
254 		panic("Can't link trusted keyrings\n");  in system_trusted_keyring_init()
270 	pr_notice("Loading compiled-in module X.509 certificates\n");  in load_module_cert()
277  * Load the compiled-in list of X.509 certificates.
284 	pr_notice("Loading compiled-in X.509 certificates\n");  in load_system_certificate_list()
291 	size = system_certificate_list_size - module_cert_size;  in load_system_certificate_list()
301  * verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data.
322 	/* The data should be detached - so we need to supply it. */  in verify_pkcs7_message_sig()
324 		pr_err("PKCS#7 signature with non-detached data\n");  in verify_pkcs7_message_sig()
325 		ret = -EBADMSG;  in verify_pkcs7_message_sig()
334 	if (ret != -ENOKEY) {  in verify_pkcs7_message_sig()
354 			ret = -ENOKEY;  in verify_pkcs7_message_sig()
361 		if (ret == -ENOKEY)  in verify_pkcs7_message_sig()
371 			if (ret == -ENODATA)  in verify_pkcs7_message_sig()
385  * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.