KEYS: Separate the kernel signature checking keyring from module signing

Separate the kernel signature checking keyring from module signing so that it can be used by code other than the module-signing code. Signed-off-by: David Howells <dhowells@redhat.com>
author: David Howells <dhowells@redhat.com> 2013-01-15 18:39:54 +0000
committer: David Howells <dhowells@redhat.com> 2013-01-18 13:54:08 +0000
commit: ebe2e946f60e0012c02a27845bdab70e34cc4202 (patch)
tree: fececef0102cdee94777781e033f934ba3e9d237 /init
parent: ee70863519e4c9558c861bcf5e30c07803c3d4e9 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/init/Kconfig b/init/Kconfig
index 7d30240e5bfe..65bcf1264e44 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1568,6 +1568,18 @@ config BASE_SMALL
 	default 0 if BASE_FULL
 	default 1 if !BASE_FULL
 
+config SYSTEM_TRUSTED_KEYRING
+	bool "Provide system-wide ring of trusted keys"
+	depends on KEYS
+	help
+	  Provide a system keyring to which trusted keys can be added.  Keys in
+	  the keyring are considered to be trusted.  Keys may be added at will
+	  by the kernel from compiled-in data and from hardware key stores, but
+	  userspace may only add extra keys if those keys can be verified by
+	  keys already in the keyring.
+
+	  Keys in this keyring are used by module signature checking.
+
 menuconfig MODULES
 	bool "Enable loadable module support"
 	help
@@ -1640,6 +1652,7 @@ config MODULE_SRCVERSION_ALL
 config MODULE_SIG
 	bool "Module signature verification"
 	depends on MODULES
+	select SYSTEM_TRUSTED_KEYRING
 	select KEYS
 	select CRYPTO
 	select ASYMMETRIC_KEY_TYPE
author	David Howells <dhowells@redhat.com>	2013-01-15 18:39:54 +0000
committer	David Howells <dhowells@redhat.com>	2013-01-18 13:54:08 +0000
commit	ebe2e946f60e0012c02a27845bdab70e34cc4202 (patch)
tree	fececef0102cdee94777781e033f934ba3e9d237 /init
parent	ee70863519e4c9558c861bcf5e30c07803c3d4e9 (diff)