Move certificate handling to its own directory
Move certificate handling out of the kernel/ directory and into a certs/ directory to get all the weird stuff in one place and move the generated signing keys into this directory.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
parent
0e38c35815
commit
cfc411e7ff
10 changed files with 212 additions and 195 deletions
39
init/Kconfig
39
init/Kconfig
|
@ -1740,31 +1740,6 @@ config MMAP_ALLOW_UNINITIALIZED
|
|||
|
||||
See Documentation/nommu-mmap.txt for more information.
|
||||
|
||||
config SYSTEM_TRUSTED_KEYRING
|
||||
bool "Provide system-wide ring of trusted keys"
|
||||
depends on KEYS
|
||||
help
|
||||
Provide a system keyring to which trusted keys can be added. Keys in
|
||||
the keyring are considered to be trusted. Keys may be added at will
|
||||
by the kernel from compiled-in data and from hardware key stores, but
|
||||
userspace may only add extra keys if those keys can be verified by
|
||||
keys already in the keyring.
|
||||
|
||||
Keys in this keyring are used by module signature checking.
|
||||
|
||||
config SYSTEM_TRUSTED_KEYS
|
||||
string "Additional X.509 keys for default system keyring"
|
||||
depends on SYSTEM_TRUSTED_KEYRING
|
||||
help
|
||||
If set, this option should be the filename of a PEM-formatted file
|
||||
containing trusted X.509 certificates to be included in the default
|
||||
system keyring. Any certificate used for module signing is implicitly
|
||||
also trusted.
|
||||
|
||||
NOTE: If you previously provided keys for the system keyring in the
|
||||
form of DER-encoded *.x509 files in the top-level build directory,
|
||||
those are no longer used. You will need to set this option instead.
|
||||
|
||||
config SYSTEM_DATA_VERIFICATION
|
||||
def_bool n
|
||||
select SYSTEM_TRUSTED_KEYRING
|
||||
|
@ -1965,20 +1940,6 @@ config MODULE_SIG_HASH
|
|||
default "sha384" if MODULE_SIG_SHA384
|
||||
default "sha512" if MODULE_SIG_SHA512
|
||||
|
||||
config MODULE_SIG_KEY
|
||||
string "File name or PKCS#11 URI of module signing key"
|
||||
default "signing_key.pem"
|
||||
depends on MODULE_SIG
|
||||
help
|
||||
Provide the file name of a private key/certificate in PEM format,
|
||||
or a PKCS#11 URI according to RFC7512. The file should contain, or
|
||||
the URI should identify, both the certificate and its corresponding
|
||||
private key.
|
||||
|
||||
If this option is unchanged from its default "signing_key.pem",
|
||||
then the kernel will automatically generate the private key and
|
||||
certificate as described in Documentation/module-signing.txt
|
||||
|
||||
config MODULE_COMPRESS
|
||||
bool "Compress modules on installation"
|
||||
depends on MODULES
|
||||
|
|