Mimi Zohar b46503068c certs: Only allow certs signed by keys on the builtin keyring ...

Originally the secondary trusted keyring provided a keyring to which extra
keys may be added, provided those keys were not blacklisted and were
vouched for by a key built into the kernel or already in the secondary
trusted keyring.

On systems with the machine keyring configured, additional keys may also
be vouched for by a key on the machine keyring.

Prevent loading additional certificates directly onto the secondary
keyring, vouched for by keys on the machine keyring, yet allow these
certificates to be loaded onto other trusted keyrings.

Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

2023-10-31 08:22:36 -04:00

..

.gitignore

certs: fix and refactor CONFIG_SYSTEM_BLACKLIST_HASH_LIST build

2022-06-15 21:52:32 +03:00

blacklist_hashes.c

certs: unify blacklist_hashes.c and blacklist_nohashes.c

2022-07-27 21:17:59 +09:00

blacklist.c

certs: don't try to update blacklist keys

2023-02-13 10:11:20 +02:00

blacklist.h

certs: Add EFI_CERT_X509_GUID support for dbx entries

2021-03-11 16:31:28 +00:00

check-blacklist-hashes.awk

certs: move scripts/check-blacklist-hashes.awk to certs/

2022-07-27 21:17:59 +09:00

default_x509.genkey

certs: check-in the default x509 config file

2021-12-11 22:09:14 +09:00

extract-cert.c

kbuild: do not print extra logs for V=2

2023-01-22 23:43:32 +09:00

Kconfig

certs: Only allow certs signed by keys on the builtin keyring

2023-10-31 08:22:36 -04:00

Makefile

certs: Fix build error when PKCS#11 URI contains semicolon

2023-01-31 17:53:01 +09:00

revocation_certificates.S

certs: Add ability to preload revocation certs

2021-03-11 16:33:49 +00:00

system_certificates.S

certs: include certs/signing_key.x509 unconditionally

2022-03-03 08:16:19 +09:00

system_keyring.c

certs: Reference revocation list for all keyrings

2023-08-17 20:12:41 +00:00