1/* SPDX-License-Identifier: GPL-2.0-or-later */
2/* System keyring containing trusted public keys.
3 *
4 * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
6 */
7
8#ifndef _KEYS_SYSTEM_KEYRING_H
9#define _KEYS_SYSTEM_KEYRING_H
10
11#include <linux/key.h>
12
13#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
14
15extern int restrict_link_by_builtin_trusted(struct key *keyring,
16					    const struct key_type *type,
17					    const union key_payload *payload,
18					    struct key *restriction_key);
19
20#else
21#define restrict_link_by_builtin_trusted restrict_link_reject
22#endif
23
24#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
25extern int restrict_link_by_builtin_and_secondary_trusted(
26	struct key *keyring,
27	const struct key_type *type,
28	const union key_payload *payload,
29	struct key *restriction_key);
30#else
31#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
32#endif
33
34extern struct pkcs7_message *pkcs7;
35#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
36extern int mark_hash_blacklisted(const char *hash);
37extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
38			       const char *type);
39extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
40#else
41static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
42				      const char *type)
43{
44	return 0;
45}
46
47static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
48{
49	return 0;
50}
51#endif
52
53#ifdef CONFIG_SYSTEM_REVOCATION_LIST
54extern int add_key_to_revocation_list(const char *data, size_t size);
55extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
56#else
57static inline int add_key_to_revocation_list(const char *data, size_t size)
58{
59	return 0;
60}
61static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
62{
63	return -ENOKEY;
64}
65#endif
66
67#ifdef CONFIG_IMA_BLACKLIST_KEYRING
68extern struct key *ima_blacklist_keyring;
69
70static inline struct key *get_ima_blacklist_keyring(void)
71{
72	return ima_blacklist_keyring;
73}
74#else
75static inline struct key *get_ima_blacklist_keyring(void)
76{
77	return NULL;
78}
79#endif /* CONFIG_IMA_BLACKLIST_KEYRING */
80
81#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
82	defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
83extern void __init set_platform_trusted_keys(struct key *keyring);
84#else
85static inline void set_platform_trusted_keys(struct key *keyring)
86{
87}
88#endif
89
90#endif /* _KEYS_SYSTEM_KEYRING_H */
91