
Searched refs:keyring (Results 1 – 25 of 55) sorted by relevance


/Linux-v5.4/security/keys/
Dkeyring.c76 static int keyring_instantiate(struct key *keyring,
78 static void keyring_revoke(struct key *keyring);
79 static void keyring_destroy(struct key *keyring);
80 static void keyring_describe(const struct key *keyring, struct seq_file *m);
81 static long keyring_read(const struct key *keyring,
107 static void keyring_publish_name(struct key *keyring) in keyring_publish_name() argument
111 if (keyring->description && in keyring_publish_name()
112 keyring->description[0] && in keyring_publish_name()
113 keyring->description[0] != '.') { in keyring_publish_name()
115 list_add_tail(&keyring->name_link, &ns->keyring_name_list); in keyring_publish_name()
[all …]
Dprocess_keys.c223 struct key *keyring; in install_thread_keyring_to_cred() local
228 keyring = keyring_alloc("_tid", new->uid, new->gid, new, in install_thread_keyring_to_cred()
232 if (IS_ERR(keyring)) in install_thread_keyring_to_cred()
233 return PTR_ERR(keyring); in install_thread_keyring_to_cred()
235 new->thread_keyring = keyring; in install_thread_keyring_to_cred()
270 struct key *keyring; in install_process_keyring_to_cred() local
275 keyring = keyring_alloc("_pid", new->uid, new->gid, new, in install_process_keyring_to_cred()
279 if (IS_ERR(keyring)) in install_process_keyring_to_cred()
280 return PTR_ERR(keyring); in install_process_keyring_to_cred()
282 new->process_keyring = keyring; in install_process_keyring_to_cred()
[all …]
Dkey.c423 struct key *keyring, in __key_instantiate_and_link() argument
430 key_check(keyring); in __key_instantiate_and_link()
451 if (keyring) { in __key_instantiate_and_link()
452 if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) in __key_instantiate_and_link()
497 struct key *keyring, in key_instantiate_and_link() argument
515 if (keyring) { in key_instantiate_and_link()
516 ret = __key_link_lock(keyring, &key->index_key); in key_instantiate_and_link()
520 ret = __key_link_begin(keyring, &key->index_key, &edit); in key_instantiate_and_link()
524 if (keyring->restrict_link && keyring->restrict_link->check) { in key_instantiate_and_link()
525 struct key_restriction *keyres = keyring->restrict_link; in key_instantiate_and_link()
[all …]
Dinternal.h92 extern int __key_link_lock(struct key *keyring,
96 extern int __key_link_begin(struct key *keyring,
99 extern int __key_link_check_live_key(struct key *keyring, struct key *key);
101 extern void __key_link_end(struct key *keyring,
108 extern struct key *keyring_search_instkey(struct key *keyring,
111 extern int iterate_over_keyring(const struct key *keyring,
173 extern void keyring_gc(struct key *keyring, time64_t limit);
174 extern void keyring_restriction_gc(struct key *keyring,
Drequest_key.c79 struct key *keyring = info->data; in umh_keys_init() local
81 return install_session_keyring_to_cred(cred, keyring); in umh_keys_init()
89 struct key *keyring = info->data; in umh_keys_cleanup() local
90 key_put(keyring); in umh_keys_cleanup()
121 struct key *key = rka->target_key, *keyring, *session, *user_session; in call_sbin_request_key() local
137 keyring = keyring_alloc(desc, cred->fsuid, cred->fsgid, cred, in call_sbin_request_key()
141 if (IS_ERR(keyring)) { in call_sbin_request_key()
142 ret = PTR_ERR(keyring); in call_sbin_request_key()
147 ret = key_link(keyring, authkey); in call_sbin_request_key()
193 ret = call_usermodehelper_keys(request_key, argv, envp, keyring, in call_sbin_request_key()
[all …]
/Linux-v5.4/security/integrity/
Ddigsig.c23 static struct key *keyring[INTEGRITY_KEYRING_MAX]; variable
47 if (!keyring[id]) { in integrity_keyring_from_id()
48 keyring[id] = in integrity_keyring_from_id()
50 if (IS_ERR(keyring[id])) { in integrity_keyring_from_id()
51 int err = PTR_ERR(keyring[id]); in integrity_keyring_from_id()
53 keyring[id] = NULL; in integrity_keyring_from_id()
58 return keyring[id]; in integrity_keyring_from_id()
64 struct key *keyring; in integrity_digsig_verify() local
69 keyring = integrity_keyring_from_id(id); in integrity_digsig_verify()
70 if (IS_ERR(keyring)) in integrity_digsig_verify()
[all …]
Ddigsig_asymmetric.c24 static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid) in request_asymmetric_key() argument
45 if (keyring) { in request_asymmetric_key()
49 kref = keyring_search(make_key_ref(keyring, 1), in request_asymmetric_key()
78 int asymmetric_verify(struct key *keyring, const char *sig, in asymmetric_verify() argument
97 key = request_asymmetric_key(keyring, be32_to_cpu(hdr->keyid)); in asymmetric_verify()
Dintegrity.h193 int asymmetric_verify(struct key *keyring, const char *sig,
196 static inline int asymmetric_verify(struct key *keyring, const char *sig, in asymmetric_verify() argument
204 int ima_modsig_verify(struct key *keyring, const struct modsig *modsig);
206 static inline int ima_modsig_verify(struct key *keyring, in ima_modsig_verify() argument
DKconfig29 to "lock" certain keyring to prevent adding new keys.
53 keyring.
56 bool "Provide keyring for platform/firmware trusted keys"
60 Provide a separate, distinct keyring for platform trusted keys, which
/Linux-v5.4/certs/
DKconfig23 Provide a system keyring to which trusted keys can be added. Keys in
24 the keyring are considered to be trusted. Keys may be added at will
27 keys already in the keyring.
29 Keys in this keyring are used by module signature checking.
32 string "Additional X.509 keys for default system keyring"
37 system keyring. Any certificate used for module signing is implicitly
40 NOTE: If you previously provided keys for the system keyring in the
50 system keyring without recompiling the kernel.
61 bool "Provide a keyring to which extra trustable keys may be added"
64 If set, provide a keyring to which extra keys may be added, provided
[all …]
/Linux-v5.4/Documentation/
Ddigsig.txt63 * @keyring: keyring to search key in
75 int digsig_verify(struct key *keyring, const char *sig, int siglen,
82 to generate signatures, to load keys into the kernel keyring.
84 When the key is added to the kernel keyring, the keyid defines the name
91 -3 --alswrv 0 0 keyring: _ses
92 603976250 --alswrv 0 -1 \_ keyring: _uid.0
95 170323636 --alswrv 0 0 \_ keyring: _module
96 548221616 --alswrv 0 0 \_ keyring: _ima
97 128198054 --alswrv 0 0 \_ keyring: _evm
100 1 key in keyring:
/Linux-v5.4/fs/cifs/
Dcifs_spnego.c193 struct key *keyring; in init_cifs_spnego() local
208 keyring = keyring_alloc(".cifs_spnego", in init_cifs_spnego()
213 if (IS_ERR(keyring)) { in init_cifs_spnego()
214 ret = PTR_ERR(keyring); in init_cifs_spnego()
226 set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags); in init_cifs_spnego()
227 cred->thread_keyring = keyring; in init_cifs_spnego()
231 cifs_dbg(FYI, "cifs spnego keyring: %d\n", key_serial(keyring)); in init_cifs_spnego()
235 key_put(keyring); in init_cifs_spnego()
/Linux-v5.4/Documentation/security/keys/
Drequest-key.rst46 does not need to link the key to a keyring to prevent it from being immediately
63 The userspace interface links the key to a keyring associated with the process
96 keyring that contains a link to auth key V.
104 Kerberos TGT key). It just requests the appropriate key, and the keyring
105 search notes that the session keyring has auth key V in its bottom level.
152 A search of any particular keyring proceeds in the following fashion:
155 firstly calls key_permission(SEARCH) on the keyring it's starting with,
158 2) It considers all the non-keyring keys within that keyring and, if any key
164 3) It then considers all the keyring-type keys in the keyring it's currently
165 searching. It calls key_permission(SEARCH) on each keyring, and if this
[all …]
Dcore.rst10 other keys. Processes each have three standard keyring subscriptions that a
68 actual "key". In the case of a keyring, this is a list of keys to which
69 the keyring links; in the case of a user-defined key, it's an arbitrary
116 (+) "keyring"
140 * Each process subscribes to three keyrings: a thread-specific keyring, a
141 process-specific keyring, and a session-specific keyring.
143 The thread-specific keyring is discarded from the child when any sort of
144 clone, fork, vfork or execve occurs. A new keyring is created only when
147 The process-specific keyring is replaced with an empty one in the child on
149 shared. execve also discards the process's process keyring and creates a
[all …]
/Linux-v5.4/include/keys/
Dsystem_keyring.h15 extern int restrict_link_by_builtin_trusted(struct key *keyring,
26 struct key *keyring,
62 extern void __init set_platform_trusted_keys(struct key *keyring);
64 static inline void set_platform_trusted_keys(struct key *keyring) in set_platform_trusted_keys() argument
/Linux-v5.4/scripts/
Dextract-sys-certs.pl21 my $keyring = $ARGV[1];
154 open FD, ">$keyring" || die $keyring;
157 die "$keyring" if (!defined($len));
158 die "Short write on $keyring\n" if ($len != $size);
159 close(FD) || die $keyring;
/Linux-v5.4/fs/crypto/
Dkeyring.c131 static struct key *search_fscrypt_keyring(struct key *keyring, in search_fscrypt_keyring() argument
139 key_ref_t keyref = make_key_ref(keyring, true /* possessed */); in search_fscrypt_keyring()
199 struct key *keyring; in allocate_filesystem_keyring() local
205 keyring = keyring_alloc(description, GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, in allocate_filesystem_keyring()
209 if (IS_ERR(keyring)) in allocate_filesystem_keyring()
210 return PTR_ERR(keyring); in allocate_filesystem_keyring()
213 smp_store_release(&sb->s_master_keys, keyring); in allocate_filesystem_keyring()
230 struct key *keyring; in fscrypt_find_master_key() local
234 keyring = READ_ONCE(sb->s_master_keys); in fscrypt_find_master_key()
235 if (keyring == NULL) in fscrypt_find_master_key()
[all …]
/Linux-v5.4/net/dns_resolver/
Ddns_key.c331 struct key *keyring; in init_dns_resolver() local
344 keyring = keyring_alloc(".dns_resolver", in init_dns_resolver()
349 if (IS_ERR(keyring)) { in init_dns_resolver()
350 ret = PTR_ERR(keyring); in init_dns_resolver()
360 set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags); in init_dns_resolver()
361 cred->thread_keyring = keyring; in init_dns_resolver()
365 kdebug("DNS resolver keyring: %d\n", key_serial(keyring)); in init_dns_resolver()
369 key_put(keyring); in init_dns_resolver()
/Linux-v5.4/include/linux/
Dkey.h362 extern key_ref_t key_create_or_update(key_ref_t keyring,
374 extern int key_link(struct key *keyring,
382 extern int key_unlink(struct key *keyring,
392 extern int restrict_link_reject(struct key *keyring,
397 extern int keyring_clear(struct key *keyring);
399 extern key_ref_t keyring_search(key_ref_t keyring,
404 extern int keyring_add_key(struct key *keyring,
407 extern int keyring_restrict(key_ref_t keyring, const char *type,
Dkey-type.h172 struct key *keyring,
177 struct key *keyring,
183 struct key *keyring, in key_negate_and_link() argument
186 return key_reject_and_link(key, timeout, ENOKEY, keyring, authkey); in key_negate_and_link()
Ddigsig.h47 int digsig_verify(struct key *keyring, const char *sig, int siglen,
52 static inline int digsig_verify(struct key *keyring, const char *sig, in digsig_verify() argument
/Linux-v5.4/Documentation/crypto/
Dasymmetric-keys.txt343 (1) Restrict using the kernel builtin trusted keyring
348 The kernel builtin trusted keyring will be searched for the signing key.
349 If the builtin trusted keyring is not configured, all links will be
359 signing key. If the secondary trusted keyring is not configured, this
364 (3) Restrict using a separate key or keyring
367 - "key_or_keyring:<key or keyring serial number>[:chain]"
373 serial number for a keyring.
376 within the destination keyring will also be searched for signing keys.
378 certificate in order (starting closest to the root) to a keyring. For
379 instance, one keyring can be populated with links to a set of root
[all …]
/Linux-v5.4/security/integrity/ima/
DKconfig202 keyring.
214 and verified by a public key on the trusted IMA keyring.
226 and verified by a key on the trusted IMA keyring.
250 bool "Require all keys on the .ima keyring be signed (deprecated)"
257 keyring be signed by a key on the system trusted keyring.
274 IMA keys to be added may be added to the system secondary keyring,
284 This option creates an IMA blacklist keyring, which contains all
285 revoked IMA keys. It is consulted before any other keyring. If
290 bool "Load X509 certificate onto the '.ima' trusted keyring"
295 loaded on the .ima trusted keyring. These public keys are
[all …]
/Linux-v5.4/security/integrity/evm/
DKconfig59 bool "Load an X509 certificate onto the '.evm' trusted keyring"
63 Load an X509 certificate onto the '.evm' trusted keyring.
66 onto the '.evm' trusted keyring. A public key can be used to
/Linux-v5.4/Documentation/driver-api/nvdimm/
Dsecurity.rst49 all the keys are in the kernel user keyring for unlock.
61 retrieve the key from the kernel user keyring. This is the only time
64 relevant encrypted-keys into the kernel user keyring during the initramfs phase.
72 the kernel user keyring and reinjected as different (old) key. It's irrelevant
94 in the kernel user keyring.
102 in the kernel user keyring.
