certs: Only allow certs signed by keys on the builtin keyring - linux-crypto.git

diff options

author	Mimi Zohar <zohar@linux.ibm.com>	2023-10-15 20:18:03 -0400
committer	Mimi Zohar <zohar@linux.ibm.com>	2023-10-31 08:22:36 -0400
commit	0b59cd533b2029039172edcfdabe5240bfa9904c (patch)
tree	0b9f66f1fdd9ab113e5abeaa32abed61bd51004c /crypto/deflate.c
parent	af0da410464fb21bd9b7d70b7dad70ece687a017 (diff)
download	linux-crypto-0b59cd533b2029039172edcfdabe5240bfa9904c.tar.gz linux-crypto-0b59cd533b2029039172edcfdabe5240bfa9904c.zip

certs: Only allow certs signed by keys on the builtin keyring

Originally the secondary trusted keyring provided a keyring to which extra keys may be added, provided those keys were not blacklisted and were vouched for by a key built into the kernel or already in the secondary trusted keyring. On systems with the machine keyring configured, additional keys may also be vouched for by a key on the machine keyring. Prevent loading additional certificates directly onto the secondary keyring, vouched for by keys on the machine keyring, yet allow these certificates to be loaded onto other trusted keyrings. Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Diffstat (limited to 'crypto/deflate.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: