summaryrefslogtreecommitdiff
path: root/security/integrity/integrity.h
diff options
context:
space:
mode:
authorDmitry Kasatkin <dmitry.kasatkin@huawei.com>2015-10-22 21:26:10 +0300
committerMimi Zohar <zohar@linux.vnet.ibm.com>2015-11-23 14:30:02 -0500
commitf4dc37785e9b3373d0cb93125d5579fed2af3a43 (patch)
treeb1bed1b8038d92770cc9881a1ad57b97e1b57dc3 /security/integrity/integrity.h
parentebd68df3f24b318d391d15c458d6f43f340ba36a (diff)
downloadlwn-f4dc37785e9b3373d0cb93125d5579fed2af3a43.tar.gz
lwn-f4dc37785e9b3373d0cb93125d5579fed2af3a43.zip
integrity: define '.evm' as a builtin 'trusted' keyring
Require all keys added to the EVM keyring be signed by an existing trusted key on the system trusted keyring. This patch also switches IMA to use integrity_init_keyring(). Changes in v3: * Added 'init_keyring' config based variable to skip initializing keyring instead of using __integrity_init_keyring() wrapper. * Added dependency back to CONFIG_IMA_TRUSTED_KEYRING Changes in v2: * Replace CONFIG_EVM_TRUSTED_KEYRING with IMA and EVM common CONFIG_INTEGRITY_TRUSTED_KEYRING configuration option * Deprecate CONFIG_IMA_TRUSTED_KEYRING but keep it for config file compatibility. (Mimi Zohar) Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/integrity.h')
-rw-r--r--security/integrity/integrity.h5
1 files changed, 2 insertions, 3 deletions
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 9c6168709d3b..07726a731727 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -125,8 +125,8 @@ int integrity_kernel_read(struct file *file, loff_t offset,
int __init integrity_read_file(const char *path, char **data);
#define INTEGRITY_KEYRING_EVM 0
-#define INTEGRITY_KEYRING_MODULE 1
-#define INTEGRITY_KEYRING_IMA 2
+#define INTEGRITY_KEYRING_IMA 1
+#define INTEGRITY_KEYRING_MODULE 2
#define INTEGRITY_KEYRING_MAX 3
#ifdef CONFIG_INTEGRITY_SIGNATURE
@@ -149,7 +149,6 @@ static inline int integrity_init_keyring(const unsigned int id)
{
return 0;
}
-
#endif /* CONFIG_INTEGRITY_SIGNATURE */
#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS