Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

[linux-block.git] / certs / Kconfig

diff --git a/certs/Kconfig b/certs/Kconfig
index 73d1350c223a8c757dff74a3ce1dbc5d6a9e9a11..476755703cf8b44c9c12425f7b347409baef7170 100644 (file)
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -104,8 +104,11 @@ config SYSTEM_BLACKLIST_HASH_LIST
        help
          If set, this option should be the filename of a list of hashes in the
          form "<hash>", "<hash>", ... .  This will be included into a C
-         wrapper to incorporate the list into the kernel.  Each <hash> should
-         be a string of hex digits.
+         wrapper to incorporate the list into the kernel.  Each <hash> must be a
+         string starting with a prefix ("tbs" or "bin"), then a colon (":"), and
+         finally an even number of hexadecimal lowercase characters (up to 128).
+         Certificate hashes can be generated with
+         tools/certs/print-cert-tbs-hash.sh .
 
 config SYSTEM_REVOCATION_LIST
        bool "Provide system-wide ring of revocation certificates"
@@ -124,4 +127,14 @@ config SYSTEM_REVOCATION_KEYS
          containing X.509 certificates to be included in the default blacklist
          keyring.
 
+config SYSTEM_BLACKLIST_AUTH_UPDATE
+       bool "Allow root to add signed blacklist keys"
+       depends on SYSTEM_BLACKLIST_KEYRING
+       depends on SYSTEM_DATA_VERIFICATION
+       help
+         If set, provide the ability to load new blacklist keys at run time if
+         they are signed and vouched by a certificate from the builtin trusted
+         keyring.  The PKCS#7 signature of the description is set in the key
+         payload.  Blacklist keys cannot be removed.
+
 endmenu