certs/system_keyring.c
Source file repositories/reference/linux-study-clean/certs/system_keyring.c
File Facts
- System: Linux kernel
- Corpus path: `certs/system_keyring.c`
- Extension: `.c`
- Size: 13358 bytes
- Lines: 429
- Domain: Core OS
- Bucket: Core Kernel Interface
- Inferred role: Core OS: exported/initcall integration point
- Status: integration implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Exports symbols or registers init work; inspect boot/module ordering and who consumes the exported contract.
- Allocates kernel memory; connect allocation flags and lifetime to context constraints.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
- `linux/export.h`
- `linux/kernel.h`
- `linux/sched.h`
- `linux/cred.h`
- `linux/err.h`
- `linux/slab.h`
- `linux/uidgid.h`
- `linux/verification.h`
- `keys/asymmetric-type.h`
- `keys/system_keyring.h`
- `crypto/pkcs7.h`
Detected Declarations
- function `restrict_link_by_builtin_trusted`
- function `restrict_link_by_digsig_builtin`
- function `restrict_link_by_builtin_and_secondary_trusted`
- function `restrict_link_by_digsig_builtin_and_secondary`
- function `add_to_secondary_keyring`
- function `set_machine_trusted_keys`
- function `restrict_link_by_builtin_secondary_and_machine`
- function `system_trusted_keyring_init`
- function `load_module_cert`
- function `load_system_certificate_list`
- function `verify_pkcs7_message_sig`
- function `verify_pkcs7_signature`
- function `set_platform_trusted_keys`
- module init `system_trusted_keyring_init`
- export `verify_pkcs7_signature`
Annotated Snippet
```c
device_initcall(system_trusted_keyring_init);

__init int load_module_cert(struct key *keyring)
{
	if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
		return 0;

	pr_notice("Loading compiled-in module X.509 certificates\n");

	return x509_load_certificate_list(system_certificate_list,
					  module_cert_size, keyring);
}

/*
 * Load the compiled-in list of X.509 certificates.
 */
static __init int load_system_certificate_list(void)
{
	const u8 *p;
	unsigned long size;

	pr_notice("Loading compiled-in X.509 certificates\n");

#ifdef CONFIG_MODULE_SIG
	p = system_certificate_list;
	size = system_certificate_list_size;
#else
	p = system_certificate_list + module_cert_size;
	size = system_certificate_list_size - module_cert_size;
#endif

	return x509_load_certificate_list(p, size, builtin_trusted_keys);
}
late_initcall(load_system_certificate_list);

#ifdef CONFIG_SYSTEM_DATA_VERIFICATION

/**
 * verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data.
 * @data: The data to be verified (NULL if expecting internal data).
 * @len: Size of @data.
 * @pkcs7: The PKCS#7 message that is the signature.
 * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
 *					(void *)1UL for all trusted keys).
 * @usage: The use to which the key is being put.
 * @view_content: Callback to gain access to content.
 * @ctx: Context for callback.
 */
int verify_pkcs7_message_sig(const void *data, size_t len,
			     struct pkcs7_message *pkcs7,
			     struct key *trusted_keys,
			     enum key_being_used_for usage,
			     int (*view_content)(void *ctx,
						 const void *data, size_t len,
						 size_t asn1hdrlen),
			     void *ctx)
{
	int ret;

	/* The data should be detached - so we need to supply it. */
	if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
		pr_err("PKCS#7 signature with non-detached data\n");
		ret = -EBADMSG;
		goto error;
	}

	ret = pkcs7_verify(pkcs7, usage);
	if (ret < 0)
		goto error;

	ret = is_key_on_revocation_list(pkcs7);
	if (ret != -ENOKEY) {
		pr_devel("PKCS#7 key is on revocation list\n");
		goto error;
	}

	if (!trusted_keys) {
		trusted_keys = builtin_trusted_keys;
	} else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
		trusted_keys = secondary_trusted_keys;
#else
		trusted_keys = builtin_trusted_keys;
#endif
	} else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
		trusted_keys = platform_trusted_keys;
#else
		trusted_keys = NULL;
#endif
	/* (excerpt ends here; the function continues in the source file) */
```
Annotation
- Immediate include surface: `linux/export.h`, `linux/kernel.h`, `linux/sched.h`, `linux/cred.h`, `linux/err.h`, `linux/slab.h`, `linux/uidgid.h`, `linux/verification.h`.
- Detected declarations: `function restrict_link_by_builtin_trusted`, `function restrict_link_by_digsig_builtin`, `function restrict_link_by_builtin_and_secondary_trusted`, `function restrict_link_by_digsig_builtin_and_secondary`, `function add_to_secondary_keyring`, `function set_machine_trusted_keys`, `function restrict_link_by_builtin_secondary_and_machine`, `function system_trusted_keyring_init`, `function load_module_cert`, `function load_system_certificate_list`.
- Atlas domain: Core OS / Core Kernel Interface.
- Implementation status: integration implementation candidate.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.