ipv4: convert dst_metrics.refcnt from atomic_t to refcount_t

[mirror_ubuntu-artful-kernel.git] / certs / Kconfig

diff --git a/certs/Kconfig b/certs/Kconfig
index 6ce51ede9e9b4617f62a5e2f3cc3aeda75f9a77f..edf9f75e9c8b47b89ab076462353f261ae234bfc 100644 (file)
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -82,4 +82,28 @@ config SYSTEM_BLACKLIST_HASH_LIST
          wrapper to incorporate the list into the kernel.  Each <hash> should
          be a string of hex digits.
 
+config EFI_SIGNATURE_LIST_PARSER
+       bool "EFI signature list parser"
+       depends on EFI
+       select X509_CERTIFICATE_PARSER
+       help
+         This option provides support for parsing EFI signature lists for
+         X.509 certificates and turning them into keys.
+
+config LOAD_UEFI_KEYS
+       bool "Load certs and blacklist from UEFI db for module checking"
+       depends on SYSTEM_BLACKLIST_KEYRING
+       depends on SECONDARY_TRUSTED_KEYRING
+       depends on EFI
+       depends on EFI_SIGNATURE_LIST_PARSER
+       help
+         If the kernel is booted in secure boot mode, this option will cause
+         the kernel to load the certificates from the UEFI db and MokListRT
+         into the secondary trusted keyring.  It will also load any X.509
+         SHA256 hashes in the dbx list into the blacklist.
+
+         The effect of this is that, if the kernel is booted in secure boot
+         mode, modules signed with UEFI-stored keys will be permitted to be
+         loaded and keys that match the blacklist will be rejected.
+
 endmenu