X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=certs%2FKconfig;h=edf9f75e9c8b47b89ab076462353f261ae234bfc;hb=2870173854e09ae0da1195c0d1b360e601db5dec;hp=6ce51ede9e9b4617f62a5e2f3cc3aeda75f9a77f;hpb=837c194a4dfedd69ddbd5a586401380190776f48;p=mirror_ubuntu-artful-kernel.git diff --git a/certs/Kconfig b/certs/Kconfig index 6ce51ede9e9b..edf9f75e9c8b 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -82,4 +82,28 @@ config SYSTEM_BLACKLIST_HASH_LIST wrapper to incorporate the list into the kernel. Each should be a string of hex digits. +config EFI_SIGNATURE_LIST_PARSER + bool "EFI signature list parser" + depends on EFI + select X509_CERTIFICATE_PARSER + help + This option provides support for parsing EFI signature lists for + X.509 certificates and turning them into keys. + +config LOAD_UEFI_KEYS + bool "Load certs and blacklist from UEFI db for module checking" + depends on SYSTEM_BLACKLIST_KEYRING + depends on SECONDARY_TRUSTED_KEYRING + depends on EFI + depends on EFI_SIGNATURE_LIST_PARSER + help + If the kernel is booted in secure boot mode, this option will cause + the kernel to load the certificates from the UEFI db and MokListRT + into the secondary trusted keyring. It will also load any X.509 + SHA256 hashes in the dbx list into the blacklist. + + The effect of this is that, if the kernel is booted in secure boot + mode, modules signed with UEFI-stored keys will be permitted to be + loaded and keys that match the blacklist will be rejected. + endmenu
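Review bot: The LOAD_UEFI_KEYS help text conditions loading on "if the kernel is booted in secure boot mode" but never states what happens otherwise; since the UEFI db and MokListRT contents are only trustworthy when firmware has enforced Secure Boot, the help should say explicitly that no keys or hashes are loaded when Secure Boot is disabled, because that is the boundary a user enabling this option is relying on. Two smaller wording points in the same hunk: "load any X.509 SHA256 hashes in the dbx list into the blacklist" is ambiguous about whether these are hashes of X.509 certificates or of signed binaries, so name what is actually hashed; and the text describes loading trusted keys from both the UEFI db and MokListRT but mentions only dbx as a blacklist source, so either document that MOK has no blacklist counterpart here or list the additional source if one is handled. Consider also noting in the EFI_SIGNATURE_LIST_PARSER help that the parser is what LOAD_UEFI_KEYS depends on, so the relationship between the two new options is visible without reading the depends lines.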