Add encrypted file support

In certain cases, such as network booting over an untrusted connection,
it may be useful to fully encrypt and sign the kernel files.

Enable fully encrypted boot using builtin keyring via the addition of
the string "ENCRYPTED" to the first line of the /etc/pb-lockdown file.
This disables detached (plaintext) signature verification.

Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>

1 files changed, 11 insertions, 0 deletions

diff --git a/lib/security/gpg.h b/lib/security/gpg.h
index fb418bb..6efc3d2 100644
--- a/lib/security/gpg.h
+++ b/lib/security/gpg.h
@@ -23,6 +23,7 @@
 enum {
 	PB_LOCKDOWN_NONE	= 0,
 	PB_LOCKDOWN_SIGN	= 1,
+	PB_LOCKDOWN_DECRYPT	= 2,
 };
 
 #if defined(HAVE_LIBGPGME)
@@ -37,6 +38,9 @@ int verify_file_signature(const char *plaintext_filename,
 	const char *signature_filename, FILE *authorized_signatures_handle,
 	const char *keyring_path);
 
+int decrypt_file(const char * filename,
+	FILE * authorized_signatures_handle, const char * keyring_path);
+
 int gpg_validate_boot_files(struct boot_task *boot_task);
 
 void gpg_validate_boot_files_cleanup(struct boot_task *boot_task);
@@ -59,6 +63,13 @@ int verify_file_signature(const char *plaintext_filename __attribute__((unused))
 	return -1;
 }
 
+int decrypt_file(const char * filename __attribute__((unused)),
+	FILE * authorized_signatures_handle __attribute__((unused)),
+	const char * keyring_path __attribute__((unused)))
+{
+	return -1;
+}
+
 int gpg_validate_boot_files(struct boot_task *boot_task __attribute__((unused)))
 {
 	return 0;