From ccb478ac2e5b1e24ebb6af4130fdd37e1b36babb Mon Sep 17 00:00:00 2001
From: "tpearson@raptorengineering.com"
Date: Thu, 18 Aug 2016 04:46:47 -0500
Subject: Add encrypted file support

In certain cases, such as network booting over an untrusted connection, it may be useful to fully encrypt and sign the kernel files. Enable fully encrypted boot using builtin keyring via the addition of the string "ENCRYPTED" to the first line of the /etc/pb-lockdown file. This disables detached (plaintext) signature verification.

Signed-off-by: Timothy Pearson
Signed-off-by: Samuel Mendoza-Jonas
---
 lib/security/gpg.h | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'lib/security/gpg.h')

diff --git a/lib/security/gpg.h b/lib/security/gpg.h
index fb418bb..6efc3d2 100644
--- a/lib/security/gpg.h
+++ b/lib/security/gpg.h
@@ -23,6 +23,7 @@
 enum {
 PB_LOCKDOWN_NONE = 0,
 PB_LOCKDOWN_SIGN = 1,
+ PB_LOCKDOWN_DECRYPT = 2,
 };
 
 #if defined(HAVE_LIBGPGME)
@@ -37,6 +38,9 @@ int verify_file_signature(const char *plaintext_filename,
 const char *signature_filename, FILE *authorized_signatures_handle,
 const char *keyring_path);
 
+int decrypt_file(const char * filename,
+ FILE * authorized_signatures_handle, const char * keyring_path);
+
 int gpg_validate_boot_files(struct boot_task *boot_task);
 
 void gpg_validate_boot_files_cleanup(struct boot_task *boot_task);
@@ -59,6 +63,13 @@ int verify_file_signature(const char *plaintext_filename __attribute__((unused))
 return -1;
 }
 
+int decrypt_file(const char * filename __attribute__((unused)),
+ FILE * authorized_signatures_handle __attribute__((unused)),
+ const char * keyring_path __attribute__((unused)))
+{
+ return -1;
+}
+
 int gpg_validate_boot_files(struct boot_task *boot_task __attribute__((unused)))
 {
 return 0;
-- 
cgit v1.2.1
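Review bot: The new `PB_LOCKDOWN_DECRYPT = 2` enumerator in the first hunk carries no comment saying whether the lockdown values are mutually exclusive modes or can be combined, and the anonymous enum has none either. The commit message states that ENCRYPTED disables detached signature verification, so a comment on the new line such as `/* files must be encrypted and signed; detached signatures are not checked */` would record that. The callers are outside this hunk; any that test only for `PB_LOCKDOWN_SIGN` would presumably treat the new mode as no lockdown, which is worth confirming against the rest of the change.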
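Review bot: The `decrypt_file()` prototype added in the second hunk has no contract comment, and the security-relevant parts cannot be read off the signature: whether the plaintext replaces `filename` in place, which return value signals failure (the stub later in this file returns -1), and whether the signer of the encrypted payload is checked against `authorized_signatures_handle`. The last point matters because encryption alone does not authenticate a boot file; the parameter name suggests a signer check is intended, but the implementation is not in this patch. I would add a short doc comment above the prototype stating those three things. The `const char * filename` spacing also differs from the `const char *plaintext_filename` style of the neighbouring prototype.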
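Review bot: The non-GPGME `decrypt_file()` stub in the third hunk fails closed with `return -1;`, but the context just below it shows the `gpg_validate_boot_files()` stub returning 0, so whether an ENCRYPTED lockdown is actually enforced in a build without libgpgme depends on callers outside this patch. A comment on the new stub would make the intent explicit, for example `/* built without GPG support: always fail so an encrypted lockdown cannot boot unverified files */`. Separately, the stub is a non-static function definition in a header; if gpg.h is included from more than one translation unit in such a build the symbol would be defined twice, so `static inline int decrypt_file(...)` looks safer, although the existing verify_file_signature stub appears to follow the same pattern.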