certs: Only allow certs signed by keys on the builtin keyring

	help

	  If set, provide a keyring to which extra keys may be added, provided

	  those keys are not blacklisted and are vouched for by a key built

	  into the kernel or already in the secondary trusted keyring.

	  into the kernel, machine keyring (if configured), or already in the

	  secondary trusted keyring.

config SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN

	bool "Only allow additional certs signed by keys on the builtin trusted keyring"

	depends on SECONDARY_TRUSTED_KEYRING

	help

	  If set, only certificates signed by keys on the builtin trusted

	  keyring may be loaded onto the secondary trusted keyring.

	  Note: The machine keyring, if configured, will be linked to the

	  secondary keyring.  When enabling this option, it is recommended

	  to also configure INTEGRITY_CA_MACHINE_KEYRING_MAX to prevent

	  linking code signing keys with imputed trust to the secondary

	  trusted keyring.

config SYSTEM_BLACKLIST_KEYRING

	bool "Provide system-wide ring of blacklisted keys"

	if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags))

		ret = -ENOKEY;

	else if (IS_BUILTIN(CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN) &&

		 !strcmp(dest_keyring->description, ".secondary_trusted_keys") &&

		 !test_bit(KEY_FLAG_BUILTIN, &key->flags))

		ret = -ENOKEY;

	else

		ret = verify_signature(key, sig);

	key_put(key);