| Message ID | 20210907160110.2699645-13-eric.snowberg@oracle.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Enroll kernel keys thru MOK | expand |
On Tue, 2021-09-07 at 12:01 -0400, Eric Snowberg wrote: > With the introduction of uefi_check_trust_mok_keys, it signifies the end- > user wants to trust the machine keyring as trusted keys. If they have > chosen to trust the machine keyring, load the qualifying keys into it > during boot, then link it to the secondary keyring . If the user has not > chosen to trust the machine keyring, it will be empty and not linked to > the secondary keyring. > > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> I would not worry too much applying the code changes if the story part made sense (to *almost anyone*) in the cover letter. /Jarkko
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 0dce2775f3c2..d495c4e49240 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -116,7 +116,7 @@ static int __init __integrity_init_keyring(const unsigned int id, } else { if (id == INTEGRITY_KEYRING_PLATFORM) set_platform_trusted_keys(keyring[id]); - if (id == INTEGRITY_KEYRING_MACHINE) + if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist()) set_machine_trusted_keys(keyring[id]); if (id == INTEGRITY_KEYRING_IMA) load_module_cert(keyring[id]); diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 730771eececd..2e214c761158 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -287,9 +287,14 @@ static inline void __init add_to_platform_keyring(const char *source, #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING void __init add_to_machine_keyring(const char *source, const void *data, size_t len); +bool __init trust_moklist(void); #else static inline void __init add_to_machine_keyring(const char *source, const void *data, size_t len) { } +static inline bool __init trust_moklist(void) +{ + return false; +} #endif diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 445d413aec74..d78dd66fb048 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -82,7 +82,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) { if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { - if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING)) + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist()) return add_to_machine_keyring; else return add_to_platform_keyring; diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c index 635ab2b9e289..eaef1efdb261 100644 --- a/security/integrity/platform_certs/machine_keyring.c +++ b/security/integrity/platform_certs/machine_keyring.c @@ -8,6 +8,8 @@ #include <linux/efi.h> #include "../integrity.h" +bool trust_mok; + static __init int machine_keyring_init(void) { int rc; @@ -67,3 +69,17 @@ static __init bool uefi_check_trust_mok_keys(void) */ return (status == EFI_SUCCESS && (!(attr & EFI_VARIABLE_NON_VOLATILE))); } + +bool __init trust_moklist(void) +{ + static bool initialized; + + if (!initialized) { + initialized = true; + + if (uefi_check_trust_mok_keys()) + trust_mok = true; + } + + return trust_mok; +}
With the introduction of uefi_check_trust_mok_keys, it signifies the end- user wants to trust the machine keyring as trusted keys. If they have chosen to trust the machine keyring, load the qualifying keys into it during boot, then link it to the secondary keyring . If the user has not chosen to trust the machine keyring, it will be empty and not linked to the secondary keyring. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- v4: Initial version v5: Rename to machine keyring --- security/integrity/digsig.c | 2 +- security/integrity/integrity.h | 5 +++++ .../integrity/platform_certs/keyring_handler.c | 2 +- .../integrity/platform_certs/machine_keyring.c | 16 ++++++++++++++++ 4 files changed, 23 insertions(+), 2 deletions(-)