author | Eric Snowberg <eric.snowberg@oracle.com> | 2022-01-26 03:58:34 +0100 |
---|---|---|
committer | Jarkko Sakkinen <jarkko@kernel.org> | 2022-03-08 12:55:52 +0100 |
commit | 3d6ae1a5d0c2019d274284859f556dcb64aa98a7 (patch) | |
tree | adba80c2bffd87b1e986a0d0ecb93ba18407d3ba /security/integrity/platform_certs | |
parent | integrity: Trust MOK keys if MokListTrustedRT found (diff) | |
integrity: Only use machine keyring when uefi_check_trust_mok_keys is true
With the introduction of uefi_check_trust_mok_keys, it signifies that the
end user wants to trust the machine keyring as trusted keys. If they have
chosen to trust the machine keyring, load the qualifying keys into it
during boot, then link it to the secondary keyring. If the user has not
chosen to trust the machine keyring, it will be empty and not linked to
the secondary keyring.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Diffstat (limited to 'security/integrity/platform_certs')
-rw-r--r-- | security/integrity/platform_certs/keyring_handler.c | 2 | ||||
-rw-r--r-- | security/integrity/platform_certs/machine_keyring.c | 16 |
2 files changed, 17 insertions, 1 deletions
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
index 4872850d081f..1db4d3b4356d 100644
--- a/security/integrity/platform_certs/keyring_handler.c
+++ b/security/integrity/platform_certs/keyring_handler.c
@@ -83,7 +83,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
 __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
 {
 	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
-		if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
+		if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist())
 			return add_to_machine_keyring;
 		else
 			return add_to_platform_keyring;
diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
index 09fd8f20c756..7aaed7950b6e 100644
--- a/security/integrity/platform_certs/machine_keyring.c
+++ b/security/integrity/platform_certs/machine_keyring.c
@@ -8,6 +8,8 @@
 #include <linux/efi.h>
 #include "../integrity.h"
 
+static bool trust_mok;
+
 static __init int machine_keyring_init(void)
 {
 	int rc;
@@ -59,3 +61,17 @@ static __init bool uefi_check_trust_mok_keys(void)
 
 	return false;
 }
+
+bool __init trust_moklist(void)
+{
+	static bool initialized;
+
+	if (!initialized) {
+		initialized = true;
+
+		if (uefi_check_trust_mok_keys())
+			trust_mok = true;
+	}
+
+	return trust_mok;
+}
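Review bot: The new condition in get_handler_for_mok() changes where an X.509 MOK entry lands without saying so: when the machine keyring is built in but trust_moklist() is false, the key now silently goes to the platform keyring instead, and nothing in the hunk documents that the platform keyring is the fallback rather than a drop. A one-line comment above the `if` would make the policy explicit, e.g. `/* MOK certs are only trusted via the machine keyring when the user opted in; otherwise they fall back to the platform keyring. */`. Note also that keyring_handler.c now needs a declaration of trust_moklist() visible to it; the header change is presumably outside this diffstat (limited to platform_certs), so that cannot be confirmed from here, and a build with CONFIG_INTEGRITY_MACHINE_KEYRING disabled still needs that declaration even though the call is short-circuited away. The body of get_handler_for_mok() continues past the end of the hunk.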
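Review bot: trust_moklist() is a new non-static function with no kernel-doc, and the reason for the `initialized` latch is not stated in the hunk; a caller could reasonably assume each call re-reads the EFI variable, whereas the result is fixed after the first call. A short header comment above the definition should say that the UEFI check is performed once and the answer is cached for the rest of boot, and that the function is `__init` so it is only valid before init memory is freed. The two-step assignment can also be written as a single line, `trust_mok = uefi_check_trust_mok_keys();`, since trust_mok starts out false and is only ever set here in the visible code. If no non-init code reads trust_mok, it could carry `__initdata` as well, but other readers may exist outside this hunk.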