#include <linux/efi.h>
#include "../integrity.h"
10
/*
 * Cached result handed out by trust_moklist(). Starts out false (static
 * storage) and is set to true once uefi_check_trust_mok_keys() reports
 * that the "MokListTrustedRT" entry exists.
 */
static bool trust_mok;
12
/*
 * Create the machine keyring during boot.
 *
 * Registered below as a device_initcall. Returns 0 when
 * integrity_init_keyring(INTEGRITY_KEYRING_MACHINE) succeeds; any non-zero
 * result from that call is passed back unchanged.
 */
static __init int machine_keyring_init(void)
{
	int rc = integrity_init_keyring(INTEGRITY_KEYRING_MACHINE);

	/* Announce the keyring only when it was actually set up. */
	if (!rc)
		pr_notice("Machine keyring initialized\n");

	return rc;
}
device_initcall(machine_keyring_init);
25
/*
 * Load one certificate blob into the machine keyring at boot.
 *
 * @source: origin label, passed to integrity_load_cert() and printed in the
 *          failure message
 * @data:   certificate bytes handed to integrity_load_cert()
 * @len:    number of bytes at @data
 *
 * Nothing is returned. A failure is only logged with pr_info(), so the
 * caller cannot tell from this function whether the certificate ended up in
 * the machine keyring, in the platform keyring, or in neither.
 */
void __init add_to_machine_keyring(const char *source, const void *data, size_t len)
{
	/*
	 * Possessor gets every KEY_POS_* right except SETATTR; user gets
	 * view only. The same mask is used for both keyrings below.
	 */
	const key_perm_t perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
	int rc;

	rc = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source, data, len, perm);
	if (!rc)
		return;

	/*
	 * Fallback: when the platform keyring is configured, retry the load
	 * there. The retry fires on ANY non-zero rc from the first attempt,
	 * not on one specific error code, and the first error is overwritten
	 * by the result of the second attempt.
	 */
	if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
		rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
					 data, len, perm);

	/* Reached with rc != 0 only if no keyring accepted the certificate. */
	if (rc)
		pr_info("Error adding keys to machine keyring %s\n", source);
}
46
/*
 * Report whether the EFI MOK variable table has a "MokListTrustedRT" entry.
 *
 * Only the existence of the entry is tested; its contents are never read
 * here. A missing entry is not an error, it simply yields false.
 *
 * NOTE(review): the answer is only as trustworthy as whatever populates the
 * table behind efi_mokvar_entry_find() - confirm that table is built from
 * boot-time data that later code cannot alter.
 */
static __init bool uefi_check_trust_mok_keys(void)
{
	return efi_mokvar_entry_find("MokListTrustedRT") != NULL;
}
64
/*
 * Tell the caller whether MOK keys are to be trusted.
 *
 * The EFI lookup runs on the first call only; the function-local
 * `initialized` latch makes every later call return the cached trust_mok.
 * There is no locking around the latch. trust_mok is only ever raised to
 * true here, never cleared.
 */
bool __init trust_moklist(void)
{
	static bool initialized;

	/* Already decided on an earlier call: reuse the cached answer. */
	if (initialized)
		return trust_mok;

	initialized = true;

	if (uefi_check_trust_mok_keys())
		trust_mok = true;

	return trust_mok;
}
78