linux/security/integrity/platform_certs/machine_keyring.c
   1// SPDX-License-Identifier: GPL-2.0
   2/*
   3 * Machine keyring routines.
   4 *
   5 * Copyright (c) 2021, Oracle and/or its affiliates.
   6 */
   7
   8#include <linux/efi.h>
   9#include "../integrity.h"
  10
/*
 * Whether MOK keys are trusted within the machine keyring. Zero-initialised
 * (not trusted) and written only by trust_moklist(), which sets it to true
 * when a MokListTrustedRT mokvar entry is found.
 */
static bool trust_mok;
  12
/*
 * Create the machine keyring at init time.
 *
 * Returns 0 on success, otherwise the error from integrity_init_keyring().
 */
static __init int machine_keyring_init(void)
{
	int err = integrity_init_keyring(INTEGRITY_KEYRING_MACHINE);

	if (err)
		return err;

	pr_notice("Machine keyring initialized\n");
	return 0;
}
/* Register the keyring creation at device_initcall time. */
device_initcall(machine_keyring_init);
  25
/*
 * Load one certificate into the machine keyring.
 *
 * @source: textual origin of the key, used in the error message.
 * @data:   certificate bytes.
 * @len:    length of @data.
 *
 * The key is granted every possessor permission except SETATTR, and VIEW
 * only for the owning user. If the machine keyring refuses the key and the
 * platform keyring is configured, the platform keyring is tried instead.
 * Failure is only logged; no status is returned to the caller.
 */
void __init add_to_machine_keyring(const char *source, const void *data, size_t len)
{
	const key_perm_t perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
	int err;

	err = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source, data, len, perm);
	if (!err)
		return;

	/*
	 * Some MOKList keys may not pass the machine keyring restrictions.
	 * When the platform keyring exists, fall back to adding the key there.
	 */
	if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
		err = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
					  data, len, perm);

	if (err)
		pr_info("Error adding keys to machine keyring %s\n", source);
}
  46
/*
 * Report whether the MokListTrustedRT MOK variable is present. Its absence
 * is not an error: it simply means MOK keys are not to be trusted within
 * the machine keyring.
 *
 * Returns true when efi_mokvar_entry_find() locates the entry, else false.
 */
static __init bool uefi_check_trust_mok_keys(void)
{
	return efi_mokvar_entry_find("MokListTrustedRT") != NULL;
}
  64
/*
 * Return whether MOK keys should be trusted in the machine keyring.
 *
 * The MokListTrustedRT lookup is performed once, on the first call, and the
 * answer is latched in trust_mok for every later call.
 */
bool __init trust_moklist(void)
{
	static bool initialized;

	if (initialized)
		return trust_mok;

	initialized = true;
	if (uefi_check_trust_mok_keys())
		trust_mok = true;

	return trust_mok;
}
  78