[RFC PATCH 0/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys
From: Kairui Song
Date: Tue Jan 08 2019 - 03:13:00 EST
Hi, as the subject, this is a patch that links the new introduced
.platform keyring into .secondary_trusted_keys keyring. This is
mainly for the kexec_file_load, make kexec_file_load be able to verify
the kernel image agains keys provided by platform or firmware.
kexec_file_load already could verify the image agains secondary_trusted_keys
if secondary_trusted_keys exits, so this will make kexec_file_load be ware
of platform keys as well.
This may also useful for things like module sign verify that are using
secondary_trusted_keys. I'm not sure if it will be better to move the
INTEGRITY_PLATFORM_KEYRING to certs/ and let integrity subsystem use
the keyring there, so just linked the .platform keyring into kernel's
.secondary_trusted_keys keyring.
It workd for my case, tested in a VM, I signed the kernel image locally
with pesign and imported the cert to EFI's MokList variable.
Kairui Song (1):
KEYS, integrity: Link .platform keyring to .secondary_trusted_keys
certs/system_keyring.c | 30 ++++++++++++++++++++++++++++++
include/keys/platform_keyring.h | 12 ++++++++++++
security/integrity/digsig.c | 7 +++++++
3 files changed, 49 insertions(+)
create mode 100644 include/keys/platform_keyring.h
--
2.20.1