Documentation/admin-guide/module-signing.rst: Does the function of adding a key to ‘Builtin_trusted_key’ work?

From: Chunxin Zang
Date: Mon May 24 2021 - 05:02:16 EST


Recently, I am learning how to use module signature.
But I got 'Permission denied' when I trying to add a
public key to the 'builtin_trusted_keys' keyring.

root@:~# cat /proc/keys
3471e123 I------ 1 perm 1f030000 0 0 asymmetri Build time autogenerated kernel key: xxxx: X509.rsa xxxx []
37e8db03 I------ 1 perm 1f0b0000 0 0 keyring .builtin_trusted_keys: 1
root@:~# keyctl padd asymmetric "" 0x37e8db03 < ./signing_key_test_sign.x509
add_key: Permission denied

The reason is the 'builtin_trusted_keys' keyring's perm was set
'1f0b0000' by below operate when kernel starting.

builtin_trusted_keys =
keyring_alloc(".builtin_trusted_keys",
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
KEY_ALLOC_NOT_IN_QUOTA,
NULL, NULL);

And, 'add_key' interface pass the KEY_NEED_WRITE
perm to lookup_user_key.
So -EACCES returned in key_task_permission check.

Is there something wrong in module-signing.rst ?
Or I missed some information about it.

Best wishes
Chunxin