[PATCH RFC 11/12] integrity: move keys from the mok keyring into the secondary keyring

From: Eric Snowberg
Date: Tue Jul 06 2021 - 22:45:43 EST


Keys added to the mok keyring are only stored there temporarily. After
passing the permissions check, move the key from the mok keyring into
the secondary trusted keyring.

Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
---
security/integrity/digsig.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 07547f1a4806..e301cee037bf 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -175,8 +175,13 @@ static int __init integrity_add_key(const unsigned int id, const void *data,
rc = PTR_ERR(key);
pr_err("Problem loading X.509 certificate %d\n", rc);
} else {
- pr_notice("Loaded X.509 cert '%s'\n",
- key_ref_to_ptr(key)->description);
+ if (id == INTEGRITY_KEYRING_MOK)
+ rc = move_to_trusted_secondary_keyring(key_ref_to_ptr(key),
+ keyring[id]);
+ else
+ pr_notice("Loaded X.509 cert '%s'\n",
+ key_ref_to_ptr(key)->description);
+
key_ref_put(key);
}
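
Review bot: in the new `id == INTEGRITY_KEYRING_MOK` branch the `Loaded X.509 cert` notice is no longer printed, and a nonzero `rc` from `move_to_trusted_secondary_keyring()` is not logged here, so the kernel log carries no record of which MOK certificate was moved into the secondary trusted keyring or that a move failed. Since the move is what places the key in a trusted keyring, consider keeping the `pr_notice` with the key description for both branches and adding a `pr_err` with the description and `rc` when the move returns an error. The commit message could also state what happens to the key (still linked to the mok keyring or not) when the move fails. Both branches of the if/else now span more than one line, so braces around them would make the block easier to read.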

--
2.18.4