[PATCH RFC 07/12] integrity: add add_to_mok_keyring
From: Eric Snowberg
Date: Tue Jul 06 2021 - 22:45:47 EST
Add the ability to load MOK keys to the mok keyring. If the permssions
do not allow the key to be added to the MOK keyring this is not an
error, add it to the platform keyring instead.
Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
---
security/integrity/integrity.h | 4 ++++
.../integrity/platform_certs/mok_keyring.c | 21 +++++++++++++++++++
2 files changed, 25 insertions(+)
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 5126c80bd0d4..68720fa6454f 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -284,6 +284,7 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
void __init add_to_platform_keyring(const char *source, const void *data,
size_t len);
void __init destroy_mok_keyring(void);
+void __init add_to_mok_keyring(const char *source, const void *data, size_t len);
#else
static inline void __init add_to_platform_keyring(const char *source,
const void *data, size_t len)
@@ -292,4 +293,7 @@ static inline void __init add_to_platform_keyring(const char *source,
static inline void __init destroy_mok_keyring(void)
{
}
+void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
+{
+}
#endif
diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c
index 666fa355996d..a5644a8a834c 100644
--- a/security/integrity/platform_certs/mok_keyring.c
+++ b/security/integrity/platform_certs/mok_keyring.c
@@ -28,6 +28,27 @@ void __init destroy_mok_keyring(void)
return integrity_destroy_keyring(INTEGRITY_KEYRING_MOK);
}
+void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
+{
+ key_perm_t perm;
+ int rc;
+
+ perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
+ rc = integrity_load_cert(INTEGRITY_KEYRING_MOK, source, data, len, perm);
+
+ /*
+ * If the mok keyring restrictions prevented the cert from loading,
+ * this is not an error. Just load it into the platform keyring
+ * instead.
+ */
+ if (rc)
+ rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
+ data, len, perm);
+
+ if (rc)
+ pr_info("Error adding keys to mok keyring %s\n", source);
+}
+
/*
* Try to load the MokListTrustedRT UEFI variable to see if we should trust
* the mok keys within the kernel. It is not an error if this variable
--
2.18.4