Re: [PATCH v3 04/14] integrity: add add_to_mok_keyring

From: Jarkko Sakkinen
Date: Thu Aug 12 2021 - 15:32:53 EST


On Wed, Aug 11, 2021 at 10:18:45PM -0400, Eric Snowberg wrote:
> Add the ability to load Machine Owner Key (MOK) keys to the mok keyring.
> If the permissions do not allow the key to be added to the mok keyring
> this is not an error, add it to the platform keyring instead.

Should state why it isn't an error for clarity.

/Jarkko

>
> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
> ---
> v1: Initial version
> v3: Unmodified from v1
> ---
> security/integrity/integrity.h | 4 ++++
> .../integrity/platform_certs/mok_keyring.c | 21 +++++++++++++++++++
> 2 files changed, 25 insertions(+)
>
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index e0e17ccba2e6..60d5c7ba05b2 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -278,9 +278,13 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
> #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> void __init add_to_platform_keyring(const char *source, const void *data,
> size_t len);
> +void __init add_to_mok_keyring(const char *source, const void *data, size_t len);
> #else
> static inline void __init add_to_platform_keyring(const char *source,
> const void *data, size_t len)
> {
> }
> +void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
> +{
> +}
> #endif
> diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c
> index fe4f2d336260..f260edac0863 100644
> --- a/security/integrity/platform_certs/mok_keyring.c
> +++ b/security/integrity/platform_certs/mok_keyring.c
> @@ -21,6 +21,27 @@ static __init int mok_keyring_init(void)
> }
> device_initcall(mok_keyring_init);
>
> +void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
> +{
> + key_perm_t perm;
> + int rc;
> +
> + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
> + rc = integrity_load_cert(INTEGRITY_KEYRING_MOK, source, data, len, perm);
> +
> + /*
> + * If the mok keyring restrictions prevented the cert from loading,
> + * this is not an error. Just load it into the platform keyring
> + * instead.
> + */
> + if (rc)
> + rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
> + data, len, perm);
> +
> + if (rc)
> + pr_info("Error adding keys to mok keyring %s\n", source);
> +}
> +
> /*
> * Try to load the MokListTrustedRT UEFI variable to see if we should trust
> * the mok keys within the kernel. It is not an error if this variable
> --
> 2.18.4
>
>