Re: [PATCH v9 8/8] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true

From: Jarkko Sakkinen
Date: Sat Jan 08 2022 - 17:30:17 EST


On Wed, Jan 05, 2022 at 06:50:12PM -0500, Eric Snowberg wrote:
> With the introduction of uefi_check_trust_mok_keys, it signifies the end-
> user wants to trust the machine keyring as trusted keys. If they have
> chosen to trust the machine keyring, load the qualifying keys into it
> during boot, then link it to the secondary keyring . If the user has not
> chosen to trust the machine keyring, it will be empty and not linked to
> the secondary keyring.
>
> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
> ---
> v4: Initial version
> v5: Rename to machine keyring
> v6: Unmodified from v5
> v7: Made trust_mok static
> v8: Unmodified from v7
> ---
> security/integrity/digsig.c | 2 +-
> security/integrity/integrity.h | 5 +++++
> .../integrity/platform_certs/keyring_handler.c | 2 +-
> .../integrity/platform_certs/machine_keyring.c | 16 ++++++++++++++++
> 4 files changed, 23 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index 7b719aa76188..c8c8a4a4e7a0 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -112,7 +112,7 @@ static int __init __integrity_init_keyring(const unsigned int id,
> } else {
> if (id == INTEGRITY_KEYRING_PLATFORM)
> set_platform_trusted_keys(keyring[id]);
> - if (id == INTEGRITY_KEYRING_MACHINE)
> + if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist())
> set_machine_trusted_keys(keyring[id]);
> if (id == INTEGRITY_KEYRING_IMA)
> load_module_cert(keyring[id]);
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index 730771eececd..2e214c761158 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -287,9 +287,14 @@ static inline void __init add_to_platform_keyring(const char *source,
>
> #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
> void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
> +bool __init trust_moklist(void);
> #else
> static inline void __init add_to_machine_keyring(const char *source,
> const void *data, size_t len)
> {
> }
> +static inline bool __init trust_moklist(void)
> +{
> + return false;
> +}
> #endif
> diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
> index 4872850d081f..1db4d3b4356d 100644
> --- a/security/integrity/platform_certs/keyring_handler.c
> +++ b/security/integrity/platform_certs/keyring_handler.c
> @@ -83,7 +83,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
> __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
> {
> if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
> - if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
> + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist())
> return add_to_machine_keyring;
> else
> return add_to_platform_keyring;
> diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
> index 09fd8f20c756..7aaed7950b6e 100644
> --- a/security/integrity/platform_certs/machine_keyring.c
> +++ b/security/integrity/platform_certs/machine_keyring.c
> @@ -8,6 +8,8 @@
> #include <linux/efi.h>
> #include "../integrity.h"
>
> +static bool trust_mok;
> +
> static __init int machine_keyring_init(void)
> {
> int rc;
> @@ -59,3 +61,17 @@ static __init bool uefi_check_trust_mok_keys(void)
>
> return false;
> }
> +
> +bool __init trust_moklist(void)
> +{
> + static bool initialized;
> +
> + if (!initialized) {
> + initialized = true;
> +
> + if (uefi_check_trust_mok_keys())
> + trust_mok = true;
> + }
> +
> + return trust_mok;
> +}
> --
> 2.18.4
>

Reviewed-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>

Mimi, have you tested these patches already?

/Jarkko