// SPDX-License-Identifier: GPL-2.0
/*
* Machine keyring routines.
*
* Copyright (c) 2021, Oracle and/or its affiliates.
*/
#include <linux/efi.h>
#include "../integrity.h"
/*
 * Create the .machine keyring at boot.
 *
 * Returns 0 on success, otherwise the error from integrity_init_keyring().
 * The notice is only printed when the keyring was actually created.
 */
static __init int machine_keyring_init(void)
{
	int ret = integrity_init_keyring(INTEGRITY_KEYRING_MACHINE);

	if (!ret)
		pr_notice("Machine keyring initialized\n");

	return ret;
}
/* Registered as a device-level initcall; runs once during kernel init. */
device_initcall(machine_keyring_init);
/*
 * Load one certificate blob into the .machine keyring.
 *
 * @source: human-readable origin of the key, used only in the log message
 * @data:   DER-encoded certificate bytes
 * @len:    length of @data in bytes
 *
 * Failures are logged but not propagated: this runs at init and the caller
 * cannot do anything about a single rejected key.
 */
void __init add_to_machine_keyring(const char *source, const void *data, size_t len)
{
	/*
	 * Possessor gets every permission except changing attributes;
	 * everyone else may only view the key.
	 */
	const key_perm_t key_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
	int ret = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source,
				      data, len, key_perm);

	if (ret) {
		/*
		 * Some MOKList keys do not satisfy the .machine keyring
		 * restriction. On EFI systems with the platform keyring
		 * configured, retry into that keyring instead.
		 *
		 * NOTE(review): the retry is taken on any non-zero ret, not
		 * only on a restriction failure; efi_enabled() is only
		 * evaluated once the first load has failed.
		 */
		if (efi_enabled(EFI_BOOT) &&
		    IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
			ret = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM,
						  source, data, len, key_perm);
	}

	/*
	 * Logged for either keyring; the message names the machine keyring
	 * even when the platform keyring fallback was what failed.
	 */
	if (ret)
		pr_info("Error adding keys to machine keyring %s\n", source);
}
/*
 * Report whether the firmware-provided MokListTrustedRT MOK variable is
 * present. Only its existence is checked, not its contents. A missing
 * variable is not an error: it simply means MOK keys must not be trusted
 * within the machine keyring.
 *
 * Returns true when the variable was found in the mokvar table.
 */
static __init bool uefi_check_trust_mok_keys(void)
{
	return efi_mokvar_entry_find("MokListTrustedRT") != NULL;
}
/*
 * Decide, once, whether MOK keys are trusted on this boot.
 *
 * The answer is cached in function-static state so the firmware variable
 * is consulted only on the first call; later calls return the cached value.
 */
static bool __init trust_moklist(void)
{
	static bool initialized;
	static bool trust_mok;

	if (!initialized) {
		/* Mark before querying so a repeat call never re-evaluates. */
		initialized = true;
		trust_mok = uefi_check_trust_mok_keys();
	}

	return trust_mok;
}
/*
 * Platform-specific gate for trusting imputed keys before they are loaded
 * onto the .machine keyring.
 *
 * On UEFI boots the decision comes from the MOK trust variable (see
 * trust_moklist()); every other platform is treated as trusted.
 *
 * Returns true when imputed keys may be trusted.
 */
bool __init imputed_trust_enabled(void)
{
	if (!efi_enabled(EFI_BOOT))
		return true;

	return trust_moklist();
}