[PATCH RFC 02/12] KEYS: Allow unrestricted keys to be moved to the secondary keyring

Eric Snowberg eric.snowberg at oracle.com
Wed Jul 7 02:43:53 UTC 2021


Allow keys to be moved into the secondary keyring without checking its
trust chain.  This is available only during kernel initialization.

This will allow keys in the MOK list to be added during boot.

Signed-off-by: Eric Snowberg <eric.snowberg at oracle.com>
---
 certs/system_keyring.c        | 25 +++++++++++++++++++++++++
 include/keys/system_keyring.h |  7 +++++++
 2 files changed, 32 insertions(+)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 692365dee2bd..f02bc5832684 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -90,6 +90,31 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void
 
 	return restriction;
 }
+
+/**
+ * move_to_trusted_secondary_keyring - Move to the secondary trusted
+ * keyring with no validation.
+ * @key: The key to add to the secondary trusted keyring
+ * @from_keyring: The keyring containing the key to move from
+ *
+ * Move key to the secondary keyring without checking its trust chain.  This
+ * is available only during kernel initialization.
+ */
+__init int move_to_trusted_secondary_keyring(struct key *key, struct key *from_keyring)
+{
+	int ret;
+
+	ret = key_move(key, from_keyring, secondary_trusted_keys,
+		       KEY_ALLOC_BYPASS_RESTRICTION);
+
+	if (ret)
+		pr_err("Problem loading X.509 certificate %d\n", ret);
+	else
+		pr_notice("Loaded X.509 cert '%s' linked to secondary sys keyring\n",
+			  key->description);
+
+	return ret;
+}
 #endif
 
 /*
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 6acd3cf13a18..f40837026d6d 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -34,8 +34,15 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
 	const struct key_type *type,
 	const union key_payload *payload,
 	struct key *restriction_key);
+extern __init int move_to_trusted_secondary_keyring(struct key *key,
+						    struct key *from_keyring);
 #else
 #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
+static inline __init int move_to_trusted_secondary_keyring(struct key *key,
+							   struct key *from_keyring)
+{
+	return -EKEYREVOKED;
+}
 #endif
 
 extern struct pkcs7_message *pkcs7;
-- 
2.18.4



More information about the Linux-security-module-archive mailing list