[PATCH RFC 11/12] integrity: move keys from the mok keyring into the secondary keyring
Eric Snowberg
eric.snowberg at oracle.com
Wed Jul  7 02:44:02 UTC 2021

Keys added to the mok keyring are only stored there temporarily. After
passing the permissions check, move the key from the mok keyring into
the secondary trusted keyring.

Signed-off-by: Eric Snowberg <eric.snowberg at oracle.com>
---
 security/integrity/digsig.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 07547f1a4806..e301cee037bf 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -175,8 +175,13 @@ static int __init integrity_add_key(const unsigned int id, const void *data,
 		rc = PTR_ERR(key);
 		pr_err("Problem loading X.509 certificate %d\n", rc);
 	} else {
-		pr_notice("Loaded X.509 cert '%s'\n",
-			  key_ref_to_ptr(key)->description);
+		if (id == INTEGRITY_KEYRING_MOK)
+			rc = move_to_trusted_secondary_keyring(key_ref_to_ptr(key),
+							       keyring[id]);
+		else
+			pr_notice("Loaded X.509 cert '%s'\n",
+				  key_ref_to_ptr(key)->description);
+
 		key_ref_put(key);
 	}
 
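Review bot: In the new `if (id == INTEGRITY_KEYRING_MOK)` branch, the result of `move_to_trusted_secondary_keyring()` is stored in `rc` but nothing is logged on either outcome, and the `pr_notice("Loaded X.509 cert '%s'\n", ...)` line now runs only for the other keyrings. A key gaining trust through the secondary keyring is an event worth having in the boot log, so consider a `pr_notice` with the key description when the move succeeds and a `pr_err` with `rc` when it fails, in the style of the existing "Problem loading X.509 certificate" message. The commit message says the move happens after the permissions check, but in this hunk the move depends only on the keyring id and on key creation not having returned an error; a short comment stating where that check is enforced would help readers of this function.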
-- 
2.18.4