[PATCH RFC v2 10/12] KEYS: link system_trusted_keys to mok_trusted_keys
Eric Snowberg
eric.snowberg at oracle.com
Mon Jul 26 17:13:17 UTC 2021
Allow the .mok keyring to be linked to either the builtin_trusted_keys
or the secondary_trusted_keys. If CONFIG_SECONDARY_TRUSTED_KEYRING is
enabled, mok keys are linked to the secondary_trusted_keys. Otherwise
they are linked to the builtin_trusted_keys. After the link is created,
keys contained in the .mok keyring will automatically be searched when
searching either builtin_trusted_keys or secondary_trusted_keys.
Signed-off-by: Eric Snowberg <eric.snowberg at oracle.com>
---
v2: Initial version
---
certs/system_keyring.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index dcaf74102ab2..b27ae30eaadc 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -45,6 +45,15 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring,
const union key_payload *payload,
struct key *restriction_key)
{
+ /* If the secondary trusted keyring is not enabled, we may link
+ * through to the mok keyring and the search may follow that link.
+ */
+ if (mok_trusted_keys && type == &key_type_keyring &&
+ dest_keyring == builtin_trusted_keys &&
+ payload == &mok_trusted_keys->payload)
+ /* Allow the mok keyring to be added to the builtin */
+ return 0;
+
return restrict_link_by_signature(dest_keyring, type, payload,
builtin_trusted_keys);
}
@@ -91,6 +100,15 @@ int restrict_link_by_builtin_and_secondary_trusted(
/* Allow the builtin keyring to be added to the secondary */
return 0;
+ /* If we have a secondary trusted keyring, it may contain a link
+ * through to the mok keyring and the search may follow that link.
+ */
+ if (mok_trusted_keys && type == &key_type_keyring &&
+ dest_keyring == secondary_trusted_keys &&
+ payload == &mok_trusted_keys->payload)
+ /* Allow the mok keyring to be added to the secondary */
+ return 0;
+
return restrict_link_by_signature(dest_keyring, type, payload,
secondary_trusted_keys);
}
@@ -321,5 +339,8 @@ void __init set_platform_trusted_keys(struct key *keyring)
void __init set_mok_trusted_keys(struct key *keyring)
{
mok_trusted_keys = keyring;
+
+ if (key_link(system_trusted_keys, mok_trusted_keys) < 0)
+ panic("Can't link (mok) trusted keyrings\n");
}
#endif
--
2.18.4
More information about the Linux-security-module-archive
mailing list