integrity: Only use machine keyring when uefi_check_trust_mok_keys is true

author Eric Snowberg <eric.snowberg@oracle.com>

Wed, 26 Jan 2022 02:58:34 +0000 (21:58 -0500)

committer Jarkko Sakkinen <jarkko@kernel.org>

Tue, 8 Mar 2022 11:55:52 +0000 (13:55 +0200)
author Eric Snowberg <eric.snowberg@oracle.com>
Wed, 26 Jan 2022 02:58:34 +0000 (21:58 -0500)
committer Jarkko Sakkinen <jarkko@kernel.org>
Tue, 8 Mar 2022 11:55:52 +0000 (13:55 +0200)
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c

index 7b719aa..c8c8a4a 100644 (file)
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -112,7 +112,7 @@ static int __init __integrity_init_keyring(const unsigned int id,
         } else {
                 if (id == INTEGRITY_KEYRING_PLATFORM)
                         set_platform_trusted_keys(keyring[id]);
-               if (id == INTEGRITY_KEYRING_MACHINE)
+               if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist())
                         set_machine_trusted_keys(keyring[id]);
                 if (id == INTEGRITY_KEYRING_IMA)
                         load_module_cert(keyring[id]);
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h

index 730771e..2e214c7 100644 (file)
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -287,9 +287,14 @@ static inline void __init add_to_platform_keyring(const char *source,
  
  #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
  void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
+bool __init trust_moklist(void);
  #else
  static inline void __init add_to_machine_keyring(const char *source,
                                                   const void *data, size_t len)
  {
  }
+static inline bool __init trust_moklist(void)
+{
+       return false;
+}
  #endif
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c

index 4872850..1db4d3b 100644 (file)
--- a/security/integrity/platform_certs/keyring_handler.c
+++ b/security/integrity/platform_certs/keyring_handler.c
@@ -83,7 +83,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
  __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
  {
         if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
-               if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
+               if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist())
                         return add_to_machine_keyring;
                 else
                         return add_to_platform_keyring;
diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c

index 09fd8f2..7aaed79 100644 (file)
--- a/security/integrity/platform_certs/machine_keyring.c
+++ b/security/integrity/platform_certs/machine_keyring.c
@@ -8,6 +8,8 @@
  #include <linux/efi.h>
  #include "../integrity.h"
  
+static bool trust_mok;
+
  static __init int machine_keyring_init(void)
  {
         int rc;
@@ -59,3 +61,17 @@ static __init bool uefi_check_trust_mok_keys(void)
  
         return false;
  }
+
+bool __init trust_moklist(void)
+{
+       static bool initialized;
+
+       if (!initialized) {
+               initialized = true;
+
+               if (uefi_check_trust_mok_keys())
+                       trust_mok = true;
+       }
+
+       return trust_mok;
+}
author	Eric Snowberg <eric.snowberg@oracle.com>
	Wed, 26 Jan 2022 02:58:34 +0000 (21:58 -0500)
committer	Jarkko Sakkinen <jarkko@kernel.org>
	Tue, 8 Mar 2022 11:55:52 +0000 (13:55 +0200)
security/integrity/digsig.c		patch \| blob \| history
security/integrity/integrity.h		patch \| blob \| history
security/integrity/platform_certs/keyring_handler.c		patch \| blob \| history
security/integrity/platform_certs/machine_keyring.c		patch \| blob \| history