
[v3,04/14] integrity: add add_to_mok_keyring

Message ID 20210812021855.3083178-5-eric.snowberg@oracle.com
State New

Commit Message

Eric Snowberg Aug. 12, 2021, 2:18 a.m. UTC
Add the ability to load Machine Owner Key (MOK) keys to the mok keyring.
If the permissions do not allow the key to be added to the mok keyring,
this is not an error; add it to the platform keyring instead.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
v1: Initial version
v3: Unmodified from v1
---
 security/integrity/integrity.h                |  4 ++++
 .../integrity/platform_certs/mok_keyring.c    | 21 +++++++++++++++++++
 2 files changed, 25 insertions(+)

Comments

Jarkko Sakkinen Aug. 12, 2021, 7:32 p.m. UTC | #1
On Wed, Aug 11, 2021 at 10:18:45PM -0400, Eric Snowberg wrote:
> Add the ability to load Machine Owner Key (MOK) keys to the mok keyring.
> If the permissions do not allow the key to be added to the mok keyring
> this is not an error, add it to the platform keyring instead.

Should state why it isn't an error for clarity.

/Jarkko

> 
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> ---
> v1: Initial version
> v3: Unmodified from v1
> ---
>  security/integrity/integrity.h                |  4 ++++
>  .../integrity/platform_certs/mok_keyring.c    | 21 +++++++++++++++++++
>  2 files changed, 25 insertions(+)
> 
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index e0e17ccba2e6..60d5c7ba05b2 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -278,9 +278,13 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
>  #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
>  void __init add_to_platform_keyring(const char *source, const void *data,
>  				    size_t len);
> +void __init add_to_mok_keyring(const char *source, const void *data, size_t len);
>  #else
>  static inline void __init add_to_platform_keyring(const char *source,
>  						  const void *data, size_t len)
>  {
>  }
> +void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
> +{
> +}
>  #endif
> diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c
> index fe4f2d336260..f260edac0863 100644
> --- a/security/integrity/platform_certs/mok_keyring.c
> +++ b/security/integrity/platform_certs/mok_keyring.c
> @@ -21,6 +21,27 @@ static __init int mok_keyring_init(void)
>  }
>  device_initcall(mok_keyring_init);
>  
> +void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
> +{
> +	key_perm_t perm;
> +	int rc;
> +
> +	perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
> +	rc = integrity_load_cert(INTEGRITY_KEYRING_MOK, source, data, len, perm);
> +
> +	/*
> +	 * If the mok keyring restrictions prevented the cert from loading,
> +	 * this is not an error.  Just load it into the platform keyring
> +	 * instead.
> +	 */
> +	if (rc)
> +		rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
> +					 data, len, perm);
> +
> +	if (rc)
> +		pr_info("Error adding keys to mok keyring %s\n", source);
> +}
> +
>  /*
>   * Try to load the MokListTrustedRT UEFI variable to see if we should trust
>   * the mok keys within the kernel. It is not an error if this variable
> -- 
> 2.18.4
> 
>

Patch

diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index e0e17ccba2e6..60d5c7ba05b2 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -278,9 +278,13 @@  integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
 void __init add_to_platform_keyring(const char *source, const void *data,
 				    size_t len);
+void __init add_to_mok_keyring(const char *source, const void *data, size_t len);
 #else
 static inline void __init add_to_platform_keyring(const char *source,
 						  const void *data, size_t len)
 {
 }
+void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
+{
+}
 #endif
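Review bot: The `#else` stub of add_to_mok_keyring is a non-static, non-inline definition placed in a header, so every translation unit that includes integrity.h with CONFIG_INTEGRITY_PLATFORM_KEYRING disabled emits its own `add_to_mok_keyring` symbol and the link fails with a multiple-definition error. The add_to_platform_keyring stub directly above shows the intended form; the new stub should open with `static inline void __init add_to_mok_keyring(const char *source,` and wrap the remaining parameters like its neighbour. While at it, the declaration in the `#ifdef` branch is over 80 columns and would read better wrapped the same way as the add_to_platform_keyring prototype.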
diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c
index fe4f2d336260..f260edac0863 100644
--- a/security/integrity/platform_certs/mok_keyring.c
+++ b/security/integrity/platform_certs/mok_keyring.c
@@ -21,6 +21,27 @@  static __init int mok_keyring_init(void)
 }
 device_initcall(mok_keyring_init);
 
+void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
+{
+	key_perm_t perm;
+	int rc;
+
+	perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
+	rc = integrity_load_cert(INTEGRITY_KEYRING_MOK, source, data, len, perm);
+
+	/*
+	 * If the mok keyring restrictions prevented the cert from loading,
+	 * this is not an error.  Just load it into the platform keyring
+	 * instead.
+	 */
+	if (rc)
+		rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
+					 data, len, perm);
+
+	if (rc)
+		pr_info("Error adding keys to mok keyring %s\n", source);
+}
+
 /*
  * Try to load the MokListTrustedRT UEFI variable to see if we should trust
  * the mok keys within the kernel. It is not an error if this variable
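Review bot: The fallback to the platform keyring is taken on any non-zero rc, not only when the mok keyring's restriction rejected the certificate as the comment claims, so a malformed blob or an allocation failure from the first integrity_load_cert() is parsed a second time and then reported under a misleading message. The fallback should be limited to the error code returned when the keyring restriction refuses the key (presumably the value integrity_load_cert() propagates from the restriction hook; confirm against keyring code outside this hunk), with every other rc reported immediately. The demotion itself is also silent, which hides which MOK keys ended up untrusted; a `pr_info("Not adding %s to mok keyring, using platform keyring\n", source);` on the fallback path would make that visible in the boot log. Finally, the trailing message is printed only after the platform keyring load failed, so `pr_info("Error adding keys to platform keyring %s (%d)\n", source, rc);` would state what actually went wrong.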