// SPDX-License-Identifier: GPL-2.0
/*
 * Machine keyring routines.
 *
 * Copyright (c) 2021, Oracle and/or its affiliates.
 */

#include <linux/efi.h>
#include "../integrity.h"

/*
 * Whether keys from the MOK list are trusted within the machine keyring.
 * Written only by trust_moklist(), and only ever raised to true; the
 * decision is taken once and then cached for the lifetime of the kernel.
 */
static bool trust_mok;

/*
 * machine_keyring_init - create the machine keyring at device_initcall time
 *
 * Return: 0 on success, otherwise the error from integrity_init_keyring().
 */
static __init int machine_keyring_init(void)
{
	int rc = integrity_init_keyring(INTEGRITY_KEYRING_MACHINE);

	if (!rc)
		pr_notice("Machine keyring initialized\n");

	return rc;
}
device_initcall(machine_keyring_init);

/**
 * add_to_machine_keyring - load one certificate into the machine keyring
 * @source: name of where the key came from; used only in the failure message
 * @data: certificate bytes handed straight to integrity_load_cert()
 * @len: length of @data in bytes
 *
 * The key gets the possessor's full permission set minus SETATTR, plus
 * VIEW for the user. If the machine keyring's restriction rejects the key
 * and the platform keyring is configured, the same key is offered to the
 * platform keyring instead. Failure of the last attempt is only logged;
 * nothing is returned to the caller.
 */
void __init add_to_machine_keyring(const char *source, const void *data, size_t len)
{
	const key_perm_t perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
	int rc = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source, data, len, perm);

	if (!rc)
		return;

	/*
	 * Some MOKList keys may not pass the machine keyring restrictions.
	 * Fall back to the platform keyring when that keyring is configured.
	 */
	if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
		rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
					 data, len, perm);

	if (rc)
		pr_info("Error adding keys to machine keyring %s\n", source);
}

/*
 * uefi_check_trust_mok_keys - look for the MokListTrustedRT MOK variable
 *
 * Only the presence of the entry in the EFI MOK variable table decides the
 * result; its contents are not examined. The variable being absent is not
 * an error, it simply means MOK keys are not trusted in the machine keyring.
 *
 * Return: true if the entry exists, false otherwise.
 */
static __init bool uefi_check_trust_mok_keys(void)
{
	return efi_mokvar_entry_find("MokListTrustedRT") != NULL;
}

/**
 * trust_moklist - report whether MOK list keys should be trusted
 *
 * The UEFI lookup is performed once, on the first call; every later call
 * returns the cached answer without consulting firmware again.
 *
 * Return: true if MokListTrustedRT was found on the first call, else false.
 */
bool __init trust_moklist(void)
{
	static bool initialized;

	if (initialized)
		return trust_mok;

	initialized = true;
	if (uefi_check_trust_mok_keys())
		trust_mok = true;

	return trust_mok;
}