Message ID | 20210812021855.3083178-5-eric.snowberg@oracle.com (mailing list archive) |
---|---|
State | New |
Series | Enroll kernel keys thru MOK |
On Wed, Aug 11, 2021 at 10:18:45PM -0400, Eric Snowberg wrote: > Add the ability to load Machine Owner Key (MOK) keys to the mok keyring. > If the permissions do not allow the key to be added to the mok keyring > this is not an error, add it to the platform keyring instead. Should state why it isn't an error for clarity. /Jarkko > > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > --- > v1: Initial version > v3: Unmodified from v1 > --- > security/integrity/integrity.h | 4 ++++ > .../integrity/platform_certs/mok_keyring.c | 21 +++++++++++++++++++ > 2 files changed, 25 insertions(+) > > diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h > index e0e17ccba2e6..60d5c7ba05b2 100644 > --- a/security/integrity/integrity.h > +++ b/security/integrity/integrity.h > @@ -278,9 +278,13 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) > #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > void __init add_to_platform_keyring(const char *source, const void *data, > size_t len); > +void __init add_to_mok_keyring(const char *source, const void *data, size_t len); > #else > static inline void __init add_to_platform_keyring(const char *source, > const void *data, size_t len) > { > } > +void __init add_to_mok_keyring(const char *source, const void *data, size_t len) > +{ > +} > #endif > diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c > index fe4f2d336260..f260edac0863 100644 > --- a/security/integrity/platform_certs/mok_keyring.c > +++ b/security/integrity/platform_certs/mok_keyring.c 
> @@ -21,6 +21,27 @@ static __init int mok_keyring_init(void) > } > device_initcall(mok_keyring_init); > > +void __init add_to_mok_keyring(const char *source, const void *data, size_t len) > +{ > + key_perm_t perm; > + int rc; > + > + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW; > + rc = integrity_load_cert(INTEGRITY_KEYRING_MOK, source, data, len, perm); > + > + /* > + * If the mok keyring restrictions prevented the cert from loading, > + * this is not an error. Just load it into the platform keyring > + * instead. > + */ > + if (rc) > + rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, > + data, len, perm); > + > + if (rc) > + pr_info("Error adding keys to mok keyring %s\n", source); > +} > + > /* > * Try to load the MokListTrustedRT UEFI variable to see if we should trust > * the mok keys within the kernel. It is not an error if this variable > -- > 2.18.4 > >
> On Aug 12, 2021, at 1:32 PM, Jarkko Sakkinen <jarkko@kernel.org> wrote:
>
> On Wed, Aug 11, 2021 at 10:18:45PM -0400, Eric Snowberg wrote:
>> Add the ability to load Machine Owner Key (MOK) keys to the mok keyring.
>> If the permissions do not allow the key to be added to the mok keyring
>> this is not an error, add it to the platform keyring instead.
>
> Should state why it isn't an error for clarity.

I'll add that in the next round, thanks.
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index e0e17ccba2e6..60d5c7ba05b2 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -278,9 +278,13 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING void __init add_to_platform_keyring(const char *source, const void *data, size_t len); +void __init add_to_mok_keyring(const char *source, const void *data, size_t len); #else static inline void __init add_to_platform_keyring(const char *source, const void *data, size_t len) { } +void __init add_to_mok_keyring(const char *source, const void *data, size_t len) +{ +} #endif diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c index fe4f2d336260..f260edac0863 100644 --- a/security/integrity/platform_certs/mok_keyring.c +++ b/security/integrity/platform_certs/mok_keyring.c @@ -21,6 +21,27 @@ static __init int mok_keyring_init(void) } device_initcall(mok_keyring_init); +void __init add_to_mok_keyring(const char *source, const void *data, size_t len) +{ + key_perm_t perm; + int rc; + + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW; + rc = integrity_load_cert(INTEGRITY_KEYRING_MOK, source, data, len, perm); + + /* + * If the mok keyring restrictions prevented the cert from loading, + * this is not an error. Just load it into the platform keyring + * instead. + */ + if (rc) + rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, + data, len, perm); + + if (rc) + pr_info("Error adding keys to mok keyring %s\n", source); +} + /* * Try to load the MokListTrustedRT UEFI variable to see if we should trust * the mok keys within the kernel. It is not an error if this variable
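Review bot: in the integrity.h hunk, the `#else` stub `+void __init add_to_mok_keyring(const char *source, const void *data, size_t len) +{ +}` is a non-static, non-inline function definition placed in a header, so every translation unit that includes integrity.h with CONFIG_INTEGRITY_PLATFORM_KEYRING disabled emits its own copy and the link fails with a multiple-definition error. It should mirror the `add_to_platform_keyring` stub directly above it: `static inline void __init add_to_mok_keyring(const char *source, const void *data, size_t len) { }`.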
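Review bot: in the mok_keyring.c hunk, the fallback `if (rc) rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, ...)` retries on every non-zero return, not only when the .mok keyring's restriction rejects the certificate, so a certificate that fails to parse or an allocation failure is also silently redirected to the platform keyring and the original rc is discarded; check for the restriction's specific rejection before falling back, or at least log the first rc before overwriting it. The final `pr_info("Error adding keys to mok keyring %s\n", source)` is also misleading, since at that point the failure came from the platform keyring; name the keyring that actually failed and include rc in the message. The comment block should also state why a restriction rejection is expected here rather than only asserting that it is not an error, which is the point Jarkko raised on the cover text.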
Add the ability to load Machine Owner Key (MOK) keys to the mok keyring.
If the permissions do not allow the key to be added to the mok keyring
this is not an error, add it to the platform keyring instead.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
v1: Initial version
v3: Unmodified from v1
---
 security/integrity/integrity.h             |  4 ++++
 .../integrity/platform_certs/mok_keyring.c | 21 +++++++++++++++++++
 2 files changed, 25 insertions(+)