Message ID | 20211124044124.998170-11-eric.snowberg@oracle.com (mailing list archive) |
---|---|
State | New |
Headers | show |
Series | Enroll kernel keys thru MOK | expand |
On Tuesday, 2021-11-23 at 23:41:17 -05, Eric Snowberg wrote: > Expose the .machine keyring created in integrity code by adding > a reference. This makes the machine keyring accessible for keyring > restrictions in the future. > > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> > --- > v2: Initial version > v3: set_mok_trusted_keys only available when secondary is enabled > v4: Moved code under CONFIG_INTEGRITY_MOK_KEYRING > v5: Rename to machine keyring > v8: Unmodified from v5 > --- > certs/system_keyring.c | 9 +++++++++ > include/keys/system_keyring.h | 8 ++++++++ > 2 files changed, 17 insertions(+) > > diff --git a/certs/system_keyring.c b/certs/system_keyring.c > index 8f1f87579819..bc7e44fc82c2 100644 > --- a/certs/system_keyring.c > +++ b/certs/system_keyring.c > @@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys; > #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING > static struct key *secondary_trusted_keys; > #endif > +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING > +static struct key *machine_trusted_keys; > +#endif > #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > static struct key *platform_trusted_keys; > #endif > @@ -91,6 +94,12 @@ static __init struct key_restriction *get_secondary_restriction(void) > return restriction; > } > #endif > +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING > +void __init set_machine_trusted_keys(struct key *keyring) > +{ > + machine_trusted_keys = keyring; > +} > +#endif > > /* > * Create the trusted keyrings > diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h > index 6acd3cf13a18..98c9b10cdc17 100644 > --- a/include/keys/system_keyring.h > +++ b/include/keys/system_keyring.h > @@ -38,6 +38,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( > #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted > #endif > > +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING > +extern void __init set_machine_trusted_keys(struct key *keyring); > +#else > +static inline void __init set_machine_trusted_keys(struct key *keyring) > +{ > +} > +#endif > + > extern struct pkcs7_message *pkcs7; > #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING > extern int mark_hash_blacklisted(const char *hash); > -- > 2.18.4
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 8f1f87579819..bc7e44fc82c2 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING static struct key *secondary_trusted_keys; #endif +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +static struct key *machine_trusted_keys; +#endif #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING static struct key *platform_trusted_keys; #endif @@ -91,6 +94,12 @@ static __init struct key_restriction *get_secondary_restriction(void) return restriction; } #endif +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +void __init set_machine_trusted_keys(struct key *keyring) +{ + machine_trusted_keys = keyring; +} +#endif /* * Create the trusted keyrings diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 6acd3cf13a18..98c9b10cdc17 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -38,6 +38,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +extern void __init set_machine_trusted_keys(struct key *keyring); +#else +static inline void __init set_machine_trusted_keys(struct key *keyring) +{ +} +#endif + extern struct pkcs7_message *pkcs7; #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING extern int mark_hash_blacklisted(const char *hash);
Expose the .machine keyring created in integrity code by adding a reference. This makes the machine keyring accessible for keyring restrictions in the future. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- v2: Initial version v3: set_mok_trusted_keys only available when secondary is enabled v4: Moved code under CONFIG_INTEGRITY_MOK_KEYRING v5: Rename to machine keyring v8: Unmodified from v5 --- certs/system_keyring.c | 9 +++++++++ include/keys/system_keyring.h | 8 ++++++++ 2 files changed, 17 insertions(+)