diff mbox series

[RFC,11/12] integrity: move keys from the mok keyring into the secondary keyring

Message ID 20210707024403.1083977-12-eric.snowberg@oracle.com (mailing list archive)
State Not Applicable
Delegated to: Herbert Xu
Headers show
Series Enroll kernel keys thru MOK | expand

Commit Message

Eric Snowberg July 7, 2021, 2:44 a.m. UTC 
Keys added to the mok keyring are only stored there temporarily. After
passing the permissions check, move the key from the mok keyring into
the secondary trusted keyring.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 security/integrity/digsig.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff mbox series

Patch

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 07547f1a4806..e301cee037bf 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -175,8 +175,13 @@  static int __init integrity_add_key(const unsigned int id, const void *data,
 		rc = PTR_ERR(key);
 		pr_err("Problem loading X.509 certificate %d\n", rc);
 	} else {
-		pr_notice("Loaded X.509 cert '%s'\n",
-			  key_ref_to_ptr(key)->description);
+		if (id == INTEGRITY_KEYRING_MOK)
+			rc = move_to_trusted_secondary_keyring(key_ref_to_ptr(key),
+							       keyring[id]);
+		else
+			pr_notice("Loaded X.509 cert '%s'\n",
+				  key_ref_to_ptr(key)->description);
+
 		key_ref_put(key);
 	}