integrity, KEYS: add a reference to platform keyring

commit 9dc92c45177a ("integrity: Define a trusted platform keyring") introduced a .platform keyring for storing preboot keys, used for verifying kernel image signatures. Currently only IMA-appraisal is able to use the keyring to verify kernel images that have their signature stored in xattr. This patch exposes the .platform keyring, making it accessible for verifying PE signed kernel images as well. Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Kairui Song <kasong@redhat.com> Cc: David Howells <dhowells@redhat.com> [zohar@linux.ibm.com: fixed checkpatch errors, squashed with patch fix] Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
author: Kairui Song <kasong@redhat.com> 2019-01-21 17:59:28 +0800
committer: Mimi Zohar <zohar@linux.ibm.com> 2019-02-04 17:29:19 -0500
commit: 219a3e8676f3132d27b530c7d2d6bcab89536b57 (patch)
tree: a79baecc80144b604d059a6828057210c7a06b9e /security
parent: 2181e084b26bddca22bc3f23364c15809cfed28b (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index f45d6edecf99..e19c2eb72c51 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
 		pr_info("Can't allocate %s keyring (%d)\n",
 			keyring_name[id], err);
 		keyring[id] = NULL;
+	} else {
+		if (id == INTEGRITY_KEYRING_PLATFORM)
+			set_platform_trusted_keys(keyring[id]);
 	}
 
 	return err;
author	Kairui Song <kasong@redhat.com>	2019-01-21 17:59:28 +0800
committer	Mimi Zohar <zohar@linux.ibm.com>	2019-02-04 17:29:19 -0500
commit	219a3e8676f3132d27b530c7d2d6bcab89536b57 (patch)
tree	a79baecc80144b604d059a6828057210c7a06b9e /security
parent	2181e084b26bddca22bc3f23364c15809cfed28b (diff)