// SPDX-License-Identifier: GPL-2.0
/*
 * Machine keyring routines.
 *
 * Copyright (c) 2021, Oracle and/or its affiliates.
 */

#include <linux/efi.h>
#include "../integrity.h"

/*
 * Create the .machine keyring at boot.
 *
 * Returns 0 on success, otherwise the error code reported by
 * integrity_init_keyring(); the notice is only logged on success.
 */
static __init int machine_keyring_init(void)
{
	int ret = integrity_init_keyring(INTEGRITY_KEYRING_MACHINE);

	if (!ret)
		pr_notice("Machine keyring initialized\n");

	return ret;
}
device_initcall(machine_keyring_init);

/*
 * Load one certificate into the .machine keyring.
 *
 * @source: human-readable origin of the key, used only in the error log
 * @data:   DER-encoded certificate
 * @len:    length of @data in bytes
 *
 * The key is created with full possessor rights except SETATTR and with
 * view-only access for the owning user, so an unprivileged user can list
 * the key but cannot alter or remove it.
 *
 * Failures are logged, not returned; the caller cannot distinguish a key
 * that was rejected from one that was loaded.
 */
void __init add_to_machine_keyring(const char *source, const void *data, size_t len)
{
	const key_perm_t perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
	int rc;

	rc = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source, data, len, perm);
	if (!rc)
		return;

	/*
	 * Some MOKList keys may not pass the machine keyring restrictions.
	 * If the restriction check does not pass and the platform keyring
	 * is configured, try to add it into that keyring instead.  The
	 * retry is only attempted on EFI boots.
	 */
	if (efi_enabled(EFI_BOOT) &&
	    IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
		rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
					 data, len, perm);

	/* Reached when both the .machine load and any .platform retry failed. */
	if (rc)
		pr_info("Error adding keys to machine keyring %s\n", source);
}

/*
 * Try to load the MokListTrustedRT MOK variable to see if we should trust
 * the MOK keys within the kernel. It is not an error if this variable
 * does not exist.  If it does not exist, MOK keys should not be trusted
 * within the machine keyring.
 *
 * Only the presence of the variable is checked; its contents are not
 * inspected here.
 */
static __init bool uefi_check_trust_mok_keys(void)
{
	return efi_mokvar_entry_find("MokListTrustedRT") != NULL;
}

/*
 * Return whether MOK keys are trusted, evaluating the UEFI check only once
 * and caching the answer in function-local statics for later calls.
 *
 * No locking is used around the cached state; the function is __init, so
 * presumably it is only reached during early boot — confirm with callers.
 */
static bool __init trust_moklist(void)
{
	static bool initialized;
	static bool trust_mok;

	if (initialized)
		return trust_mok;

	initialized = true;
	trust_mok = uefi_check_trust_mok_keys();

	return trust_mok;
}

/*
 * Provides platform specific check for trusting imputed keys before loading
 * on .machine keyring. UEFI systems enable this trust based on a variable,
 * and for other platforms, it is always enabled.
 *
 * On an EFI boot the answer is delegated to trust_moklist(); everywhere
 * else trust is unconditional.
 */
bool __init imputed_trust_enabled(void)
{
	return !efi_enabled(EFI_BOOT) || trust_moklist();
}