0001 // SPDX-License-Identifier: GPL-2.0
0002 /*
0003  * Machine keyring routines.
0004  *
0005  * Copyright (c) 2021, Oracle and/or its affiliates.
0006  */
0007 
0008 #include <linux/efi.h>
0009 #include "../integrity.h"
0010 
/*
 * Whether MOK (Machine Owner Key) list keys are trusted in the machine
 * keyring.  Zero-initialised (false) and only ever set to true, by
 * trust_moklist() on its first call, when the MokListTrustedRT mokvar
 * entry is present.  Nothing else in this file writes it.
 */
static bool trust_mok;
0012 
/*
 * Create the machine keyring (INTEGRITY_KEYRING_MACHINE).
 *
 * Returns 0 on success, otherwise whatever error integrity_init_keyring()
 * reported; in that case nothing is logged here and the keyring is absent,
 * so later add_to_machine_keyring() calls are expected to fail.
 */
static __init int machine_keyring_init(void)
{
	int err = integrity_init_keyring(INTEGRITY_KEYRING_MACHINE);

	if (err)
		return err;

	pr_notice("Machine keyring initialized\n");
	return 0;
}
/* Run machine_keyring_init() during boot at device_initcall level. */
device_initcall(machine_keyring_init);
0025 
/*
 * Load one certificate into the machine keyring, falling back to the
 * platform keyring when the machine keyring will not take it.
 *
 * @source: human-readable origin of the key, used only in the log message
 * @data:   DER blob handed to integrity_load_cert()
 * @len:    length of @data in bytes
 *
 * The key is added with all possessor permissions except SETATTR, plus
 * VIEW for the owning user, so it cannot be modified after the fact.
 *
 * NOTE(review): the fallback is taken on *any* non-zero return from the
 * machine keyring load, not only on a restriction failure as the comment
 * below suggests — an allocation or parse error would also send the key
 * on to the platform keyring (where it would most likely fail again).
 * Confirm that is intended.  When no platform keyring is configured a
 * rejected key is simply dropped with a pr_info().  The log line names
 * the machine keyring even when the platform fallback is what failed and
 * does not include the error code, which makes diagnosis harder.
 */
void __init add_to_machine_keyring(const char *source, const void *data, size_t len)
{
	const key_perm_t perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
	int err;

	err = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source, data, len, perm);
	if (!err)
		return;

	/*
	 * Some MOKList keys may not pass the machine keyring restrictions.
	 * If the restriction check does not pass and the platform keyring
	 * is configured, try to add it into that keyring instead.  That
	 * keyring carries less trust than the machine keyring, so the key
	 * is not silently promoted.
	 */
	if (IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
		err = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
					  data, len, perm);

	if (err)
		pr_info("Error adding keys to machine keyring %s\n", source);
}
0046 
/*
 * Report whether the MokListTrustedRT MOK variable was published by the
 * boot loader, which is the signal that MOK keys may be trusted within
 * the machine keyring.
 *
 * Returns true if efi_mokvar_entry_find() locates an entry with that
 * name, false otherwise.  A missing variable is not an error: it simply
 * means MOK keys are not to be trusted in the machine keyring.
 *
 * NOTE(review): this is a presence-only check — the entry's contents are
 * never inspected.  Trust therefore rests entirely on the mokvar table
 * being populated only by a trusted boot loader / firmware path; confirm
 * that assumption holds for the platforms this is enabled on.
 */
static __init bool uefi_check_trust_mok_keys(void)
{
	return efi_mokvar_entry_find("MokListTrustedRT") != NULL;
}
0064 
/*
 * Return whether MOK list keys should be trusted in the machine keyring.
 *
 * The underlying EFI lookup (uefi_check_trust_mok_keys()) runs exactly
 * once, on the first call; every later call returns the cached answer in
 * trust_mok.  The latch is a plain static, which is fine for __init code
 * running on a single CPU but provides no synchronisation beyond that.
 */
bool __init trust_moklist(void)
{
	static bool checked;

	if (checked)
		return trust_mok;

	checked = true;
	if (uefi_check_trust_mok_keys())
		trust_mok = true;

	return trust_mok;
}