Linux/security/integrity/platform_certs/machine

Version: ~ [ linux-6.11.5 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.58 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.114 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.169 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.228 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.284 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.322 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Machine keyring routines. 4 * 5 * Copyright (c) 2021, Oracle and/or its affiliates. 6 */ 7 8 #include <linux/efi.h> 9 #include "../integrity.h" 10 11 static __init int machine_keyring_init(void) 12 { 13 int rc; 14 15 rc = integrity_init_keyring(INTEGRITY_KEYRING_MACHINE); 16 if (rc) 17 return rc; 18 19 pr_notice("Machine keyring initialized\n"); 20 return 0; 21 } 22 device_initcall(machine_keyring_init); 23 24 void __init add_to_machine_keyring(const char *source, const void *data, size_t len) 25 { 26 key_perm_t perm; 27 int rc; 28 29 perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW; 30 rc = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source, data, len, perm); 31 32 /* 33 * Some MOKList keys may not pass the machine keyring restrictions. 34 * If the restriction check does not pass and the platform keyring 35 * is configured, try to add it into that keyring instead. 36 */ 37 if (rc && efi_enabled(EFI_BOOT) && 38 IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) 39 rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, 40 data, len, perm); 41 42 if (rc) 43 pr_info("Error adding keys to machine keyring %s\n", source); 44 } 45 46 /* 47 * Try to load the MokListTrustedRT MOK variable to see if we should trust 48 * the MOK keys within the kernel. It is not an error if this variable 49 * does not exist. If it does not exist, MOK keys should not be trusted 50 * within the machine keyring. 51 */ 52 static __init bool uefi_check_trust_mok_keys(void) 53 { 54 struct efi_mokvar_table_entry *mokvar_entry; 55 56 mokvar_entry = efi_mokvar_entry_find("MokListTrustedRT"); 57 58 if (mokvar_entry) 59 return true; 60 61 return false; 62 } 63 64 static bool __init trust_moklist(void) 65 { 66 static bool initialized; 67 static bool trust_mok; 68 69 if (!initialized) { 70 initialized = true; 71 trust_mok = false; 72 73 if (uefi_check_trust_mok_keys()) 74 trust_mok = true; 75 } 76 77 return trust_mok; 78 } 79 80 /* 81 * Provides platform specific check for trusting imputed keys before loading 82 * on .machine keyring. UEFI systems enable this trust based on a variable, 83 * and for other platforms, it is always enabled. 84 */ 85 bool __init imputed_trust_enabled(void) 86 { 87 if (efi_enabled(EFI_BOOT)) 88 return trust_moklist(); 89 90 return true; 91 } 92

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

TOMOYO Linux Cross Reference Linux/security/integrity/platform_certs/machine_keyring.c

TOMOYO Linux Cross Reference
Linux/security/integrity/platform_certs/machine_keyring.c