diff options
Diffstat (limited to 'security/integrity/platform_certs')
-rw-r--r-- | security/integrity/platform_certs/keyring_handler.c | 2 | ||||
-rw-r--r-- | security/integrity/platform_certs/machine_keyring.c | 16 |
2 files changed, 17 insertions, 1 deletions
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 4872850d081f..1db4d3b4356d 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -83,7 +83,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) { if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { - if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING)) + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist()) return add_to_machine_keyring; else return add_to_platform_keyring; diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c index 09fd8f20c756..7aaed7950b6e 100644 --- a/security/integrity/platform_certs/machine_keyring.c +++ b/security/integrity/platform_certs/machine_keyring.c @@ -8,6 +8,8 @@ #include <linux/efi.h> #include "../integrity.h" +static bool trust_mok; + static __init int machine_keyring_init(void) { int rc; @@ -59,3 +61,17 @@ static __init bool uefi_check_trust_mok_keys(void) return false; } + +bool __init trust_moklist(void) +{ + static bool initialized; + + if (!initialized) { + initialized = true; + + if (uefi_check_trust_mok_keys()) + trust_mok = true; + } + + return trust_mok; +} |