diff options
| author |   Eric Snowberg <eric.snowberg@oracle.com> | 2022-01-25 21:58:30 -0500 |
|---|---|---|
| committer |   Jarkko Sakkinen <jarkko@kernel.org> | 2022-03-08 13:55:52 +0200 |
| commit | 56edb6c25f11f25df153f4804f2d5bced2b49a9e (patch) | |
| tree | 385a1e2f53f72f4c4ba2a198dcc8db85b1775784 | |
| parent | integrity: add new keyring handler for mok keys (diff) | |
| download | wireguard-linux-56edb6c25f11f25df153f4804f2d5bced2b49a9e.tar.xz wireguard-linux-56edb6c25f11f25df153f4804f2d5bced2b49a9e.zip | |
KEYS: store reference to machine keyring
Expose the .machine keyring created in integrity code by adding
a reference. Store a reference to the machine keyring in
system keyring code. The system keyring code needs this to complete
the keyring link to the machine keyring.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
| -rw-r--r-- | certs/system_keyring.c | 9 | ||||
| -rw-r--r-- | include/keys/system_keyring.h | 8 | ||||
| -rw-r--r-- | security/integrity/digsig.c | 2 |
3 files changed, 19 insertions, 0 deletions
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 692365dee2bd..08ea542c8096 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING static struct key *secondary_trusted_keys; #endif +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +static struct key *machine_trusted_keys; +#endif #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING static struct key *platform_trusted_keys; #endif @@ -91,6 +94,12 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void return restriction; } #endif +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +void __init set_machine_trusted_keys(struct key *keyring) +{ + machine_trusted_keys = keyring; +} +#endif /* * Create the trusted keyrings diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 6acd3cf13a18..98c9b10cdc17 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -38,6 +38,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +extern void __init set_machine_trusted_keys(struct key *keyring); +#else +static inline void __init set_machine_trusted_keys(struct key *keyring) +{ +} +#endif + extern struct pkcs7_message *pkcs7; #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING extern int mark_hash_blacklisted(const char *hash); diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 2b7fa85613c0..7b719aa76188 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -112,6 +112,8 @@ static int __init __integrity_init_keyring(const unsigned int id, } else { if (id == INTEGRITY_KEYRING_PLATFORM) set_platform_trusted_keys(keyring[id]); + if (id == INTEGRITY_KEYRING_MACHINE) + set_machine_trusted_keys(keyring[id]); if (id == INTEGRITY_KEYRING_IMA) load_module_cert(keyring[id]); } |