From: Darren Kenny <darren.kenny@oracle.com>
To: Eric Snowberg <eric.snowberg@oracle.com>,
keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org,
herbert@gondor.apana.org.au, davem@davemloft.net,
jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org,
torvalds@linux-foundation.org, weiyongjun1@huawei.com,
nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org,
nramas@linux.microsoft.com, lszubowi@redhat.com, jason@zx2c4.com,
linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org,
James.Bottomley@HansenPartnership.com, pjones@redhat.com,
konrad.wilk@oracle.com
Subject: Re: [PATCH v8 17/17] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true
Date: Mon, 14 Feb 2022 12:37:01 +0000 [thread overview]
Message-ID: <m27d9xtyj6.fsf@oracle.com> (raw)
In-Reply-To: <20211124044124.998170-18-eric.snowberg@oracle.com>
On Tuesday, 2021-11-23 at 23:41:24 -05, Eric Snowberg wrote:
> With the introduction of uefi_check_trust_mok_keys, it signifies the end-
> user wants to trust the machine keyring as trusted keys. If they have
> chosen to trust the machine keyring, load the qualifying keys into it
> during boot, then link it to the secondary keyring . If the user has not
> chosen to trust the machine keyring, it will be empty and not linked to
> the secondary keyring.
>
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
> ---
> v4: Initial version
> v5: Rename to machine keyring
> v6: Unmodified from v5
> v7: Made trust_mok static
> v8: Unmodified from v7
> ---
> security/integrity/digsig.c | 2 +-
> security/integrity/integrity.h | 5 +++++
> .../integrity/platform_certs/keyring_handler.c | 2 +-
> .../integrity/platform_certs/machine_keyring.c | 16 ++++++++++++++++
> 4 files changed, 23 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index 109b58840d45..1de09c7b5f93 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -116,7 +116,7 @@ static int __init __integrity_init_keyring(const unsigned int id,
> } else {
> if (id == INTEGRITY_KEYRING_PLATFORM)
> set_platform_trusted_keys(keyring[id]);
> - if (id == INTEGRITY_KEYRING_MACHINE)
> + if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist())
> set_machine_trusted_keys(keyring[id]);
> if (id == INTEGRITY_KEYRING_IMA)
> load_module_cert(keyring[id]);
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index 730771eececd..2e214c761158 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -287,9 +287,14 @@ static inline void __init add_to_platform_keyring(const char *source,
>
> #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
> void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
> +bool __init trust_moklist(void);
> #else
> static inline void __init add_to_machine_keyring(const char *source,
> const void *data, size_t len)
> {
> }
> +static inline bool __init trust_moklist(void)
> +{
> + return false;
> +}
> #endif
> diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
> index 4872850d081f..1db4d3b4356d 100644
> --- a/security/integrity/platform_certs/keyring_handler.c
> +++ b/security/integrity/platform_certs/keyring_handler.c
> @@ -83,7 +83,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
> __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
> {
> if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
> - if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
> + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist())
> return add_to_machine_keyring;
> else
> return add_to_platform_keyring;
> diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
> index 09fd8f20c756..7aaed7950b6e 100644
> --- a/security/integrity/platform_certs/machine_keyring.c
> +++ b/security/integrity/platform_certs/machine_keyring.c
> @@ -8,6 +8,8 @@
> #include <linux/efi.h>
> #include "../integrity.h"
>
> +static bool trust_mok;
> +
> static __init int machine_keyring_init(void)
> {
> int rc;
> @@ -59,3 +61,17 @@ static __init bool uefi_check_trust_mok_keys(void)
>
> return false;
> }
> +
> +bool __init trust_moklist(void)
> +{
> + static bool initialized;
> +
> + if (!initialized) {
> + initialized = true;
> +
> + if (uefi_check_trust_mok_keys())
> + trust_mok = true;
> + }
> +
> + return trust_mok;
> +}
> --
> 2.18.4
next prev parent reply other threads:[~2022-02-14 12:38 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-24 4:41 [PATCH v8 00/17] Enroll kernel keys thru MOK Eric Snowberg
2021-11-24 4:41 ` [PATCH v8 01/17] KEYS: Create static version of public_key_verify_signature Eric Snowberg
2021-11-24 4:41 ` [PATCH v8 02/17] integrity: Fix warning about missing prototypes Eric Snowberg
2021-11-24 4:41 ` [PATCH v8 03/17] integrity: Introduce a Linux keyring called machine Eric Snowberg
2021-11-25 2:49 ` Mimi Zohar
2021-11-29 22:50 ` Eric Snowberg
2021-11-27 0:39 ` Jarkko Sakkinen
2021-11-24 4:41 ` [PATCH v8 04/17] integrity: Do not allow machine keyring updates following init Eric Snowberg
2021-11-27 0:42 ` Jarkko Sakkinen
2021-11-24 4:41 ` [PATCH v8 05/17] X.509: Parse Basic Constraints for CA Eric Snowberg
2021-11-27 0:43 ` Jarkko Sakkinen
2021-11-24 4:41 ` [PATCH v8 06/17] KEYS: CA link restriction Eric Snowberg
2021-11-27 0:44 ` Jarkko Sakkinen
2021-11-24 4:41 ` [PATCH v8 07/17] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca Eric Snowberg
2022-02-14 12:42 ` Darren Kenny
2021-11-24 4:41 ` [PATCH v8 08/17] integrity: add new keyring handler for mok keys Eric Snowberg
2021-11-27 0:46 ` Jarkko Sakkinen
2021-11-24 4:41 ` [PATCH v8 09/17] KEYS: Rename get_builtin_and_secondary_restriction Eric Snowberg
2021-11-27 0:49 ` Jarkko Sakkinen
2021-11-30 17:21 ` Eric Snowberg
2021-12-01 10:27 ` Jarkko Sakkinen
2021-12-01 13:46 ` Mimi Zohar
2021-12-04 17:39 ` Jarkko Sakkinen
2021-12-15 18:14 ` Eric Snowberg
2021-12-15 19:54 ` Mimi Zohar
2021-11-24 4:41 ` [PATCH v8 10/17] KEYS: add a reference to machine keyring Eric Snowberg
2022-02-14 12:18 ` Darren Kenny
2021-11-24 4:41 ` [PATCH v8 11/17] KEYS: Introduce link restriction for machine keys Eric Snowberg
2022-02-14 12:23 ` Darren Kenny
2021-11-24 4:41 ` [PATCH v8 12/17] KEYS: integrity: change link restriction to trust the machine keyring Eric Snowberg
2021-11-24 4:41 ` [PATCH v8 13/17] integrity: store reference to " Eric Snowberg
2022-02-14 12:27 ` Darren Kenny
2021-11-24 4:41 ` [PATCH v8 14/17] KEYS: link machine trusted keys to secondary_trusted_keys Eric Snowberg
2022-02-14 12:28 ` Darren Kenny
2021-11-24 4:41 ` [PATCH v8 15/17] efi/mokvar: move up init order Eric Snowberg
2022-02-14 12:29 ` Darren Kenny
2021-11-24 4:41 ` [PATCH v8 16/17] integrity: Trust MOK keys if MokListTrustedRT found Eric Snowberg
2022-02-14 12:31 ` Darren Kenny
2022-11-10 0:01 ` Morten Linderud
2022-11-10 0:54 ` Eric Snowberg
2022-11-10 15:06 ` Morten Linderud
2022-11-10 15:27 ` James Bottomley
2022-11-10 15:30 ` Ard Biesheuvel
2022-11-10 7:42 ` Ard Biesheuvel
2022-11-10 14:27 ` Morten Linderud
2022-11-10 14:15 ` James Bottomley
2021-11-24 4:41 ` [PATCH v8 17/17] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true Eric Snowberg
2022-02-14 12:37 ` Darren Kenny [this message]
2022-02-20 23:23 ` [PATCH v8 00/17] Enroll kernel keys thru MOK Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m27d9xtyj6.fsf@oracle.com \
--to=darren.kenny@oracle.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=ardb@kernel.org \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=ebiggers@google.com \
--cc=eric.snowberg@oracle.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jason@zx2c4.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=keyrings@vger.kernel.org \
--cc=konrad.wilk@oracle.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lszubowi@redhat.com \
--cc=nayna@linux.ibm.com \
--cc=nramas@linux.microsoft.com \
--cc=pjones@redhat.com \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
--cc=weiyongjun1@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.