linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Eric Snowberg <eric.snowberg@oracle.com>
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
	zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org,
	herbert@gondor.apana.org.au, davem@davemloft.net,
	jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org,
	gregkh@linuxfoundation.org, torvalds@linux-foundation.org,
	scott.branden@broadcom.com, weiyongjun1@huawei.com,
	nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org,
	nramas@linux.microsoft.com, lszubowi@redhat.com,
	linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	James.Bottomley@HansenPartnership.com, pjones@redhat.com,
	glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC 07/12] integrity: add add_to_mok_keyring
Date: Tue,  6 Jul 2021 22:43:58 -0400	[thread overview]
Message-ID: <20210707024403.1083977-8-eric.snowberg@oracle.com> (raw)
In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com>

Add the ability to load MOK keys to the mok keyring. If the permssions
do not allow the key to be added to the MOK keyring this is not an
error, add it to the platform keyring instead.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 security/integrity/integrity.h                |  4 ++++
 .../integrity/platform_certs/mok_keyring.c    | 21 +++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 5126c80bd0d4..68720fa6454f 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -284,6 +284,7 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
 void __init add_to_platform_keyring(const char *source, const void *data,
 				    size_t len);
 void __init destroy_mok_keyring(void);
+void __init add_to_mok_keyring(const char *source, const void *data, size_t len);
 #else
 static inline void __init add_to_platform_keyring(const char *source,
 						  const void *data, size_t len)
@@ -292,4 +293,7 @@ static inline void __init add_to_platform_keyring(const char *source,
 static inline void __init destroy_mok_keyring(void)
 {
 }
+void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
+{
+}
 #endif
diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c
index 666fa355996d..a5644a8a834c 100644
--- a/security/integrity/platform_certs/mok_keyring.c
+++ b/security/integrity/platform_certs/mok_keyring.c
@@ -28,6 +28,27 @@ void __init destroy_mok_keyring(void)
 	return integrity_destroy_keyring(INTEGRITY_KEYRING_MOK);
 }
 
+void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
+{
+	key_perm_t perm;
+	int rc;
+
+	perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
+	rc = integrity_load_cert(INTEGRITY_KEYRING_MOK, source, data, len, perm);
+
+	/*
+	 * If the mok keyring restrictions prevented the cert from loading,
+	 * this is not an error.  Just load it into the platform keyring
+	 * instead.
+	 */
+	if (rc)
+		rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
+					 data, len, perm);
+
+	if (rc)
+		pr_info("Error adding keys to mok keyring %s\n", source);
+}
+
 /*
  * Try to load the MokListTrustedRT UEFI variable to see if we should trust
  * the mok keys within the kernel. It is not an error if this variable
-- 
2.18.4


  parent reply	other threads:[~2021-07-07  2:45 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-07  2:43 [PATCH RFC 00/12] Enroll kernel keys thru MOK Eric Snowberg
2021-07-07  2:43 ` [PATCH RFC 01/12] KEYS: Add KEY_ALLOC_BYPASS_RESTRICTION option to key_move Eric Snowberg
2021-07-07  2:43 ` [PATCH RFC 02/12] KEYS: Allow unrestricted keys to be moved to the secondary keyring Eric Snowberg
2021-07-07  2:43 ` [PATCH RFC 03/12] KEYS: CA link restriction Eric Snowberg
2021-07-07  2:43 ` [PATCH RFC 04/12] integrity: add integrity_destroy_keyring Eric Snowberg
2021-07-07  2:43 ` [PATCH RFC 05/12] integrity: Introduce mok keyring Eric Snowberg
2021-07-07 19:31   ` Linus Torvalds
2021-07-07 21:26     ` Jarkko Sakkinen
2021-07-07 22:32       ` Eric Snowberg
2021-07-07  2:43 ` [PATCH RFC 06/12] integrity: Trust mok keys if MokListTrustedRT found Eric Snowberg
2021-07-07  2:43 ` Eric Snowberg [this message]
2021-07-07  2:43 ` [PATCH RFC 08/12] integrity: restrict INTEGRITY_KEYRING_MOK to restrict_link_by_secondary_trusted_or_ca Eric Snowberg
2021-07-07  2:44 ` [PATCH RFC 09/12] integrity: accessor function to get trust_moklist Eric Snowberg
2021-07-07  2:44 ` [PATCH RFC 10/12] integrity: add new keyring handler Eric Snowberg
2021-07-07  2:44 ` [PATCH RFC 11/12] integrity: move keys from the mok keyring into the secondary keyring Eric Snowberg
2021-07-07  2:44 ` [PATCH RFC 12/12] integrity: Suppress error message for keys added to the mok keyring Eric Snowberg
2021-07-07  6:46 ` [PATCH RFC 00/12] Enroll kernel keys thru MOK Christoph Hellwig
2021-07-07 16:23   ` Eric Snowberg
2021-07-07 16:28     ` Christoph Hellwig
2021-07-07 16:45       ` Eric Snowberg
2021-07-07 12:39 ` Mimi Zohar
2021-07-07 16:28   ` Eric Snowberg
2021-07-07 17:00     ` Mimi Zohar
2021-07-07 22:10       ` Eric Snowberg
2021-07-08 13:56         ` Mimi Zohar
2021-07-08 17:59           ` Eric Snowberg
2021-07-08 19:31             ` Mimi Zohar
2021-07-08 23:17               ` Eric Snowberg
2021-07-09  1:10                 ` Mimi Zohar
2021-07-09 15:59                   ` Nayna

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210707024403.1083977-8-eric.snowberg@oracle.com \
    --to=eric.snowberg@oracle.com \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=ardb@kernel.org \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=ebiggers@google.com \
    --cc=glin@suse.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=herbert@gondor.apana.org.au \
    --cc=jarkko@kernel.org \
    --cc=jmorris@namei.org \
    --cc=keescook@chromium.org \
    --cc=keyrings@vger.kernel.org \
    --cc=konrad.wilk@oracle.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=lszubowi@redhat.com \
    --cc=nayna@linux.ibm.com \
    --cc=nramas@linux.microsoft.com \
    --cc=pjones@redhat.com \
    --cc=scott.branden@broadcom.com \
    --cc=serge@hallyn.com \
    --cc=torvalds@linux-foundation.org \
    --cc=weiyongjun1@huawei.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).