[PATCH RFC v2 10/12] KEYS: link system_trusted_keys to mok_trusted_keys

From: Eric Snowberg <eric.snowberg@oracle.com>
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
	zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org,
	herbert@gondor.apana.org.au, davem@davemloft.net,
	jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org,
	gregkh@linuxfoundation.org, torvalds@linux-foundation.org,
	scott.branden@broadcom.com, weiyongjun1@huawei.com,
	nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org,
	nramas@linux.microsoft.com, lszubowi@redhat.com,
	linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	James.Bottomley@HansenPartnership.com, pjones@redhat.com,
	glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC v2 10/12] KEYS: link system_trusted_keys to mok_trusted_keys
Date: Mon, 26 Jul 2021 13:13:17 -0400	[thread overview]
Message-ID: <20210726171319.3133879-11-eric.snowberg@oracle.com> (raw)
In-Reply-To: <20210726171319.3133879-1-eric.snowberg@oracle.com>

Allow the .mok keyring to be linked to either the builtin_trusted_keys
or the secondary_trusted_keys. If CONFIG_SECONDARY_TRUSTED_KEYRING is
enabled, mok keys are linked to the secondary_trusted_keys.  Otherwise
they are linked to the builtin_trusted_keys.  After the link is created,
keys contained in the .mok keyring will automatically be searched when
searching either builtin_trusted_keys or secondary_trusted_keys.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
v2: Initial version
---
 certs/system_keyring.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index dcaf74102ab2..b27ae30eaadc 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -45,6 +45,15 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring,
 				     const union key_payload *payload,
 				     struct key *restriction_key)
 {
+	/* If the secondary trusted keyring is not enabled, we may link
+	 * through to the mok keyring and the search may follow that link.
+	 */
+	if (mok_trusted_keys && type == &key_type_keyring &&
+	    dest_keyring == builtin_trusted_keys &&
+	    payload == &mok_trusted_keys->payload)
+		/* Allow the mok keyring to be added to the builtin */
+		return 0;
+
 	return restrict_link_by_signature(dest_keyring, type, payload,
 					  builtin_trusted_keys);
 }
@@ -91,6 +100,15 @@ int restrict_link_by_builtin_and_secondary_trusted(
 		/* Allow the builtin keyring to be added to the secondary */
 		return 0;
 
+	/* If we have a secondary trusted keyring, it may contain a link
+	 * through to the mok keyring and the search may follow that link.
+	 */
+	if (mok_trusted_keys && type == &key_type_keyring &&
+	    dest_keyring == secondary_trusted_keys &&
+	    payload == &mok_trusted_keys->payload)
+		/* Allow the mok keyring to be added to the secondary */
+		return 0;
+
 	return restrict_link_by_signature(dest_keyring, type, payload,
 					  secondary_trusted_keys);
 }
@@ -321,5 +339,8 @@ void __init set_platform_trusted_keys(struct key *keyring)
 void __init set_mok_trusted_keys(struct key *keyring)
 {
 	mok_trusted_keys = keyring;
+
+	if (key_link(system_trusted_keys, mok_trusted_keys) < 0)
+		panic("Can't link (mok) trusted keyrings\n");
 }
 #endif
-- 
2.18.4

