From: Nayna Jain <nayna@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Eric Snowberg <eric.snowberg@oracle.com>,
Paul Moore <paul@paul-moore.com>,
Nayna Jain <nayna@linux.ibm.com>,
linux-security-module@vger.kernel.org,
Mimi Zohar <zohar@linux.ibm.com>,
linux-kernel@vger.kernel.org, Jarkko Sakkinen <jarkko@kernel.org>,
linuxppc-dev <linuxppc-dev@lists.ozlabs.org>
Subject: [PATCH 4/6] integrity: check whether imputed trust is enabled
Date: Fri, 14 Jul 2023 11:34:33 -0400 [thread overview]
Message-ID: <20230714153435.28155-5-nayna@linux.ibm.com> (raw)
In-Reply-To: <20230714153435.28155-1-nayna@linux.ibm.com>
trust_moklist() is specific to UEFI enabled systems. Other platforms
rely only on the Kconfig.
Define a generic wrapper named imputed_trust_enabled().
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
security/integrity/digsig.c | 2 +-
security/integrity/integrity.h | 5 +++--
.../integrity/platform_certs/keyring_handler.c | 2 +-
.../integrity/platform_certs/machine_keyring.c | 15 ++++++++++++++-
4 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 6f31ffe23c48..48d505cacd81 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -113,7 +113,7 @@ static int __init __integrity_init_keyring(const unsigned int id,
} else {
if (id == INTEGRITY_KEYRING_PLATFORM)
set_platform_trusted_keys(keyring[id]);
- if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist())
+ if (id == INTEGRITY_KEYRING_MACHINE && imputed_trust_enabled())
set_machine_trusted_keys(keyring[id]);
if (id == INTEGRITY_KEYRING_IMA)
load_module_cert(keyring[id]);
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 7167a6e99bdc..d7553c93f5c0 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -320,13 +320,14 @@ static inline void __init add_to_platform_keyring(const char *source,
#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
-bool __init trust_moklist(void);
+bool __init imputed_trust_enabled(void);
#else
static inline void __init add_to_machine_keyring(const char *source,
const void *data, size_t len)
{
}
-static inline bool __init trust_moklist(void)
+
+static inline bool __init imputed_trust_enabled(void)
{
return false;
}
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
index 1649d047e3b8..b3e5df136e50 100644
--- a/security/integrity/platform_certs/keyring_handler.c
+++ b/security/integrity/platform_certs/keyring_handler.c
@@ -61,7 +61,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
{
if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
- if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist())
+ if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && imputed_trust_enabled())
return add_to_machine_keyring;
else
return add_to_platform_keyring;
diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
index 9482e16cb2ca..58cd72b193e6 100644
--- a/security/integrity/platform_certs/machine_keyring.c
+++ b/security/integrity/platform_certs/machine_keyring.c
@@ -60,7 +60,7 @@ static __init bool uefi_check_trust_mok_keys(void)
return false;
}
-bool __init trust_moklist(void)
+static bool __init trust_moklist(void)
{
static bool initialized;
static bool trust_mok;
@@ -75,3 +75,16 @@ bool __init trust_moklist(void)
return trust_mok;
}
+
+/*
+ * Provides platform specific check for trusting imputed keys before loading
+ * on .machine keyring. UEFI systems enable this trust based on a variable,
+ * and for other platforms, it is always enabled.
+ */
+bool __init imputed_trust_enabled(void)
+{
+ if (efi_enabled(EFI_BOOT))
+ return trust_moklist();
+
+ return true;
+}
--
2.31.1
next prev parent reply other threads:[~2023-07-14 15:39 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-14 15:34 [PATCH 0/6] Enable loading local and third party keys on PowerVM guest Nayna Jain
2023-07-14 15:34 ` [PATCH 1/6] integrity: PowerVM support for loading CA keys on machine keyring Nayna Jain
2023-08-02 22:58 ` Mimi Zohar
2023-07-14 15:34 ` [PATCH 2/6] integrity: ignore keys failing CA restrictions on non-UEFI platform Nayna Jain
2023-08-02 22:59 ` Mimi Zohar
2023-07-14 15:34 ` [PATCH 3/6] integrity: remove global variable from machine_keyring.c Nayna Jain
2023-08-02 22:58 ` Mimi Zohar
2023-07-14 15:34 ` Nayna Jain [this message]
2023-08-02 22:59 ` [PATCH 4/6] integrity: check whether imputed trust is enabled Mimi Zohar
2023-07-14 15:34 ` [PATCH 5/6] integrity: PowerVM machine keyring enablement Nayna Jain
2023-08-02 22:59 ` Mimi Zohar
2023-07-14 15:34 ` [PATCH 6/6] integrity: PowerVM support for loading third party code signing keys Nayna Jain
2023-08-02 22:58 ` [PATCH 0/6] Enable loading local and third party keys on PowerVM guest Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230714153435.28155-5-nayna@linux.ibm.com \
--to=nayna@linux.ibm.com \
--cc=eric.snowberg@oracle.com \
--cc=jarkko@kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=paul@paul-moore.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).