From: Eric Snowberg <eric.snowberg@oracle.com>
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org,
herbert@gondor.apana.org.au, davem@davemloft.net,
jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org,
gregkh@linuxfoundation.org, torvalds@linux-foundation.org,
scott.branden@broadcom.com, weiyongjun1@huawei.com,
nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org,
nramas@linux.microsoft.com, lszubowi@redhat.com,
linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-security-module@vger.kernel.org,
James.Bottomley@HansenPartnership.com, pjones@redhat.com,
glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH RFC 10/12] integrity: add new keyring handler
Date: Tue, 6 Jul 2021 22:44:01 -0400 [thread overview]
Message-ID: <20210707024403.1083977-11-eric.snowberg@oracle.com> (raw)
In-Reply-To: <20210707024403.1083977-1-eric.snowberg@oracle.com>
Add a new keyring handler for the mok keyring. If the Secondary trusted
keyring is enabled and the end-user trusts the MOK keys, this new
keyring handler is used.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
.../integrity/platform_certs/keyring_handler.c | 17 ++++++++++++++++-
.../integrity/platform_certs/keyring_handler.h | 5 +++++
security/integrity/platform_certs/load_uefi.c | 4 ++--
3 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
index 5604bd57c990..b6daeb1e3de5 100644
--- a/security/integrity/platform_certs/keyring_handler.c
+++ b/security/integrity/platform_certs/keyring_handler.c
@@ -66,7 +66,7 @@ static __init void uefi_revocation_list_x509(const char *source,
/*
* Return the appropriate handler for particular signature list types found in
- * the UEFI db and MokListRT tables.
+ * the UEFI db tables.
*/
__init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
{
@@ -75,6 +75,21 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
return 0;
}
+/*
+ * Return the appropriate handler for particular signature list types found in
+ * the MokListRT tables.
+ */
+__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
+{
+ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
+ if (IS_ENABLED(CONFIG_SECONDARY_TRUSTED_KEYRING) && trust_moklist())
+ return add_to_mok_keyring;
+ else
+ return add_to_platform_keyring;
+ }
+ return 0;
+}
+
/*
* Return the appropriate handler for particular signature list types found in
* the UEFI dbx and MokListXRT tables.
diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h
index 2462bfa08fe3..284558f30411 100644
--- a/security/integrity/platform_certs/keyring_handler.h
+++ b/security/integrity/platform_certs/keyring_handler.h
@@ -24,6 +24,11 @@ void blacklist_binary(const char *source, const void *data, size_t len);
*/
efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type);
+/*
+ * Return the handler for particular signature list types found in the mok.
+ */
+efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type);
+
/*
* Return the handler for particular signature list types found in the dbx.
*/
diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index 94faa4b32441..f021dd81f080 100644
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -94,7 +94,7 @@ static int __init load_moklist_certs(void)
rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)",
mokvar_entry->data,
mokvar_entry->data_size,
- get_handler_for_db);
+ get_handler_for_mok);
/* All done if that worked. */
if (!rc)
return rc;
@@ -109,7 +109,7 @@ static int __init load_moklist_certs(void)
mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
if (mok) {
rc = parse_efi_signature_list("UEFI:MokListRT",
- mok, moksize, get_handler_for_db);
+ mok, moksize, get_handler_for_mok);
kfree(mok);
if (rc)
pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
--
2.18.4
next prev parent reply other threads:[~2021-07-07 2:45 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-07 2:43 [PATCH RFC 00/12] Enroll kernel keys thru MOK Eric Snowberg
2021-07-07 2:43 ` [PATCH RFC 01/12] KEYS: Add KEY_ALLOC_BYPASS_RESTRICTION option to key_move Eric Snowberg
2021-07-07 2:43 ` [PATCH RFC 02/12] KEYS: Allow unrestricted keys to be moved to the secondary keyring Eric Snowberg
2021-07-07 2:43 ` [PATCH RFC 03/12] KEYS: CA link restriction Eric Snowberg
2021-07-07 2:43 ` [PATCH RFC 04/12] integrity: add integrity_destroy_keyring Eric Snowberg
2021-07-07 2:43 ` [PATCH RFC 05/12] integrity: Introduce mok keyring Eric Snowberg
2021-07-07 19:31 ` Linus Torvalds
2021-07-07 21:26 ` Jarkko Sakkinen
2021-07-07 22:32 ` Eric Snowberg
2021-07-07 2:43 ` [PATCH RFC 06/12] integrity: Trust mok keys if MokListTrustedRT found Eric Snowberg
2021-07-07 2:43 ` [PATCH RFC 07/12] integrity: add add_to_mok_keyring Eric Snowberg
2021-07-07 2:43 ` [PATCH RFC 08/12] integrity: restrict INTEGRITY_KEYRING_MOK to restrict_link_by_secondary_trusted_or_ca Eric Snowberg
2021-07-07 2:44 ` [PATCH RFC 09/12] integrity: accessor function to get trust_moklist Eric Snowberg
2021-07-07 2:44 ` Eric Snowberg [this message]
2021-07-07 2:44 ` [PATCH RFC 11/12] integrity: move keys from the mok keyring into the secondary keyring Eric Snowberg
2021-07-07 2:44 ` [PATCH RFC 12/12] integrity: Suppress error message for keys added to the mok keyring Eric Snowberg
2021-07-07 6:46 ` [PATCH RFC 00/12] Enroll kernel keys thru MOK Christoph Hellwig
2021-07-07 16:23 ` Eric Snowberg
2021-07-07 16:28 ` Christoph Hellwig
2021-07-07 16:45 ` Eric Snowberg
2021-07-07 12:39 ` Mimi Zohar
2021-07-07 16:28 ` Eric Snowberg
2021-07-07 17:00 ` Mimi Zohar
2021-07-07 22:10 ` Eric Snowberg
2021-07-08 13:56 ` Mimi Zohar
2021-07-08 17:59 ` Eric Snowberg
2021-07-08 19:31 ` Mimi Zohar
2021-07-08 23:17 ` Eric Snowberg
2021-07-09 1:10 ` Mimi Zohar
2021-07-09 15:59 ` Nayna
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210707024403.1083977-11-eric.snowberg@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=ardb@kernel.org \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=ebiggers@google.com \
--cc=glin@suse.com \
--cc=gregkh@linuxfoundation.org \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=keyrings@vger.kernel.org \
--cc=konrad.wilk@oracle.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lszubowi@redhat.com \
--cc=nayna@linux.ibm.com \
--cc=nramas@linux.microsoft.com \
--cc=pjones@redhat.com \
--cc=scott.branden@broadcom.com \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
--cc=weiyongjun1@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.