From: Eric Snowberg <eric.snowberg@oracle.com>
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org,
herbert@gondor.apana.org.au, davem@davemloft.net,
jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org,
gregkh@linuxfoundation.org, torvalds@linux-foundation.org,
scott.branden@broadcom.com, weiyongjun1@huawei.com,
nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org,
nramas@linux.microsoft.com, lszubowi@redhat.com,
linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-security-module@vger.kernel.org,
James.Bottomley@HansenPartnership.com, pjones@redhat.com,
konrad.wilk@oracle.com
Subject: [PATCH v5 05/12] integrity: add new keyring handler for mok keys
Date: Tue, 7 Sep 2021 12:01:03 -0400 [thread overview]
Message-ID: <20210907160110.2699645-6-eric.snowberg@oracle.com> (raw)
In-Reply-To: <20210907160110.2699645-1-eric.snowberg@oracle.com>
Currently both Secure Boot DB and Machine Owner Keys (MOK) go through
the same keyring handler (get_handler_for_db). With the addition of the
new machine keyring, the end-user may choose to trust MOK keys.
Introduce a new keyring handler specific for MOK keys. If MOK keys are
trusted by the end-user, use the new keyring handler instead.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
v1: Initial version
v3: Only change the keyring handler if the secondary is enabled
v4: Removed trust_moklist check
v5: Rename to machine keyring
---
.../integrity/platform_certs/keyring_handler.c | 17 ++++++++++++++++-
.../integrity/platform_certs/keyring_handler.h | 5 +++++
security/integrity/platform_certs/load_uefi.c | 4 ++--
3 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
index 5604bd57c990..445d413aec74 100644
--- a/security/integrity/platform_certs/keyring_handler.c
+++ b/security/integrity/platform_certs/keyring_handler.c
@@ -66,7 +66,7 @@ static __init void uefi_revocation_list_x509(const char *source,
/*
* Return the appropriate handler for particular signature list types found in
- * the UEFI db and MokListRT tables.
+ * the UEFI db tables.
*/
__init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
{
@@ -75,6 +75,21 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
return 0;
}
+/*
+ * Return the appropriate handler for particular signature list types found in
+ * the MokListRT tables.
+ */
+__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
+{
+ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
+ if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
+ return add_to_machine_keyring;
+ else
+ return add_to_platform_keyring;
+ }
+ return 0;
+}
+
/*
* Return the appropriate handler for particular signature list types found in
* the UEFI dbx and MokListXRT tables.
diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h
index 2462bfa08fe3..284558f30411 100644
--- a/security/integrity/platform_certs/keyring_handler.h
+++ b/security/integrity/platform_certs/keyring_handler.h
@@ -24,6 +24,11 @@ void blacklist_binary(const char *source, const void *data, size_t len);
*/
efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type);
+/*
+ * Return the handler for particular signature list types found in the mok.
+ */
+efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type);
+
/*
* Return the handler for particular signature list types found in the dbx.
*/
diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index f290f78c3f30..c1bfd1cd7cc3 100644
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -94,7 +94,7 @@ static int __init load_moklist_certs(void)
rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)",
mokvar_entry->data,
mokvar_entry->data_size,
- get_handler_for_db);
+ get_handler_for_mok);
/* All done if that worked. */
if (!rc)
return rc;
@@ -109,7 +109,7 @@ static int __init load_moklist_certs(void)
mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
if (mok) {
rc = parse_efi_signature_list("UEFI:MokListRT",
- mok, moksize, get_handler_for_db);
+ mok, moksize, get_handler_for_mok);
kfree(mok);
if (rc)
pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
--
2.18.4
next prev parent reply other threads:[~2021-09-07 16:02 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-07 16:00 [PATCH v5 00/12] Enroll kernel keys thru MOK Eric Snowberg
2021-09-07 16:00 ` [PATCH v5 01/12] integrity: Introduce a Linux keyring called machine Eric Snowberg
2021-09-09 13:55 ` Jarkko Sakkinen
2021-09-09 15:19 ` Mimi Zohar
2021-09-09 17:32 ` Eric Snowberg
2021-09-07 16:01 ` [PATCH v5 02/12] integrity: Do not allow machine keyring updates following init Eric Snowberg
2021-09-09 13:43 ` Jarkko Sakkinen
2021-09-07 16:01 ` [PATCH v5 03/12] KEYS: CA link restriction Eric Snowberg
2021-09-07 16:01 ` [PATCH v5 04/12] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca Eric Snowberg
2021-09-09 13:49 ` Jarkko Sakkinen
2021-09-09 17:25 ` Mimi Zohar
2021-09-09 17:53 ` Eric Snowberg
2021-09-09 18:19 ` Mimi Zohar
2021-09-07 16:01 ` Eric Snowberg [this message]
2021-09-07 16:01 ` [PATCH v5 06/12] KEYS: add a reference to machine keyring Eric Snowberg
2021-09-07 16:01 ` [PATCH v5 07/12] KEYS: Introduce link restriction to include builtin, secondary and machine keys Eric Snowberg
2021-09-09 17:26 ` Mimi Zohar
2021-09-09 18:03 ` Eric Snowberg
2021-09-09 18:19 ` Mimi Zohar
2021-09-07 16:01 ` [PATCH v5 08/12] KEYS: integrity: change link restriction to trust the machine keyring Eric Snowberg
2021-09-09 17:27 ` Mimi Zohar
2021-09-07 16:01 ` [PATCH v5 09/12] KEYS: link secondary_trusted_keys to machine trusted keys Eric Snowberg
2021-09-07 16:01 ` [PATCH v5 10/12] integrity: store reference to machine keyring Eric Snowberg
2021-09-07 16:01 ` [PATCH v5 11/12] integrity: Trust MOK keys if MokListTrustedRT found Eric Snowberg
2021-09-07 16:01 ` [PATCH v5 12/12] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true Eric Snowberg
2021-09-09 13:58 ` Jarkko Sakkinen
2021-09-08 16:03 ` [PATCH v5 00/12] Enroll kernel keys thru MOK Jarkko Sakkinen
2021-09-08 16:49 ` Jarkko Sakkinen
2021-09-08 22:25 ` Eric Snowberg
2021-09-09 13:02 ` Mimi Zohar
2021-09-08 17:09 ` Eric Snowberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210907160110.2699645-6-eric.snowberg@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=ardb@kernel.org \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=ebiggers@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=keyrings@vger.kernel.org \
--cc=konrad.wilk@oracle.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lszubowi@redhat.com \
--cc=nayna@linux.ibm.com \
--cc=nramas@linux.microsoft.com \
--cc=pjones@redhat.com \
--cc=scott.branden@broadcom.com \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
--cc=weiyongjun1@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.