From: Nayna Jain <nayna@linux.ibm.com> To: linux-integrity@vger.kernel.org Cc: Mimi Zohar <zohar@linux.ibm.com>, Jarkko Sakkinen <jarkko@kernel.org>, Eric Snowberg <eric.snowberg@oracle.com>, Paul Moore <paul@paul-moore.com>, linuxppc-dev <linuxppc-dev@lists.ozlabs.org>, linux-security-module@vger.kernel.org, inux-kernel@vger.kernel.org, Nayna Jain <nayna@linux.ibm.com> Subject: [PATCH v4 4/6] integrity: check whether imputed trust is enabled Date: Tue, 15 Aug 2023 07:27:20 -0400 [thread overview] Message-ID: <20230815112722.1591829-5-nayna@linux.ibm.com> (raw) In-Reply-To: <20230815112722.1591829-1-nayna@linux.ibm.com> trust_moklist() is specific to UEFI enabled systems. Other platforms rely only on the Kconfig. Define a generic wrapper named imputed_trust_enabled(). Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- security/integrity/digsig.c | 2 +- security/integrity/integrity.h | 5 +++-- .../integrity/platform_certs/keyring_handler.c | 3 ++- .../integrity/platform_certs/machine_keyring.c | 18 ++++++++++++++++-- 4 files changed, 22 insertions(+), 6 deletions(-) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index d0704b1597d4..df387de29bfa 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -113,7 +113,7 @@ static int __init __integrity_init_keyring(const unsigned int id, } else { if (id == INTEGRITY_KEYRING_PLATFORM) set_platform_trusted_keys(keyring[id]); - if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist()) + if (id == INTEGRITY_KEYRING_MACHINE && imputed_trust_enabled()) set_machine_trusted_keys(keyring[id]); if (id == INTEGRITY_KEYRING_IMA) load_module_cert(keyring[id]); diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 7167a6e99bdc..d7553c93f5c0 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -320,13 +320,14 @@ static inline void __init add_to_platform_keyring(const char *source, #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING void __init add_to_machine_keyring(const char *source, const void *data, size_t len); -bool __init trust_moklist(void); +bool __init imputed_trust_enabled(void); #else static inline void __init add_to_machine_keyring(const char *source, const void *data, size_t len) { } -static inline bool __init trust_moklist(void) + +static inline bool __init imputed_trust_enabled(void) { return false; } diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 1649d047e3b8..586027b9a3f5 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -61,7 +61,8 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) { if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { - if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist()) + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && + imputed_trust_enabled()) return add_to_machine_keyring; else return add_to_platform_keyring; diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c index 9482e16cb2ca..a401640a63cd 100644 --- a/security/integrity/platform_certs/machine_keyring.c +++ b/security/integrity/platform_certs/machine_keyring.c @@ -34,7 +34,8 @@ void __init add_to_machine_keyring(const char *source, const void *data, size_t * If the restriction check does not pass and the platform keyring * is configured, try to add it into that keyring instead. */ - if (rc && efi_enabled(EFI_BOOT) && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) + if (rc && efi_enabled(EFI_BOOT) && + IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, data, len, perm); @@ -60,7 +61,7 @@ static __init bool uefi_check_trust_mok_keys(void) return false; } -bool __init trust_moklist(void) +static bool __init trust_moklist(void) { static bool initialized; static bool trust_mok; @@ -75,3 +76,16 @@ bool __init trust_moklist(void) return trust_mok; } + +/* + * Provides platform specific check for trusting imputed keys before loading + * on .machine keyring. UEFI systems enable this trust based on a variable, + * and for other platforms, it is always enabled. + */ +bool __init imputed_trust_enabled(void) +{ + if (efi_enabled(EFI_BOOT)) + return trust_moklist(); + + return true; +} -- 2.31.1
WARNING: multiple messages have this Message-ID (diff)
From: Nayna Jain <nayna@linux.ibm.com> To: linux-integrity@vger.kernel.org Cc: Eric Snowberg <eric.snowberg@oracle.com>, Paul Moore <paul@paul-moore.com>, inux-kernel@vger.kernel.org, Nayna Jain <nayna@linux.ibm.com>, linux-security-module@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>, Jarkko Sakkinen <jarkko@kernel.org>, linuxppc-dev <linuxppc-dev@lists.ozlabs.org> Subject: [PATCH v4 4/6] integrity: check whether imputed trust is enabled Date: Tue, 15 Aug 2023 07:27:20 -0400 [thread overview] Message-ID: <20230815112722.1591829-5-nayna@linux.ibm.com> (raw) In-Reply-To: <20230815112722.1591829-1-nayna@linux.ibm.com> trust_moklist() is specific to UEFI enabled systems. Other platforms rely only on the Kconfig. Define a generic wrapper named imputed_trust_enabled(). Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- security/integrity/digsig.c | 2 +- security/integrity/integrity.h | 5 +++-- .../integrity/platform_certs/keyring_handler.c | 3 ++- .../integrity/platform_certs/machine_keyring.c | 18 ++++++++++++++++-- 4 files changed, 22 insertions(+), 6 deletions(-) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index d0704b1597d4..df387de29bfa 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -113,7 +113,7 @@ static int __init __integrity_init_keyring(const unsigned int id, } else { if (id == INTEGRITY_KEYRING_PLATFORM) set_platform_trusted_keys(keyring[id]); - if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist()) + if (id == INTEGRITY_KEYRING_MACHINE && imputed_trust_enabled()) set_machine_trusted_keys(keyring[id]); if (id == INTEGRITY_KEYRING_IMA) load_module_cert(keyring[id]); diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 7167a6e99bdc..d7553c93f5c0 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -320,13 +320,14 @@ static inline void __init add_to_platform_keyring(const char *source, #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING void __init add_to_machine_keyring(const char *source, const void *data, size_t len); -bool __init trust_moklist(void); +bool __init imputed_trust_enabled(void); #else static inline void __init add_to_machine_keyring(const char *source, const void *data, size_t len) { } -static inline bool __init trust_moklist(void) + +static inline bool __init imputed_trust_enabled(void) { return false; } diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 1649d047e3b8..586027b9a3f5 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -61,7 +61,8 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) { if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { - if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist()) + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && + imputed_trust_enabled()) return add_to_machine_keyring; else return add_to_platform_keyring; diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c index 9482e16cb2ca..a401640a63cd 100644 --- a/security/integrity/platform_certs/machine_keyring.c +++ b/security/integrity/platform_certs/machine_keyring.c @@ -34,7 +34,8 @@ void __init add_to_machine_keyring(const char *source, const void *data, size_t * If the restriction check does not pass and the platform keyring * is configured, try to add it into that keyring instead. */ - if (rc && efi_enabled(EFI_BOOT) && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) + if (rc && efi_enabled(EFI_BOOT) && + IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, data, len, perm); @@ -60,7 +61,7 @@ static __init bool uefi_check_trust_mok_keys(void) return false; } -bool __init trust_moklist(void) +static bool __init trust_moklist(void) { static bool initialized; static bool trust_mok; @@ -75,3 +76,16 @@ bool __init trust_moklist(void) return trust_mok; } + +/* + * Provides platform specific check for trusting imputed keys before loading + * on .machine keyring. UEFI systems enable this trust based on a variable, + * and for other platforms, it is always enabled. + */ +bool __init imputed_trust_enabled(void) +{ + if (efi_enabled(EFI_BOOT)) + return trust_moklist(); + + return true; +} -- 2.31.1
next prev parent reply other threads:[~2023-08-15 11:46 UTC|newest] Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top 2023-08-15 11:27 [PATCH v4 0/6] Enable loading local and third party keys on PowerVM guest Nayna Jain 2023-08-15 11:27 ` Nayna Jain 2023-08-15 11:27 ` [PATCH v4 1/6] integrity: PowerVM support for loading CA keys on machine keyring Nayna Jain 2023-08-15 11:27 ` Nayna Jain 2023-08-16 14:40 ` R Nageswara Sastry 2023-08-16 14:40 ` R Nageswara Sastry 2023-08-16 20:34 ` Jarkko Sakkinen 2023-08-16 20:34 ` Jarkko Sakkinen 2023-08-15 11:27 ` [PATCH v4 2/6] integrity: ignore keys failing CA restrictions on non-UEFI platform Nayna Jain 2023-08-15 11:27 ` Nayna Jain 2023-08-16 14:41 ` R Nageswara Sastry 2023-08-16 14:41 ` R Nageswara Sastry 2023-08-15 11:27 ` [PATCH v4 3/6] integrity: remove global variable from machine_keyring.c Nayna Jain 2023-08-15 11:27 ` Nayna Jain 2023-08-16 14:41 ` R Nageswara Sastry 2023-08-16 14:41 ` R Nageswara Sastry 2023-08-15 11:27 ` Nayna Jain [this message] 2023-08-15 11:27 ` [PATCH v4 4/6] integrity: check whether imputed trust is enabled Nayna Jain 2023-08-16 14:41 ` R Nageswara Sastry 2023-08-16 14:41 ` R Nageswara Sastry 2023-08-15 11:27 ` [PATCH v4 5/6] integrity: PowerVM machine keyring enablement Nayna Jain 2023-08-15 11:27 ` Nayna Jain 2023-08-16 14:42 ` R Nageswara Sastry 2023-08-16 14:42 ` R Nageswara Sastry 2023-08-15 11:27 ` [PATCH v4 6/6] integrity: PowerVM support for loading third party code signing keys Nayna Jain 2023-08-15 11:27 ` Nayna Jain 2023-08-15 20:30 ` Mimi Zohar 2023-08-15 20:30 ` Mimi Zohar 2023-08-16 14:42 ` R Nageswara Sastry 2023-08-16 14:42 ` R Nageswara Sastry 2023-08-16 20:36 ` Jarkko Sakkinen 2023-08-16 20:36 ` Jarkko Sakkinen 2023-08-16 21:06 ` Mimi Zohar 2023-08-16 21:06 ` Mimi Zohar 2023-08-16 21:11 ` Jarkko Sakkinen 2023-08-16 21:11 ` Jarkko Sakkinen
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20230815112722.1591829-5-nayna@linux.ibm.com \ --to=nayna@linux.ibm.com \ --cc=eric.snowberg@oracle.com \ --cc=inux-kernel@vger.kernel.org \ --cc=jarkko@kernel.org \ --cc=linux-integrity@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=linuxppc-dev@lists.ozlabs.org \ --cc=paul@paul-moore.com \ --cc=zohar@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.