Add an accessor function to see if the mok list should be trusted. Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx> --- v1: Initial version v2: Added trust_moklist function --- security/integrity/integrity.h | 5 +++++ security/integrity/platform_certs/mok_keyring.c | 16 ++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 60d5c7ba05b2..1fcefceb0da1 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -279,6 +279,7 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) void __init add_to_platform_keyring(const char *source, const void *data, size_t len); void __init add_to_mok_keyring(const char *source, const void *data, size_t len); +bool __init trust_moklist(void); #else static inline void __init add_to_platform_keyring(const char *source, const void *data, size_t len) @@ -287,4 +288,8 @@ static inline void __init add_to_platform_keyring(const char *source, void __init add_to_mok_keyring(const char *source, const void *data, size_t len) { } +static inline bool __init trust_moklist(void) +{ + return false; +} #endif diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c index f260edac0863..c7820d9136f3 100644 --- a/security/integrity/platform_certs/mok_keyring.c +++ b/security/integrity/platform_certs/mok_keyring.c @@ -8,6 +8,8 @@ #include <linux/efi.h> #include "../integrity.h" +bool trust_mok; + static __init int mok_keyring_init(void) { int rc; @@ -67,3 +69,17 @@ static __init bool uefi_check_trust_mok_keys(void) */ return (status == EFI_SUCCESS && (!(attr & EFI_VARIABLE_NON_VOLATILE))); } + +bool __init trust_moklist(void) +{ + static bool initialized; + + if (!initialized) { + initialized = true; + + if (uefi_check_trust_mok_keys()) + trust_mok = true; + } + + return trust_mok; +} -- 2.18.4