Introduce a new link restriction that includes the trusted builtin, secondary and mok keys. The restriction is based on the key to be added being vouched for by a key in any of these three keyrings.
Suggested-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
---
v3: Initial version
---
 certs/system_keyring.c | 23 +++++++++++++++++++++++
 include/keys/system_keyring.h | 6 ++++++
 2 files changed, 29 insertions(+)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 2baf5447b116..cb773e09ea67 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -74,6 +74,29 @@ int restrict_link_by_builtin_and_secondary_trusted(
 secondary_trusted_keys);
 }
 
+/**
+ * restrict_link_by_builtin_secondary_and_ca_trusted
+ *
+ * Restrict the addition of keys into a keyring based on the key-to-be-added
+ * being vouched for by a key in either the built-in, the secondary, or
+ * the mok keyrings.
+ */
+int restrict_link_by_builtin_secondary_and_ca_trusted(
+ struct key *dest_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *restrict_key)
+{
+ if (mok_trusted_keys && type == &key_type_keyring &&
+ dest_keyring == secondary_trusted_keys &&
+ payload == &mok_trusted_keys->payload)
+ /* Allow the mok keyring to be added to the secondary */
+ return 0;
+
+ return restrict_link_by_builtin_and_secondary_trusted(dest_keyring, type,
+ payload, restrict_key);
+}
+
 /**
  * Allocate a struct key_restriction for the "builtin and secondary trust"
  * keyring. Only for use in system_trusted_keyring_init().
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 4fe9cca58685..c9fcbfada567 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
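Review bot: The kernel-doc above restrict_link_by_builtin_secondary_and_ca_trusted promises that keys vouched for by a mok key are accepted, but the body never consults mok_trusted_keys for any signature check: the only mok-specific path is the early `return 0` that lets the mok keyring object itself be linked under secondary_trusted_keys, after which everything is delegated to restrict_link_by_builtin_and_secondary_trusted. Whether a mok-signed key is then accepted depends on the secondary keyring's lookup descending into the nested mok keyring, which this hunk does not show, so the comment should say the trust is indirect, e.g. `/* Mok keys vouch only indirectly: once the mok keyring is linked below secondary, the builtin+secondary check searches it. */`. If that is the mechanism, anything later linked into the mok keyring is also reachable from secondary without passing this restriction, which is worth stating next to the early return because it makes the mok keyring's own link restriction part of the secondary keyring's trust boundary. The function name says ca_trusted while the comment and the commit message say mok; one of them should change, and the header should take kernel-doc form with `@dest_keyring:`, `@type:`, `@payload:` and `@restrict_key:` entries plus a `Return:` line.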
@@ -34,9 +34,15 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
 const struct key_type *type,
 const union key_payload *payload,
 struct key *restriction_key);
+extern int restrict_link_by_builtin_secondary_and_ca_trusted(
+ struct key *dest_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *restrict_key);
 extern void __init set_mok_trusted_keys(struct key *keyring);
 #else
 #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
+#define restrict_link_by_builtin_secondary_and_ca_trusted restrict_link_by_builtin_trusted
 static inline void __init set_mok_trusted_keys(struct key *keyring)
 {
 }
-- 
2.18.4
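Review bot: The new prototype names its last parameter `restrict_key` while the existing restrict_link_by_builtin_and_secondary_trusted prototype directly above it uses `restriction_key` for the same role; one spelling across the header keeps the two declarations reading as the parallel API they are. The `#else` fallback to restrict_link_by_builtin_trusted mirrors the existing secondary fallback, which is consistent, but since set_mok_trusted_keys is an empty inline in that branch a one-line comment such as `/* no secondary keyring: mok keys are never registered, builtin-only */` would make it explicit that the mok whitelist on the .c side is deliberately absent in that configuration rather than forgotten.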