Expose the .mok keyring created in integrity code by adding a reference. This makes the mok keyring accessible for keyring restrictions in the future. Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx> --- v2: Initial version v3: set_mok_trusted_keys only available when secondary is enabled --- certs/system_keyring.c | 5 +++++ include/keys/system_keyring.h | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 692365dee2bd..2baf5447b116 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -21,6 +21,7 @@ static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING static struct key *secondary_trusted_keys; +static struct key *mok_trusted_keys; #endif #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING static struct key *platform_trusted_keys; @@ -90,6 +91,10 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void return restriction; } +void __init set_mok_trusted_keys(struct key *keyring) +{ + mok_trusted_keys = keyring; +} #endif /* diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 6acd3cf13a18..4fe9cca58685 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -34,8 +34,12 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +extern void __init set_mok_trusted_keys(struct key *keyring); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +static inline void __init set_mok_trusted_keys(struct key *keyring) +{ +} #endif extern struct pkcs7_message *pkcs7; -- 2.18.4