Nit: in the short summary mok -> MOK Otherwise LGTM. /Jarkko On Tue, 2021-11-23 at 23:41 -0500, Eric Snowberg wrote: > Currently both Secure Boot DB and Machine Owner Keys (MOK) go through > the same keyring handler (get_handler_for_db). With the addition of the > new machine keyring, the end-user may choose to trust MOK keys. > > Introduce a new keyring handler specific for MOK keys. If MOK keys are > trusted by the end-user, use the new keyring handler instead. > > Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx> > Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > --- > v1: Initial version > v3: Only change the keyring handler if the secondary is enabled > v4: Removed trust_moklist check > v5: Rename to machine keyring > v7: Unmodified from v5 > v8: Code unmodified from v7 added Mimi's Reviewed-by > --- > .../integrity/platform_certs/keyring_handler.c | 17 ++++++++++++++++- > .../integrity/platform_certs/keyring_handler.h | 5 +++++ > security/integrity/platform_certs/load_uefi.c | 4 ++-- > 3 files changed, 23 insertions(+), 3 deletions(-) > > diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c > index e9791be98fd9..4872850d081f 100644 > --- a/security/integrity/platform_certs/keyring_handler.c > +++ b/security/integrity/platform_certs/keyring_handler.c > @@ -67,7 +67,7 @@ static __init void uefi_revocation_list_x509(const char *source, > > /* > * Return the appropriate handler for particular signature list types found in > - * the UEFI db and MokListRT tables. > + * the UEFI db tables. > */ > __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) > { > @@ -76,6 +76,21 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) > return 0; > } > > +/* > + * Return the appropriate handler for particular signature list types found in > + * the MokListRT tables. > + */ > +__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) > +{ > + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { > + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING)) > + return add_to_machine_keyring; > + else > + return add_to_platform_keyring; > + } > + return 0; > +} > + > /* > * Return the appropriate handler for particular signature list types found in > * the UEFI dbx and MokListXRT tables. > diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h > index 2462bfa08fe3..284558f30411 100644 > --- a/security/integrity/platform_certs/keyring_handler.h > +++ b/security/integrity/platform_certs/keyring_handler.h > @@ -24,6 +24,11 @@ void blacklist_binary(const char *source, const void *data, size_t len); > */ > efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type); > > +/* > + * Return the handler for particular signature list types found in the mok. > + */ > +efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); > + > /* > * Return the handler for particular signature list types found in the dbx. > */ > diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c > index f290f78c3f30..c1bfd1cd7cc3 100644 > --- a/security/integrity/platform_certs/load_uefi.c > +++ b/security/integrity/platform_certs/load_uefi.c > @@ -94,7 +94,7 @@ static int __init load_moklist_certs(void) > rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)", > mokvar_entry->data, > mokvar_entry->data_size, > - get_handler_for_db); > + get_handler_for_mok); > /* All done if that worked. */ > if (!rc) > return rc; > @@ -109,7 +109,7 @@ static int __init load_moklist_certs(void) > mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); > if (mok) { > rc = parse_efi_signature_list("UEFI:MokListRT", > - mok, moksize, get_handler_for_db); > + mok, moksize, get_handler_for_mok); > kfree(mok); > if (rc) > pr_err("Couldn't parse MokListRT signatures: %d\n", rc);