On Wed, Jan 05, 2022 at 06:50:08PM -0500, Eric Snowberg wrote: > Expose the .machine keyring created in integrity code by adding > a reference. Store a reference to the machine keyring in > system keyring code. The system keyring code needs this to complete > the keyring link to the machine keyring. > > Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx> > --- > v2: Initial version > v3: Unmodified from v2 > v4: Removed trust_moklist check > v5: Rename to machine keyring > v8: Unmodified from v5 > v9: Combine with "add reference to machine keyring" patch > --- > certs/system_keyring.c | 9 +++++++++ > include/keys/system_keyring.h | 8 ++++++++ > security/integrity/digsig.c | 2 ++ > 3 files changed, 19 insertions(+) > > diff --git a/certs/system_keyring.c b/certs/system_keyring.c > index 692365dee2bd..08ea542c8096 100644 > --- a/certs/system_keyring.c > +++ b/certs/system_keyring.c > @@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys; > #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING > static struct key *secondary_trusted_keys; > #endif > +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING > +static struct key *machine_trusted_keys; > +#endif > #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > static struct key *platform_trusted_keys; > #endif > @@ -91,6 +94,12 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void > return restriction; > } > #endif > +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING > +void __init set_machine_trusted_keys(struct key *keyring) > +{ > + machine_trusted_keys = keyring; > +} > +#endif > > /* > * Create the trusted keyrings > diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h > index 6acd3cf13a18..98c9b10cdc17 100644 > --- a/include/keys/system_keyring.h > +++ b/include/keys/system_keyring.h > @@ -38,6 +38,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( > #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted > #endif > > +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING > +extern void __init set_machine_trusted_keys(struct key *keyring); > +#else > +static inline void __init set_machine_trusted_keys(struct key *keyring) > +{ > +} > +#endif > + > extern struct pkcs7_message *pkcs7; > #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING > extern int mark_hash_blacklisted(const char *hash); > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c > index 2b7fa85613c0..7b719aa76188 100644 > --- a/security/integrity/digsig.c > +++ b/security/integrity/digsig.c > @@ -112,6 +112,8 @@ static int __init __integrity_init_keyring(const unsigned int id, > } else { > if (id == INTEGRITY_KEYRING_PLATFORM) > set_platform_trusted_keys(keyring[id]); > + if (id == INTEGRITY_KEYRING_MACHINE) > + set_machine_trusted_keys(keyring[id]); > if (id == INTEGRITY_KEYRING_IMA) > load_module_cert(keyring[id]); > } > -- > 2.18.4 > Reviewed-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx> BR, Jarkko