On Wed, Jan 05, 2022 at 06:50:12PM -0500, Eric Snowberg wrote:
> With the introduction of uefi_check_trust_mok_keys, it signifies the end-
> user wants to trust the machine keyring as trusted keys. If they have
> chosen to trust the machine keyring, load the qualifying keys into it
> during boot, then link it to the secondary keyring . If the user has not
> chosen to trust the machine keyring, it will be empty and not linked to
> the secondary keyring.
>
> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
> ---
> v4: Initial version
> v5: Rename to machine keyring
> v6: Unmodified from v5
> v7: Made trust_mok static
> v8: Unmodified from v7
> ---
> security/integrity/digsig.c | 2 +-
> security/integrity/integrity.h | 5 +++++
> .../integrity/platform_certs/keyring_handler.c | 2 +-
> .../integrity/platform_certs/machine_keyring.c | 16 ++++++++++++++++
> 4 files changed, 23 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index 7b719aa76188..c8c8a4a4e7a0 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -112,7 +112,7 @@ static int __init __integrity_init_keyring(const unsigned int id,
> } else {
> if (id == INTEGRITY_KEYRING_PLATFORM)
> set_platform_trusted_keys(keyring[id]);
> - if (id == INTEGRITY_KEYRING_MACHINE)
> + if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist())
> set_machine_trusted_keys(keyring[id]);
> if (id == INTEGRITY_KEYRING_IMA)
> load_module_cert(keyring[id]);
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index 730771eececd..2e214c761158 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
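Review bot: The gate `if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist())` is right but says nothing about why a machine keyring can exist yet never become a trust root, so a reader has to chase trust_moklist() to understand the branch; a one-line comment such as `/* The machine keyring only vouches for keys if the user opted in via MOK */` would save that trip. trust_moklist(), added later in this patch, latches whatever it computes on its first call, and uefi_check_trust_mok_keys() presumably reads an EFI variable, so this call site implicitly requires EFI variable services to be usable by the time __integrity_init_keyring() runs; if that ordering is guaranteed by the init sequence, it is worth stating in the same comment. The enclosing __integrity_init_keyring() starts and ends outside the hunk.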
> @@ -287,9 +287,14 @@ static inline void __init add_to_platform_keyring(const char *source,
>
> #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
> void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
> +bool __init trust_moklist(void);
> #else
> static inline void __init add_to_machine_keyring(const char *source,
> const void *data, size_t len)
> {
> }
> +static inline bool __init trust_moklist(void)
> +{
> + return false;
> +}
> #endif
> diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
> index 4872850d081f..1db4d3b4356d 100644
> --- a/security/integrity/platform_certs/keyring_handler.c
> +++ b/security/integrity/platform_certs/keyring_handler.c
> @@ -83,7 +83,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
> __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
> {
> if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
> - if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
> + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist())
> return add_to_machine_keyring;
> else
> return add_to_platform_keyring;
> diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
> index 09fd8f20c756..7aaed7950b6e 100644
> --- a/security/integrity/platform_certs/machine_keyring.c
> +++ b/security/integrity/platform_certs/machine_keyring.c
> @@ -8,6 +8,8 @@
> #include <linux/efi.h>
> #include "../integrity.h"
>
> +static bool trust_mok;
> +
> static __init int machine_keyring_init(void)
> {
> int rc;
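Review bot: The new prototype `bool __init trust_moklist(void);` carries no comment, and the `#else` stub directly below it returns false, so from the header alone a caller cannot tell whether "false" means "the user did not opt in" or "the feature is not built" — a distinction that matters because MOK certificates are then routed to the platform keyring instead. Suggest a comment above the prototype: `/* True if the end-user opted to trust MOK keys (uefi_check_trust_mok_keys()); evaluated once, the result is cached for the rest of boot. */`, and a short `/* no machine keyring configured: never trusted */` on the stub. The cached-once behaviour is taken from the trust_moklist() definition later in this patch, so keep the wording in sync if that implementation changes.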
> @@ -59,3 +61,17 @@ static __init bool uefi_check_trust_mok_keys(void)
>
> return false;
> }
> +
> +bool __init trust_moklist(void)
> +{
> + static bool initialized;
> +
> + if (!initialized) {
> + initialized = true;
> +
> + if (uefi_check_trust_mok_keys())
> + trust_mok = true;
> + }
> +
> + return trust_mok;
> +}
> --
> 2.18.4
>
Reviewed-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
Mimi, have you tested these patches already?
/Jarkko
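Review bot: trust_moklist() latches its answer on the first call (`initialized = true;` is set before the check runs), so any caller that reaches it before uefi_check_trust_mok_keys() can give a meaningful result permanently leaves the machine keyring untrusted, and nothing in the function says this one-shot behaviour is deliberate — though it is desirable, since a later change to the underlying EFI variable then cannot flip trust mid-boot. Suggest a kernel-doc header stating both points: the check is evaluated exactly once and cached, and callers must therefore be __init code running after EFI variable services are available. Since no visible hunk reads trust_mok outside this function, it could live as a function-local `static bool trust_mok;` next to `initialized`, unless a later patch in the series needs it file-wide. Both flags are plain non-atomic statics, which is fine for single-threaded __init boot but worth a sentence in that comment so nobody later calls this from a post-init path.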