Set the restriction check for INTEGRITY_KEYRING_MOK keys to restrict_link_by_secondary_trusted_or_ca. This will only allow keys into the mok keyring that are either a CA or trusted by a key contained within the secondary trusted keyring. Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx> --- security/integrity/digsig.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 56800a5f1e10..07547f1a4806 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -140,6 +140,11 @@ int __init integrity_init_keyring(const unsigned int id) return -ENOMEM; restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MOK) + restriction->check = restrict_link_by_secondary_trusted_or_ca; + else + restriction->check = restrict_link_to_ima; + perm |= KEY_USR_WRITE; out: -- 2.18.4
