Re: [PATCH v3 04/14] integrity: add add_to_mok_keyring

Jarkko Sakkinen <jarkko@xxxxxxxxxx> · Thu, 12 Aug 2021 22:32:45 +0300

On Wed, Aug 11, 2021 at 10:18:45PM -0400, Eric Snowberg wrote:
> Add the ability to load Machine Owner Key (MOK) keys to the mok keyring.
> If the permissions do not allow the key to be added to the mok keyring
> this is not an error, add it to the platform keyring instead.

Should state why it isn't an error for clarity.

/Jarkko

> 
> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
> ---
> v1: Initial version
> v3: Unmodified from v1
> ---
>  security/integrity/integrity.h                |  4 ++++
>  .../integrity/platform_certs/mok_keyring.c    | 21 +++++++++++++++++++
>  2 files changed, 25 insertions(+)
> 
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index e0e17ccba2e6..60d5c7ba05b2 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -278,9 +278,13 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
>  #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
>  void __init add_to_platform_keyring(const char *source, const void *data,
>  				    size_t len);
> +void __init add_to_mok_keyring(const char *source, const void *data, size_t len);
>  #else
>  static inline void __init add_to_platform_keyring(const char *source,
>  						  const void *data, size_t len)
>  {
>  }
> +void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
> +{
> +}
>  #endif
> diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c
> index fe4f2d336260..f260edac0863 100644
> --- a/security/integrity/platform_certs/mok_keyring.c
> +++ b/security/integrity/platform_certs/mok_keyring.c
> @@ -21,6 +21,27 @@ static __init int mok_keyring_init(void)
>  }
>  device_initcall(mok_keyring_init);
>  
> +void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
> +{
> +	key_perm_t perm;
> +	int rc;
> +
> +	perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
> +	rc = integrity_load_cert(INTEGRITY_KEYRING_MOK, source, data, len, perm);
> +
> +	/*
> +	 * If the mok keyring restrictions prevented the cert from loading,
> +	 * this is not an error.  Just load it into the platform keyring
> +	 * instead.
> +	 */
> +	if (rc)
> +		rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
> +					 data, len, perm);
> +
> +	if (rc)
> +		pr_info("Error adding keys to mok keyring %s\n", source);
> +}
> +
>  /*
>   * Try to load the MokListTrustedRT UEFI variable to see if we should trust
>   * the mok keys within the kernel. It is not an error if this variable
> -- 
> 2.18.4
> 
> 