Some firmware support secure boot by embedding static keys to verify the Linux kernel during boot. However, these firmware do not expose an interface for the kernel to load firmware keys onto the ".platform" keyring, preventing the kernel from verifying the kexec kernel image signature. This patchset exports load_certificate_list() and defines a new function load_builtin_platform_cert() to load compiled in certificates onto the ".platform" keyring. Changelog: v4: * Split into two patches as per Mimi Zohar and Dimitri John Ledkov recommendation. v3: * Included Jarkko's feedback ** updated patch description to include approach. ** removed extern for function declaration in the .h file. * Included load_certificate_list() within #ifdef CONFIG_KEYS condition. v2: * Fixed the error reported by kernel test robot * Updated patch description based on Jarkko's feedback. Nayna Jain (2): certs: export load_certificate_list() to be used outside certs/ integrity: support including firmware ".platform" keys at build time certs/Makefile | 5 ++-- certs/blacklist.c | 1 - certs/common.c | 2 +- certs/common.h | 9 ------- certs/system_keyring.c | 1 - include/keys/system_keyring.h | 6 +++++ security/integrity/Kconfig | 10 +++++++ security/integrity/Makefile | 17 +++++++++++- security/integrity/digsig.c | 2 +- security/integrity/integrity.h | 6 +++++ .../integrity/platform_certs/platform_cert.S | 23 ++++++++++++++++ .../platform_certs/platform_keyring.c | 26 +++++++++++++++++++ 12 files changed, 92 insertions(+), 16 deletions(-) delete mode 100644 certs/common.h create mode 100644 security/integrity/platform_certs/platform_cert.S -- 2.27.0