summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorEric Snowberg <eric.snowberg@oracle.com>2022-01-25 21:58:33 -0500
committerJarkko Sakkinen <jarkko@kernel.org>2022-03-08 13:55:52 +0200
commit74f5e30051399d60dbce4296dbfd833212df13f1 (patch)
tree76231062b60ea35b4b2cbe6cb5890b844ad54681 /security
parent847c5336d8439a3b8245b31fa127cf98a26afae8 (diff)
downloadlinux-74f5e30051399d60dbce4296dbfd833212df13f1.tar.gz
linux-74f5e30051399d60dbce4296dbfd833212df13f1.tar.bz2
linux-74f5e30051399d60dbce4296dbfd833212df13f1.zip
integrity: Trust MOK keys if MokListTrustedRT found
A new Machine Owner Key (MOK) variable called MokListTrustedRT has been introduced in shim. When this UEFI variable is set, it indicates the end-user has made the decision themselves that they wish to trust MOK keys within the Linux trust boundary. It is not an error if this variable does not exist. If it does not exist, the MOK keys should not be trusted within the kernel. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Diffstat (limited to 'security')
-rw-r--r--security/integrity/platform_certs/machine_keyring.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
index ea2ac2f9f2b5..09fd8f20c756 100644
--- a/security/integrity/platform_certs/machine_keyring.c
+++ b/security/integrity/platform_certs/machine_keyring.c
@@ -5,6 +5,7 @@
* Copyright (c) 2021, Oracle and/or its affiliates.
*/
+#include <linux/efi.h>
#include "../integrity.h"
static __init int machine_keyring_init(void)
@@ -40,3 +41,21 @@ void __init add_to_machine_keyring(const char *source, const void *data, size_t
if (rc)
pr_info("Error adding keys to machine keyring %s\n", source);
}
+
+/*
+ * Try to load the MokListTrustedRT MOK variable to see if we should trust
+ * the MOK keys within the kernel. It is not an error if this variable
+ * does not exist. If it does not exist, MOK keys should not be trusted
+ * within the machine keyring.
+ */
+static __init bool uefi_check_trust_mok_keys(void)
+{
+ struct efi_mokvar_table_entry *mokvar_entry;
+
+ mokvar_entry = efi_mokvar_entry_find("MokListTrustedRT");
+
+ if (mokvar_entry)
+ return true;
+
+ return false;
+}