diff options
author | Eric Snowberg <eric.snowberg@oracle.com> | 2022-01-25 21:58:33 -0500 |
---|---|---|
committer | Jarkko Sakkinen <jarkko@kernel.org> | 2022-03-08 13:55:52 +0200 |
commit | 74f5e30051399d60dbce4296dbfd833212df13f1 (patch) | |
tree | 76231062b60ea35b4b2cbe6cb5890b844ad54681 /security | |
parent | 847c5336d8439a3b8245b31fa127cf98a26afae8 (diff) | |
download | linux-74f5e30051399d60dbce4296dbfd833212df13f1.tar.gz linux-74f5e30051399d60dbce4296dbfd833212df13f1.tar.bz2 linux-74f5e30051399d60dbce4296dbfd833212df13f1.zip |
integrity: Trust MOK keys if MokListTrustedRT found
A new Machine Owner Key (MOK) variable called MokListTrustedRT has been
introduced in shim. When this UEFI variable is set, it indicates the
end-user has made the decision themselves that they wish to trust MOK keys
within the Linux trust boundary. It is not an error if this variable
does not exist. If it does not exist, the MOK keys should not be trusted
within the kernel.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/integrity/platform_certs/machine_keyring.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c index ea2ac2f9f2b5..09fd8f20c756 100644 --- a/security/integrity/platform_certs/machine_keyring.c +++ b/security/integrity/platform_certs/machine_keyring.c @@ -5,6 +5,7 @@ * Copyright (c) 2021, Oracle and/or its affiliates. */ +#include <linux/efi.h> #include "../integrity.h" static __init int machine_keyring_init(void) @@ -40,3 +41,21 @@ void __init add_to_machine_keyring(const char *source, const void *data, size_t if (rc) pr_info("Error adding keys to machine keyring %s\n", source); } + +/* + * Try to load the MokListTrustedRT MOK variable to see if we should trust + * the MOK keys within the kernel. It is not an error if this variable + * does not exist. If it does not exist, MOK keys should not be trusted + * within the machine keyring. + */ +static __init bool uefi_check_trust_mok_keys(void) +{ + struct efi_mokvar_table_entry *mokvar_entry; + + mokvar_entry = efi_mokvar_entry_find("MokListTrustedRT"); + + if (mokvar_entry) + return true; + + return false; +} |