| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Aug 2021 22:18:45 -0400
From: Eric Snowberg <eric.snowberg@...cle.com>
To: keyrings@...r.kernel.org, linux-integrity@...r.kernel.org,
zohar@...ux.ibm.com, dhowells@...hat.com, dwmw2@...radead.org,
herbert@...dor.apana.org.au, davem@...emloft.net,
jarkko@...nel.org, jmorris@...ei.org, serge@...lyn.com
Cc: eric.snowberg@...cle.com, keescook@...omium.org,
gregkh@...uxfoundation.org, torvalds@...ux-foundation.org,
scott.branden@...adcom.com, weiyongjun1@...wei.com,
nayna@...ux.ibm.com, ebiggers@...gle.com, ardb@...nel.org,
nramas@...ux.microsoft.com, lszubowi@...hat.com,
linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org,
linux-security-module@...r.kernel.org,
James.Bottomley@...senPartnership.com, pjones@...hat.com,
glin@...e.com, konrad.wilk@...cle.com
Subject: [PATCH v3 04/14] integrity: add add_to_mok_keyring
Add the ability to load Machine Owner Key (MOK) keys to the mok keyring.
If the permissions do not allow the key to be added to the mok keyring
this is not an error, add it to the platform keyring instead.
Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
---
v1: Initial version
v3: Unmodified from v1
---
security/integrity/integrity.h | 4 ++++
.../integrity/platform_certs/mok_keyring.c | 21 +++++++++++++++++++
2 files changed, 25 insertions(+)
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index e0e17ccba2e6..60d5c7ba05b2 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -278,9 +278,13 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
void __init add_to_platform_keyring(const char *source, const void *data,
size_t len);
+void __init add_to_mok_keyring(const char *source, const void *data, size_t len);
#else
static inline void __init add_to_platform_keyring(const char *source,
const void *data, size_t len)
{
}
+void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
+{
+}
#endif
diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c
index fe4f2d336260..f260edac0863 100644
--- a/security/integrity/platform_certs/mok_keyring.c
+++ b/security/integrity/platform_certs/mok_keyring.c
@@ -21,6 +21,27 @@ static __init int mok_keyring_init(void)
}
device_initcall(mok_keyring_init);
+void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
+{
+ key_perm_t perm;
+ int rc;
+
+ perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
+ rc = integrity_load_cert(INTEGRITY_KEYRING_MOK, source, data, len, perm);
+
+ /*
+ * If the mok keyring restrictions prevented the cert from loading,
+ * this is not an error. Just load it into the platform keyring
+ * instead.
+ */
+ if (rc)
+ rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
+ data, len, perm);
+
+ if (rc)
+ pr_info("Error adding keys to mok keyring %s\n", source);
+}
+
/*
* Try to load the MokListTrustedRT UEFI variable to see if we should trust
* the mok keys within the kernel. It is not an error if this variable
--
2.18.4
Powered by blists - more mailing lists