integrity: Only use machine keyring when uefi_check_trust_mok_keys is true

esnowberg · jarkkojs · commit 3d6ae1a5d0c2 · 2022-03-08T13:55:52.000+02:00
With the introduction of uefi_check_trust_mok_keys, it signifies the end-
user wants to trust the machine keyring as trusted keys.  If they have
chosen to trust the machine keyring, load the qualifying keys into it
during boot, then link it to the secondary keyring .  If the user has not
chosen to trust the machine keyring, it will be empty and not linked to
the secondary keyring.

Signed-off-by: Eric Snowberg &lt;eric.snowberg@oracle.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
@@ -112,7 +112,7 @@ static int __init __integrity_init_keyring(const unsigned int id,
 	} else {
 		if (id == INTEGRITY_KEYRING_PLATFORM)
 			set_platform_trusted_keys(keyring[id]);
-		if (id == INTEGRITY_KEYRING_MACHINE)
+		if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist())
 			set_machine_trusted_keys(keyring[id]);
 		if (id == INTEGRITY_KEYRING_IMA)
 			load_module_cert(keyring[id]);
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
@@ -287,9 +287,14 @@ static inline void __init add_to_platform_keyring(const char *source,
 
 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
 void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
+bool __init trust_moklist(void);
 #else
 static inline void __init add_to_machine_keyring(const char *source,
 						  const void *data, size_t len)
 {
 }
+static inline bool __init trust_moklist(void)
+{
+	return false;
+}
 #endif
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
@@ -83,7 +83,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
 __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
 {
 	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
-		if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
+		if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist())
 			return add_to_machine_keyring;
 		else
 			return add_to_platform_keyring;
diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
@@ -8,6 +8,8 @@
 #include <linux/efi.h>
 #include "../integrity.h"
 
+static bool trust_mok;
+
 static __init int machine_keyring_init(void)
 {
 	int rc;
@@ -59,3 +61,17 @@ static __init bool uefi_check_trust_mok_keys(void)
 
 	return false;
 }
+
+bool __init trust_moklist(void)
+{
+	static bool initialized;
+
+	if (!initialized) {
+		initialized = true;
+
+		if (uefi_check_trust_mok_keys())
+			trust_mok = true;
+	}
+
+	return trust_mok;
+}

Original file line number	Diff line number	Diff line change
`@@ -287,9 +287,14 @@ static inline void __init add_to_platform_keyring(const char *source,`
`287`	`287`
`288`	`288`	`#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING`
`289`	`289`	`void __init add_to_machine_keyring(const char source, const void data, size_t len);`
	`290`	`+bool __init trust_moklist(void);`
`290`	`291`	`#else`
`291`	`292`	`static inline void __init add_to_machine_keyring(const char *source,`
`292`	`293`	`const void *data, size_t len)`
`293`	`294`	`{`
`294`	`295`	`}`
	`296`	`+static inline bool __init trust_moklist(void)`
	`297`	`+{`
	`298`	`+ return false;`
	`299`	`+}`
`295`	`300`	`#endif`
Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)`
`83`	`83`	`__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)`
`84`	`84`	`{`
`85`	`85`	`if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {`
`86`		`- if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))`
	`86`	`+ if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist())`
`87`	`87`	`return add_to_machine_keyring;`
`88`	`88`	`else`
`89`	`89`	`return add_to_platform_keyring;`