2021-08-12 02:21:10

by Eric Snowberg

Subject: [PATCH v3 04/14] integrity: add add_to_mok_keyring

Add the ability to load Machine Owner Key (MOK) keys to the mok keyring.
If the permissions do not allow the key to be added to the mok keyring,
this is not an error; add it to the platform keyring instead.

Signed-off-by: Eric Snowberg <[email protected]>
---
v1: Initial version
v3: Unmodified from v1
---
security/integrity/integrity.h | 4 ++++
.../integrity/platform_certs/mok_keyring.c | 21 +++++++++++++++++++
2 files changed, 25 insertions(+)

diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index e0e17ccba2e6..60d5c7ba05b2 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -278,9 +278,13 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
void __init add_to_platform_keyring(const char *source, const void *data,
size_t len);
+void __init add_to_mok_keyring(const char *source, const void *data, size_t len);
#else
static inline void __init add_to_platform_keyring(const char *source,
const void *data, size_t len)
{
}
+void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
+{
+}
#endif
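Review bot: the `#else` stub for add_to_mok_keyring is missing `static inline`, unlike the add_to_platform_keyring stub directly above it in the same branch. As written, every translation unit that includes integrity.h with CONFIG_INTEGRITY_PLATFORM_KEYRING disabled gets its own external definition of `void __init add_to_mok_keyring(const char *source, const void *data, size_t len) {}`, which produces duplicate-symbol link errors as soon as two such units are linked together. Suggest `static inline void __init add_to_mok_keyring(const char *source, const void *data, size_t len)` with the empty body, matching the existing stub, and checking that the real definition in mok_keyring.c is only built when the `#ifdef` branch is taken so the two never coexist.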
diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c
index fe4f2d336260..f260edac0863 100644
--- a/security/integrity/platform_certs/mok_keyring.c
+++ b/security/integrity/platform_certs/mok_keyring.c
@@ -21,6 +21,27 @@ static __init int mok_keyring_init(void)
}
device_initcall(mok_keyring_init);

+void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
+{
+ key_perm_t perm;
+ int rc;
+
+ perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
+ rc = integrity_load_cert(INTEGRITY_KEYRING_MOK, source, data, len, perm);
+
+ /*
+ * If the mok keyring restrictions prevented the cert from loading,
+ * this is not an error. Just load it into the platform keyring
+ * instead.
+ */
+ if (rc)
+ rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
+ data, len, perm);
+
+ if (rc)
+ pr_info("Error adding keys to mok keyring %s\n", source);
+}
+
/*
* Try to load the MokListTrustedRT UEFI variable to see if we should trust
* the mok keys within the kernel. It is not an error if this variable
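Review bot: the fallback `if (rc)` retries into the platform keyring on any non-zero return, but the comment only justifies that for the case where the mok keyring's restriction rejected the cert; any other failure from the first integrity_load_cert() call (a malformed certificate, for instance) also triggers the retry and is then reported against the wrong keyring. Suggest narrowing the condition to the rejection error the restriction actually returns, or at least recording the first rc with a pr_debug before retrying so the original reason is not lost. The final message `pr_info("Error adding keys to mok keyring %s\n", source);` only fires when the platform keyring load has also failed, so it should name the platform keyring and, since this is a genuine failure rather than informational output, use pr_err rather than pr_info. It would also help readers of the commit message to say why a restriction rejection is expected and not an error.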
--
2.18.4


2021-08-12 20:34:54

by Jarkko Sakkinen

Subject: Re: [PATCH v3 04/14] integrity: add add_to_mok_keyring

On Wed, Aug 11, 2021 at 10:18:45PM -0400, Eric Snowberg wrote:
> Add the ability to load Machine Owner Key (MOK) keys to the mok keyring.
> If the permissions do not allow the key to be added to the mok keyring,
> this is not an error; add it to the platform keyring instead.

Should state why it isn't an error for clarity.

/Jarkko

>
> Signed-off-by: Eric Snowberg <[email protected]>
> ---
> v1: Initial version
> v3: Unmodified from v1
> ---
> security/integrity/integrity.h | 4 ++++
> .../integrity/platform_certs/mok_keyring.c | 21 +++++++++++++++++++
> 2 files changed, 25 insertions(+)
>
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index e0e17ccba2e6..60d5c7ba05b2 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -278,9 +278,13 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
> #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> void __init add_to_platform_keyring(const char *source, const void *data,
> size_t len);
> +void __init add_to_mok_keyring(const char *source, const void *data, size_t len);
> #else
> static inline void __init add_to_platform_keyring(const char *source,
> const void *data, size_t len)
> {
> }
> +void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
> +{
> +}
> #endif
> diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c
> index fe4f2d336260..f260edac0863 100644
> --- a/security/integrity/platform_certs/mok_keyring.c
> +++ b/security/integrity/platform_certs/mok_keyring.c
> @@ -21,6 +21,27 @@ static __init int mok_keyring_init(void)
> }
> device_initcall(mok_keyring_init);
>
> +void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
> +{
> + key_perm_t perm;
> + int rc;
> +
> + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
> + rc = integrity_load_cert(INTEGRITY_KEYRING_MOK, source, data, len, perm);
> +
> + /*
> + * If the mok keyring restrictions prevented the cert from loading,
> + * this is not an error. Just load it into the platform keyring
> + * instead.
> + */
> + if (rc)
> + rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
> + data, len, perm);
> +
> + if (rc)
> + pr_info("Error adding keys to mok keyring %s\n", source);
> +}
> +
> /*
> * Try to load the MokListTrustedRT UEFI variable to see if we should trust
> * the mok keys within the kernel. It is not an error if this variable
> --
> 2.18.4
>
>

2021-08-12 23:24:10

by Eric Snowberg

Subject: Re: [PATCH v3 04/14] integrity: add add_to_mok_keyring


> On Aug 12, 2021, at 1:32 PM, Jarkko Sakkinen <[email protected]> wrote:
>
> On Wed, Aug 11, 2021 at 10:18:45PM -0400, Eric Snowberg wrote:
>> Add the ability to load Machine Owner Key (MOK) keys to the mok keyring.
>> If the permissions do not allow the key to be added to the mok keyring,
>> this is not an error; add it to the platform keyring instead.
>
> Should state why it isn't an error for clarity.

I’ll add that in the next round, thanks.