| 1 | // SPDX-License-Identifier: GPL-2.0 |
|---|
| 2 | /* |
|---|
| 3 | * Machine keyring routines. |
|---|
| 4 | * |
|---|
| 5 | * Copyright (c) 2021, Oracle and/or its affiliates. |
|---|
| 6 | */ |
|---|
| 7 | |
|---|
| 8 | #include <linux/efi.h> |
|---|
| 9 | #include "../integrity.h" |
|---|
| 10 | |
|---|
| 11 | static __init int machine_keyring_init(void) |
|---|
| 12 | { |
|---|
| 13 | int rc; |
|---|
| 14 | |
|---|
| 15 | rc = integrity_init_keyring(INTEGRITY_KEYRING_MACHINE); |
|---|
| 16 | if (rc) |
|---|
| 17 | return rc; |
|---|
| 18 | |
|---|
| 19 | pr_notice("Machine keyring initialized\n" ); |
|---|
| 20 | return 0; |
|---|
| 21 | } |
|---|
| 22 | device_initcall(machine_keyring_init); |
|---|
| 23 | |
|---|
| 24 | void __init add_to_machine_keyring(const char *source, const void *data, size_t len) |
|---|
| 25 | { |
|---|
| 26 | key_perm_t perm; |
|---|
| 27 | int rc; |
|---|
| 28 | |
|---|
| 29 | perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW; |
|---|
| 30 | rc = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source, data, len, perm); |
|---|
| 31 | |
|---|
| 32 | /* |
|---|
| 33 | * Some MOKList keys may not pass the machine keyring restrictions. |
|---|
| 34 | * If the restriction check does not pass and the platform keyring |
|---|
| 35 | * is configured, try to add it into that keyring instead. |
|---|
| 36 | */ |
|---|
| 37 | if (rc && efi_enabled(EFI_BOOT) && |
|---|
| 38 | IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) |
|---|
| 39 | rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, |
|---|
| 40 | data, len, perm); |
|---|
| 41 | |
|---|
| 42 | if (rc) |
|---|
| 43 | pr_info("Error adding keys to machine keyring %s\n" , source); |
|---|
| 44 | } |
|---|
| 45 | |
|---|
| 46 | /* |
|---|
| 47 | * Try to load the MokListTrustedRT MOK variable to see if we should trust |
|---|
| 48 | * the MOK keys within the kernel. It is not an error if this variable |
|---|
| 49 | * does not exist. If it does not exist, MOK keys should not be trusted |
|---|
| 50 | * within the machine keyring. |
|---|
| 51 | */ |
|---|
| 52 | static __init bool uefi_check_trust_mok_keys(void) |
|---|
| 53 | { |
|---|
| 54 | struct efi_mokvar_table_entry *mokvar_entry; |
|---|
| 55 | |
|---|
| 56 | mokvar_entry = efi_mokvar_entry_find(name: "MokListTrustedRT" ); |
|---|
| 57 | |
|---|
| 58 | if (mokvar_entry) |
|---|
| 59 | return true; |
|---|
| 60 | |
|---|
| 61 | return false; |
|---|
| 62 | } |
|---|
| 63 | |
|---|
| 64 | static bool __init trust_moklist(void) |
|---|
| 65 | { |
|---|
| 66 | static bool initialized; |
|---|
| 67 | static bool trust_mok; |
|---|
| 68 | |
|---|
| 69 | if (!initialized) { |
|---|
| 70 | initialized = true; |
|---|
| 71 | trust_mok = false; |
|---|
| 72 | |
|---|
| 73 | if (uefi_check_trust_mok_keys()) |
|---|
| 74 | trust_mok = true; |
|---|
| 75 | } |
|---|
| 76 | |
|---|
| 77 | return trust_mok; |
|---|
| 78 | } |
|---|
| 79 | |
|---|
| 80 | /* |
|---|
| 81 | * Provides platform specific check for trusting imputed keys before loading |
|---|
| 82 | * on .machine keyring. UEFI systems enable this trust based on a variable, |
|---|
| 83 | * and for other platforms, it is always enabled. |
|---|
| 84 | */ |
|---|
| 85 | bool __init imputed_trust_enabled(void) |
|---|
| 86 | { |
|---|
| 87 | if (efi_enabled(EFI_BOOT)) |
|---|
| 88 | return trust_moklist(); |
|---|
| 89 | |
|---|
| 90 | return true; |
|---|
| 91 | } |
|---|
| 92 | |
|---|
