1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* |
3 | * Machine keyring routines. |
4 | * |
5 | * Copyright (c) 2021, Oracle and/or its affiliates. |
6 | */ |
7 | |
8 | #include <linux/efi.h> |
9 | #include "../integrity.h" |
10 | |
/*
 * Create the .machine keyring via the integrity subsystem and register
 * the initialisation as a device initcall.
 *
 * Return: 0 on success, otherwise the error from integrity_init_keyring().
 */
static __init int machine_keyring_init(void)
{
	int rc = integrity_init_keyring(INTEGRITY_KEYRING_MACHINE);

	/* Only announce the keyring once it actually exists. */
	if (!rc)
		pr_notice("Machine keyring initialized\n");

	return rc;
}
device_initcall(machine_keyring_init);
23 | |
/*
 * add_to_machine_keyring - load one certificate onto the .machine keyring
 * @source: human-readable origin of the key; only used in the error log
 * @data:   certificate bytes handed through to integrity_load_cert()
 * @len:    length of @data in bytes
 *
 * Keys are created with full possessor permissions minus SETATTR and with
 * view-only access for users. Some MOKList keys do not pass the .machine
 * keyring restrictions; on an EFI boot with the platform keyring built in,
 * a key the .machine keyring rejects is retried on the .platform keyring.
 * Note that the retry happens on any non-zero rc, not only a restriction
 * failure, and the log line names the machine keyring even when it was the
 * .platform retry that failed. Errors are logged, never propagated.
 */
void __init add_to_machine_keyring(const char *source, const void *data, size_t len)
{
	const key_perm_t perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
	int rc;

	rc = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source, data, len, perm);
	if (!rc)
		return;

	/*
	 * Fall back to the platform keyring for keys the .machine keyring
	 * will not take, but only on EFI boots with that keyring enabled.
	 */
	if (efi_enabled(EFI_BOOT) && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
		rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
					 data, len, perm);

	if (rc)
		pr_info("Error adding keys to machine keyring %s\n", source);
}
45 | |
/*
 * uefi_check_trust_mok_keys - should MOK keys be trusted within the kernel?
 *
 * Looks up the MokListTrustedRT entry through efi_mokvar_entry_find(). The
 * entry's mere presence is the signal; its contents are never inspected.
 * A missing entry is not an error: it means MOK keys are not to be trusted
 * within the machine keyring.
 *
 * Return: true if the entry exists, false otherwise.
 */
static __init bool uefi_check_trust_mok_keys(void)
{
	return efi_mokvar_entry_find("MokListTrustedRT") != NULL;
}
63 | |
/*
 * trust_moklist - cached result of uefi_check_trust_mok_keys()
 *
 * The firmware lookup is performed at most once; every later call returns
 * the cached answer. The two statics are unsynchronised, which is
 * presumably fine because the only caller in this file is __init code —
 * revisit if a non-__init caller is ever added.
 *
 * Return: true if MOK keys are to be trusted, false otherwise.
 */
static bool __init trust_moklist(void)
{
	static bool initialized;
	static bool trust_mok;

	if (initialized)
		return trust_mok;

	initialized = true;
	trust_mok = uefi_check_trust_mok_keys();

	return trust_mok;
}
79 | |
/*
 * imputed_trust_enabled - platform check for imputing trust to keys before
 * they are loaded onto the .machine keyring.
 *
 * On an EFI boot the answer is taken from the MokListTrustedRT lookup done
 * by trust_moklist(). On every other platform this returns true without
 * any firmware-backed opt-in, so there is no way to disable it there.
 *
 * Return: true if imputed trust is enabled on this platform.
 */
bool __init imputed_trust_enabled(void)
{
	if (!efi_enabled(EFI_BOOT))
		return true;

	return trust_moklist();
}
92 | |