integrity: check whether imputed trust is enabled

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

trust_moklist() is specific to UEFI enabled systems. Other platforms
rely only on the Kconfig.

Define a generic wrapper named imputed_trust_enabled().

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Tested-by: Nageswara R Sastry <rnsastry@linux.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

authored by

Nayna Jain and committed by

Jarkko Sakkinen 2 years ago 4cb1ed94 7b9de406

+22 -6

4 changed files

expand all

security

integrity

digsig.c

integrity.h

platform_certs

keyring_handler.c

machine_keyring.c

+1 -1

security/integrity/digsig.c

··· 113 113 } else { 114 114 if (id == INTEGRITY_KEYRING_PLATFORM) 115 115 set_platform_trusted_keys(keyring[id]); 116 - if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist()) 116 + if (id == INTEGRITY_KEYRING_MACHINE && imputed_trust_enabled()) 117 117 set_machine_trusted_keys(keyring[id]); 118 118 if (id == INTEGRITY_KEYRING_IMA) 119 119 load_module_cert(keyring[id]);

+3 -2

security/integrity/integrity.h

··· 320 320 321 321 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING 322 322 void __init add_to_machine_keyring(const char *source, const void *data, size_t len); 323 - bool __init trust_moklist(void); 323 + bool __init imputed_trust_enabled(void); 324 324 #else 325 325 static inline void __init add_to_machine_keyring(const char *source, 326 326 const void *data, size_t len) 327 327 { 328 328 } 329 - static inline bool __init trust_moklist(void) 329 + 330 + static inline bool __init imputed_trust_enabled(void) 330 331 { 331 332 return false; 332 333 }

+2 -1

security/integrity/platform_certs/keyring_handler.c

··· 61 61 __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) 62 62 { 63 63 if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { 64 - if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist()) 64 + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && 65 + imputed_trust_enabled()) 65 66 return add_to_machine_keyring; 66 67 else 67 68 return add_to_platform_keyring;

+16 -2

security/integrity/platform_certs/machine_keyring.c

··· 34 34 * If the restriction check does not pass and the platform keyring 35 35 * is configured, try to add it into that keyring instead. 36 36 */ 37 - if (rc && efi_enabled(EFI_BOOT) && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) 37 + if (rc && efi_enabled(EFI_BOOT) && 38 + IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) 38 39 rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, 39 40 data, len, perm); 40 41 ··· 61 60 return false; 62 61 } 63 62 64 - bool __init trust_moklist(void) 63 + static bool __init trust_moklist(void) 65 64 { 66 65 static bool initialized; 67 66 static bool trust_mok; ··· 75 74 } 76 75 77 76 return trust_mok; 77 + } 78 + 79 + /* 80 + * Provides platform specific check for trusting imputed keys before loading 81 + * on .machine keyring. UEFI systems enable this trust based on a variable, 82 + * and for other platforms, it is always enabled. 83 + */ 84 + bool __init imputed_trust_enabled(void) 85 + { 86 + if (efi_enabled(EFI_BOOT)) 87 + return trust_moklist(); 88 + 89 + return true; 78 90 }