// SPDX-License-Identifier: GPL-2.0
/*
 * Machine keyring routines.
 *
 * Copyright (c) 2021, Oracle and/or its affiliates.
 */

#include <linux/efi.h>
#include "../integrity.h"

/*
 * Create the machine keyring during boot.
 *
 * Returns the error from integrity_init_keyring() if the keyring could not
 * be set up; otherwise logs success and returns 0.
 */
static __init int machine_keyring_init(void)
{
	int ret = integrity_init_keyring(INTEGRITY_KEYRING_MACHINE);

	if (ret)
		return ret;

	pr_notice("Machine keyring initialized\n");
	return 0;
}
device_initcall(machine_keyring_init);

/*
 * Load one certificate blob into the machine keyring.
 *
 * @source: description of where the certificate came from (log text only)
 * @data:   certificate bytes
 * @len:    number of bytes in @data
 *
 * The key is created with every possessor right except SETATTR and with
 * VIEW only for the owning user.  A certificate rejected by the machine
 * keyring's restriction is retried against the platform keyring when
 * CONFIG_INTEGRITY_PLATFORM_KEYRING is set; if that retry also fails, the
 * same "machine keyring" error line is emitted.  No status is returned to
 * the caller.
 */
void __init add_to_machine_keyring(const char *source, const void *data, size_t len)
{
	const key_perm_t key_perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
	int ret = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source, data,
				      len, key_perm);

	/*
	 * Some MOKList keys may not pass the machine keyring restrictions.
	 * If the restriction check does not pass and the platform keyring
	 * is configured, try to add it into that keyring instead.
	 */
	if (ret && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
		ret = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
					  data, len, key_perm);

	if (ret)
		pr_info("Error adding keys to machine keyring %s\n", source);
}

/*
 * Try to load the MokListTrustedRT MOK variable to see if we should trust
 * the MOK keys within the kernel. It is not an error if this variable
 * does not exist. If it does not exist, MOK keys should not be trusted
 * within the machine keyring.
 *
 * Only the presence of the variable is tested here; its contents are not
 * examined.
 */
static __init bool uefi_check_trust_mok_keys(void)
{
	return !!efi_mokvar_entry_find("MokListTrustedRT");
}