kernel/security/integrity/platform_certs/machine_keyring.c, branch linux-rolling-stable

integrity: check whether imputed trust is enabled

2023-08-17T20:12:35Z

trust_moklist() is specific to UEFI enabled systems. Other platforms rely only on the Kconfig. Define a generic wrapper named imputed_trust_enabled(). Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar Tested-by: Nageswara R Sastry Signed-off-by: Jarkko Sakkinen

integrity: remove global variable from machine_keyring.c

2023-08-17T20:12:35Z

trust_mok variable is accessed within a single function locally. Change trust_mok from global to local static variable. Signed-off-by: Nayna Jain Reviewed-and-tested-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Tested-by: Nageswara R Sastry Signed-off-by: Jarkko Sakkinen

integrity: ignore keys failing CA restrictions on non-UEFI platform

2023-08-17T20:12:35Z

On non-UEFI platforms, handle restrict_link_by_ca failures differently. Certificates which do not satisfy CA restrictions on non-UEFI platforms are ignored. Signed-off-by: Nayna Jain Reviewed-and-tested-by: Mimi Zohar Acked-by: Jarkko Sakkinen Tested-by: Nageswara R Sastry Signed-off-by: Jarkko Sakkinen

integrity: Only use machine keyring when uefi_check_trust_mok_keys is true

2022-03-08T11:55:52Z

With the introduction of uefi_check_trust_mok_keys, it signifies the end- user wants to trust the machine keyring as trusted keys. If they have chosen to trust the machine keyring, load the qualifying keys into it during boot, then link it to the secondary keyring . If the user has not chosen to trust the machine keyring, it will be empty and not linked to the secondary keyring. Signed-off-by: Eric Snowberg Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen

integrity: Trust MOK keys if MokListTrustedRT found

2022-03-08T11:55:52Z

A new Machine Owner Key (MOK) variable called MokListTrustedRT has been introduced in shim. When this UEFI variable is set, it indicates the end-user has made the decision themselves that they wish to trust MOK keys within the Linux trust boundary. It is not an error if this variable does not exist. If it does not exist, the MOK keys should not be trusted within the kernel. Signed-off-by: Eric Snowberg Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen

integrity: Introduce a Linux keyring called machine

2022-03-08T11:55:52Z

Many UEFI Linux distributions boot using shim. The UEFI shim provides what is called Machine Owner Keys (MOK). Shim uses both the UEFI Secure Boot DB and MOK keys to validate the next step in the boot chain. The MOK facility can be used to import user generated keys. These keys can be used to sign an end-users development kernel build. When Linux boots, both UEFI Secure Boot DB and MOK keys get loaded in the Linux .platform keyring. Define a new Linux keyring called machine. This keyring shall contain just MOK keys and not the remaining keys in the platform keyring. This new machine keyring will be used in follow on patches. Unlike keys in the platform keyring, keys contained in the machine keyring will be trusted within the kernel if the end-user has chosen to do so. Signed-off-by: Eric Snowberg Tested-by: Jarkko Sakkinen Tested-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen