integrity: add new keyring handler for mok keys
Currently both Secure Boot DB and Machine Owner Keys (MOK) go through the same keyring handler (get_handler_for_db). With the addition of the new machine keyring, the end-user may choose to trust MOK keys. Introduce a new keyring handler specific for MOK keys. If MOK keys are trusted by the end-user, use the new keyring handler instead. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Tested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
This commit is contained in:
Родитель
d19967764b
Коммит
45fcd5e521
|
@ -67,7 +67,7 @@ static __init void uefi_revocation_list_x509(const char *source,
|
|||
|
||||
/*
|
||||
* Return the appropriate handler for particular signature list types found in
|
||||
* the UEFI db and MokListRT tables.
|
||||
* the UEFI db tables.
|
||||
*/
|
||||
__init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
|
||||
{
|
||||
|
@ -76,6 +76,21 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
|
|||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Return the appropriate handler for particular signature list types found in
|
||||
* the MokListRT tables.
|
||||
*/
|
||||
__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
|
||||
{
|
||||
if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
|
||||
if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
|
||||
return add_to_machine_keyring;
|
||||
else
|
||||
return add_to_platform_keyring;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Return the appropriate handler for particular signature list types found in
|
||||
* the UEFI dbx and MokListXRT tables.
|
||||
|
|
|
@ -24,6 +24,11 @@ void blacklist_binary(const char *source, const void *data, size_t len);
|
|||
*/
|
||||
efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type);
|
||||
|
||||
/*
|
||||
* Return the handler for particular signature list types found in the mok.
|
||||
*/
|
||||
efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type);
|
||||
|
||||
/*
|
||||
* Return the handler for particular signature list types found in the dbx.
|
||||
*/
|
||||
|
|
|
@ -95,7 +95,7 @@ static int __init load_moklist_certs(void)
|
|||
rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)",
|
||||
mokvar_entry->data,
|
||||
mokvar_entry->data_size,
|
||||
get_handler_for_db);
|
||||
get_handler_for_mok);
|
||||
/* All done if that worked. */
|
||||
if (!rc)
|
||||
return rc;
|
||||
|
@ -110,7 +110,7 @@ static int __init load_moklist_certs(void)
|
|||
mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
|
||||
if (mok) {
|
||||
rc = parse_efi_signature_list("UEFI:MokListRT",
|
||||
mok, moksize, get_handler_for_db);
|
||||
mok, moksize, get_handler_for_mok);
|
||||
kfree(mok);
|
||||
if (rc)
|
||||
pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
|
||||
|
|
Загрузка…
Ссылка в новой задаче