security/integrity/platform_certs/machine_keyring.c - linux - Git at Google

 // SPDX-License-Identifier: GPL-2.0
 /*
  * Machine keyring routines.
  *
  * Copyright (c) 2021, Oracle and/or its affiliates.
  */

 #include <linux/efi.h>
 #include "../integrity.h"

 static __init int machine_keyring_init(void)
 {
 	int rc;

 	rc = integrity_init_keyring(INTEGRITY_KEYRING_MACHINE);
 	if (rc)
 		return rc;

 	pr_notice("Machine keyring initialized\n");
 	return 0;
 }
 device_initcall(machine_keyring_init);

 void __init add_to_machine_keyring(const char *source, const void *data, size_t len)
 {
 	key_perm_t perm;
 	int rc;

 	perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
 	rc = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source, data, len, perm);

 	/*
 	 * Some MOKList keys may not pass the machine keyring restrictions.
 	 * If the restriction check does not pass and the platform keyring
 	 * is configured, try to add it into that keyring instead.
 	 */
 	if (rc && efi_enabled(EFI_BOOT) &&
 	    IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
 		rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
 					 data, len, perm);

 	if (rc)
 		pr_info("Error adding keys to machine keyring %s\n", source);
 }

 /*
  * Try to load the MokListTrustedRT MOK variable to see if we should trust
  * the MOK keys within the kernel. It is not an error if this variable
  * does not exist.  If it does not exist, MOK keys should not be trusted
  * within the machine keyring.
  */
 static __init bool uefi_check_trust_mok_keys(void)
 {
 	struct efi_mokvar_table_entry *mokvar_entry;

 	mokvar_entry = efi_mokvar_entry_find("MokListTrustedRT");

 	if (mokvar_entry)
 		return true;

 	return false;
 }

 static bool __init trust_moklist(void)
 {
 	static bool initialized;
 	static bool trust_mok;

 	if (!initialized) {
 		initialized = true;
 		trust_mok = false;

 		if (uefi_check_trust_mok_keys())
 			trust_mok = true;
 	}

 	return trust_mok;
 }

 /*
  * Provides platform specific check for trusting imputed keys before loading
  * on .machine keyring. UEFI systems enable this trust based on a variable,
  * and for other platforms, it is always enabled.
  */
 bool __init imputed_trust_enabled(void)
 {
 	if (efi_enabled(EFI_BOOT))
 		return trust_moklist();

 	return true;
 }
	// SPDX-License-Identifier: GPL-2.0
	/*
	* Machine keyring routines.
	*
	* Copyright (c) 2021, Oracle and/or its affiliates.
	*/

	#include <linux/efi.h>
	#include "../integrity.h"

	static __init int machine_keyring_init(void)
	{
	int rc;

	rc = integrity_init_keyring(INTEGRITY_KEYRING_MACHINE);
	if (rc)
	return rc;

	pr_notice("Machine keyring initialized\n");
	return 0;
	}
	device_initcall(machine_keyring_init);

	void __init add_to_machine_keyring(const char source, const void data, size_t len)
	{
	key_perm_t perm;
	int rc;

	perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) \| KEY_USR_VIEW;
	rc = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source, data, len, perm);

	/*
	* Some MOKList keys may not pass the machine keyring restrictions.
	* If the restriction check does not pass and the platform keyring
	* is configured, try to add it into that keyring instead.
	*/
	if (rc && efi_enabled(EFI_BOOT) &&
	IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
	rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
	data, len, perm);

	if (rc)
	pr_info("Error adding keys to machine keyring %s\n", source);
	}

	/*
	* Try to load the MokListTrustedRT MOK variable to see if we should trust
	* the MOK keys within the kernel. It is not an error if this variable
	* does not exist. If it does not exist, MOK keys should not be trusted
	* within the machine keyring.
	*/
	static __init bool uefi_check_trust_mok_keys(void)
	{
	struct efi_mokvar_table_entry *mokvar_entry;

	mokvar_entry = efi_mokvar_entry_find("MokListTrustedRT");

	if (mokvar_entry)
	return true;

	return false;
	}

	static bool __init trust_moklist(void)
	{
	static bool initialized;
	static bool trust_mok;

	if (!initialized) {
	initialized = true;
	trust_mok = false;

	if (uefi_check_trust_mok_keys())
	trust_mok = true;
	}

	return trust_mok;
	}

	/*
	* Provides platform specific check for trusting imputed keys before loading
	* on .machine keyring. UEFI systems enable this trust based on a variable,
	* and for other platforms, it is always enabled.
	*/
	bool __init imputed_trust_enabled(void)
	{
	if (efi_enabled(EFI_BOOT))
	return trust_moklist();

	return true;
	}