1 // SPDX-License-Identifier: GPL-2.0
3 * Machine keyring routines.
5 * Copyright (c) 2021, Oracle and/or its affiliates.
9 #include "../integrity.h"
11 static __init int machine_keyring_init(void)
15 rc = integrity_init_keyring(INTEGRITY_KEYRING_MACHINE);
19 pr_notice("Machine keyring initialized\n");
22 device_initcall(machine_keyring_init);
24 void __init add_to_machine_keyring(const char *source, const void *data, size_t len)
29 perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
30 rc = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source, data, len, perm);
33 * Some MOKList keys may not pass the machine keyring restrictions.
34 * If the restriction check does not pass and the platform keyring
35 * is configured, try to add it into that keyring instead.
37 if (rc && efi_enabled(EFI_BOOT) &&
38 IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
39 rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
43 pr_info("Error adding keys to machine keyring %s\n", source);
47 * Try to load the MokListTrustedRT MOK variable to see if we should trust
48 * the MOK keys within the kernel. It is not an error if this variable
49 * does not exist. If it does not exist, MOK keys should not be trusted
50 * within the machine keyring.
52 static __init bool uefi_check_trust_mok_keys(void)
54 struct efi_mokvar_table_entry *mokvar_entry;
56 mokvar_entry = efi_mokvar_entry_find("MokListTrustedRT");
64 static bool __init trust_moklist(void)
66 static bool initialized;
67 static bool trust_mok;
73 if (uefi_check_trust_mok_keys())
81 * Provides platform specific check for trusting imputed keys before loading
82 * on .machine keyring. UEFI systems enable this trust based on a variable,
83 * and for other platforms, it is always enabled.
85 bool __init imputed_trust_enabled(void)
87 if (efi_enabled(EFI_BOOT))
88 return trust_moklist();