From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mimi Zohar Date: Tue, 08 Jan 2019 15:18:00 +0000 Subject: Re: [RFC PATCH 1/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys Message-Id: <1546960680.19931.114.camel@linux.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset="maccentraleurope" Content-Transfer-Encoding: base64 List-Id: References: <20190108081247.2266-1-kasong@redhat.com> <20190108081247.2266-2-kasong@redhat.com> In-Reply-To: <20190108081247.2266-2-kasong@redhat.com> To: Kairui Song , linux-kernel@vger.kernel.org Cc: dhowells@redhat.com, dwmw2@infradead.org, jwboyer@fedoraproject.org, keyrings@vger.kernel.org, jmorris@namei.org, serge@hallyn.com, bauerman@linux.ibm.com, ebiggers@google.com, nayna@linux.ibm.com, dyoung@redhat.com, linux-security-module , linux-integrity W0NjJ2luZyB0aGUgTFNNIGFuZCBpbnRlZ3JpdHkgbWFpbGluZyBsaXN0c10KClJlcGVhdGluZyBt eSBjb21tZW50IG9uIFBBVENIIDAvMSBoZXJlIHdpdGggdGhlIGV4cGFuZGVkIHNldCBvZgptYWls aW5nIGxpc3RzLgoKVGhlIGJ1aWx0aW4gYW5kIHNlY29uZGFyeSBrZXlyaW5ncyBoYXZlIGEgc2ln bmF0dXJlIGNoYW5nZSBvZiB0cnVzdApyb290ZWQgaW4gdGhlIHNpZ25lZCBrZXJuZWwgaW1hZ2Uu wqDCoEFkZGluZyB0aGUgcHJlLWJvb3Qga2V5cyB0byB0aGUKc2Vjb25kYXJ5IGtleXJpbmcgYnJl YWtzIHRoYXQgc2lnbmF0dXJlIGNoYWluIG9mIHRydXN0LgoKUGxlYXNlIGRvIE5PVCBhZGQgdGhl IHByZS1ib290ICJwbGF0Zm9ybSIga2V5cyB0byB0aGUgc2Vjb25kYXJ5CmtleXJpbmcuCgpNaW1p CgoKT24gVHVlLCAyMDE5LTAxLTA4IGF0IDE2OjEyICswODAwLCBLYWlydWkgU29uZyB3cm90ZToK PiBDdXJyZW50bHkga2V4ZWMgbWF5IG5lZWQgdG8gdmVyaWZ5IHRoZSBrZXJuZSBpbWFnZSwgYW5k IHRoZSBrZXJuZWwgaW1hZ2UKPiBjb3VsZCBiZSBzaWduZWQgd2l0aCB0aGlyZCBwYXJ0IGtleXMg d2hpY2ggYXJlIHByb3ZpZGVkIGJ5IHBhbHRmb3JtIG9yCj4gZmlybXdhcmUgKGVnLiBzdG9yZWQg aW4gTW9rTGlzdFJUIEVGSSB2YXJpYWJsZSkuIEFuZCB0aGUgc2FtZSB0aW1lLAo+IGtleGVjX2Zp bGVfbG9hZCB3aWxsIG9ubHkgdmVyaWZ5IHRoZSBpbWFnZSBhZ2FpbnMgLmJ1aWx0aW5fdHJ1c3Rl ZF9rZXlzCj4gb3IgLnNlY29uZGFyeV90cnVzdGVkX2tleXMgYWNjb3JkaW5nIHRvIGNvbmZpZ3Vy YXRpb24sIGJ1dCB0aGVyZSBpcyBubwo+IHdheSBmb3Iga2V4ZWNfZmlsZV9sb2FkIHRvIHZlcmlm eSB0aGUgaW1hZ2UgYWdhaW5zdCBhbnkgdGhpcmQgcGFydCBrZXlzCj4gbWVudGlvbmVkIGFib3Zl Lgo+IAo+IEluIGVhOTMxMDJmMzIyNCAoJ2ludGVncml0eTogRGVmaW5lIGEgdHJ1c3RlZCBwbGF0 Zm9ybSBrZXlyaW5nJykgYQo+IC5wbGF0Zm9ybSBrZXlyaW5nIGlzIGludHJvZHVjZWQgdG8gc3Rv cmUgdGhlIGtleXMgcHJvdmlkZWQgYnkgcGxhdGZvcm0KPiBvciBmaXJtd2FyZS4gQW5kIHdpdGgg YSBmZXcgZm9sbG93aW5nIGNvbW1pdHMgaW5jbHVkaW5nIDE1ZWEwZTFlM2UxODUKPiAoJ2VmaTog SW1wb3J0IGNlcnRpZmljYXRlcyBmcm9tIFVFRkkgU2VjdXJlIEJvb3QnKSwgbm93IGtleXMgcmVx dWlyZWQgdG8KPiB2ZXJpZnkgdGhlIGltYWdlIGlzIGJlaW5nIGltcG9ydGVkIHRvIC5wYWx0Zm9y bSBrZXlyaW5nLCBhbmQgbGF0ZXIKPiBJTUEtYXBwcmFpc2FsIGNvdWxkIGFjY2VzcyB0aGUga2V5 cmluZyBhbmQgdmVyaWZ5IHRoZSBpbWFnZS4KPiAKPiBUaGlzIHBhdGNoIGxpbmtzIHRoZSAucGxh dGZvcm0ga2V5cmluZyB0byAuc2Vjb25kYXJ5X3RydXN0ZWRfa2V5cyBzbwo+IGtleGVjX2ZpbGVf bG9hZCBjb3VsZCBhbHNvIGxldmVyYWdlIHRoZSAucGxhdGZvcm0ga2V5cmluZyB0byB2ZXJpZnkg dGhlCj4ga2VybmVsIGltYWdlLgo+IAo+IFNpZ25lZC1vZmYtYnk6IEthaXJ1aSBTb25nIDxrYXNv bmdAcmVkaGF0LmNvbT4KPiAtLS0KPiAgY2VydHMvc3lzdGVtX2tleXJpbmcuYyAgICAgICAgICB8 IDMwICsrKysrKysrKysrKysrKysrKysrKysrKysrKysrKwo+ICBpbmNsdWRlL2tleXMvcGxhdGZv cm1fa2V5cmluZy5oIHwgMTIgKysrKysrKysrKysrCj4gIHNlY3VyaXR5L2ludGVncml0eS9kaWdz aWcuYyAgICAgfCAgNyArKysrKysrCj4gIDMgZmlsZXMgY2hhbmdlZCwgNDkgaW5zZXJ0aW9ucygr KQo+ICBjcmVhdGUgbW9kZSAxMDA2NDQgaW5jbHVkZS9rZXlzL3BsYXRmb3JtX2tleXJpbmcuaAo+ IAo+IGRpZmYgLS1naXQgYS9jZXJ0cy9zeXN0ZW1fa2V5cmluZy5jIGIvY2VydHMvc3lzdGVtX2tl eXJpbmcuYwo+IGluZGV4IDgxNzI4NzE3NTIzZC4uZGNlZjAyNTllMTQ5IDEwMDY0NAo+IC0tLSBh L2NlcnRzL3N5c3RlbV9rZXlyaW5nLmMKPiArKysgYi9jZXJ0cy9zeXN0ZW1fa2V5cmluZy5jCj4g QEAgLTE4LDEyICsxOCwxNCBAQAo+ICAjaW5jbHVkZSA8bGludXgvdmVyaWZpY2F0aW9uLmg+Cj4g ICNpbmNsdWRlIDxrZXlzL2FzeW1tZXRyaWMtdHlwZS5oPgo+ICAjaW5jbHVkZSA8a2V5cy9zeXN0 ZW1fa2V5cmluZy5oPgo+ICsjaW5jbHVkZSA8a2V5cy9wbGF0Zm9ybV9rZXlyaW5nLmg+Cj4gICNp bmNsdWRlIDxjcnlwdG8vcGtjczcuaD4KPiAgCj4gIHN0YXRpYyBzdHJ1Y3Qga2V5ICpidWlsdGlu X3RydXN0ZWRfa2V5czsKPiAgI2lmZGVmIENPTkZJR19TRUNPTkRBUllfVFJVU1RFRF9LRVlSSU5H Cj4gIHN0YXRpYyBzdHJ1Y3Qga2V5ICpzZWNvbmRhcnlfdHJ1c3RlZF9rZXlzOwo+ICAjZW5kaWYK PiArc3RhdGljIHN0cnVjdCBrZXkgKnBsYXRmb3JtX2tleXMgPSBOVUxMOwo+ICAKPiAgZXh0ZXJu IF9faW5pdGNvbnN0IGNvbnN0IHU4IHN5c3RlbV9jZXJ0aWZpY2F0ZV9saXN0W107Cj4gIGV4dGVy biBfX2luaXRjb25zdCBjb25zdCB1bnNpZ25lZCBsb25nIHN5c3RlbV9jZXJ0aWZpY2F0ZV9saXN0 X3NpemU7Cj4gQEAgLTY3LDYgKzY5LDEyIEBAIGludCByZXN0cmljdF9saW5rX2J5X2J1aWx0aW5f YW5kX3NlY29uZGFyeV90cnVzdGVkKAo+ICAJCS8qIEFsbG93IHRoZSBidWlsdGluIGtleXJpbmcg dG8gYmUgYWRkZWQgdG8gdGhlIHNlY29uZGFyeSAqLwo+ICAJCXJldHVybiAwOwo+ICAKPiArCWlm ICh0eXBlID0gJmtleV90eXBlX2tleXJpbmcgJiYKPiArCSAgICBkZXN0X2tleXJpbmcgPSBzZWNv bmRhcnlfdHJ1c3RlZF9rZXlzICYmCj4gKwkgICAgcGF5bG9hZCA9ICZwbGF0Zm9ybV9rZXlzLT5w YXlsb2FkKQo+ICsJCS8qIEFsbG93IHRoZSBwbGF0Zm9ybSBrZXlyaW5nIHRvIGJlIGFkZGVkIHRv IHRoZSBzZWNvbmRhcnkgKi8KPiArCQlyZXR1cm4gMDsKPiArCj4gIAlyZXR1cm4gcmVzdHJpY3Rf bGlua19ieV9zaWduYXR1cmUoZGVzdF9rZXlyaW5nLCB0eXBlLCBwYXlsb2FkLAo+ICAJCQkJCSAg c2Vjb25kYXJ5X3RydXN0ZWRfa2V5cyk7Cj4gIH0KPiBAQCAtMTg4LDYgKzE5NiwyOCBAQCBzdGF0 aWMgX19pbml0IGludCBsb2FkX3N5c3RlbV9jZXJ0aWZpY2F0ZV9saXN0KHZvaWQpCj4gIH0KPiAg bGF0ZV9pbml0Y2FsbChsb2FkX3N5c3RlbV9jZXJ0aWZpY2F0ZV9saXN0KTsKPiAgCj4gKyNpZiBk ZWZpbmVkKENPTkZJR19JTlRFR1JJVFlfUExBVEZPUk1fS0VZUklORykgJiYgZGVmaW5lZChDT05G SUdfU0VDT05EQVJZX1RSVVNURURfS0VZUklORykKPiArCj4gKy8qCj4gKyAqIExpbmsgLnBsYXRm b3JtIGtleXJpbmcgdG8gLnNlY29uZGFyeV90cnVzdGVkX2tleSBrZXlyaW5nCj4gKyAqLwo+ICtz dGF0aWMgX19pbml0IGludCBsb2FkX3BsYXRmb3JtX2NlcnRpZmljYXRlX2xpc3Qodm9pZCkKPiAr ewo+ICsJaW50IHJldCA9IDA7Cj4gKwlwbGF0Zm9ybV9rZXlzID0gaW50ZWdyaXR5X2dldF9wbGF0 Zm9ybV9rZXlyaW5nKCk7Cj4gKwlpZiAoIXBsYXRmb3JtX2tleXMpIHsKPiArCQlyZXR1cm4gMDsK PiArCX0KPiArCXJldCA9IGtleV9saW5rKHNlY29uZGFyeV90cnVzdGVkX2tleXMsIHBsYXRmb3Jt X2tleXMpOwo+ICsJaWYgKHJldCA8IDApIHsKPiArCQlwcl9lcnIoIkZhaWxlZCB0byBsaW5rIHBs YXRmb3JtIGtleXJpbmc6ICVkIiwgcmV0KTsKPiArCX0KPiArCXJldHVybiAwOwo+ICt9Cj4gK2xh dGVfaW5pdGNhbGwobG9hZF9wbGF0Zm9ybV9jZXJ0aWZpY2F0ZV9saXN0KTsKPiArCj4gKyNlbmRp Zgo+ICsKPiAgI2lmZGVmIENPTkZJR19TWVNURU1fREFUQV9WRVJJRklDQVRJT04KPiAgCj4gIC8q Kgo+IGRpZmYgLS1naXQgYS9pbmNsdWRlL2tleXMvcGxhdGZvcm1fa2V5cmluZy5oIGIvaW5jbHVk ZS9rZXlzL3BsYXRmb3JtX2tleXJpbmcuaAo+IG5ldyBmaWxlIG1vZGUgMTAwNjQ0Cj4gaW5kZXgg MDAwMDAwMDAwMDAwLi40ZjkyZWQ2YzBiNDIKPiAtLS0gL2Rldi9udWxsCj4gKysrIGIvaW5jbHVk ZS9rZXlzL3BsYXRmb3JtX2tleXJpbmcuaAo+IEBAIC0wLDAgKzEsMTIgQEAKPiArI2lmbmRlZiBf S0VZU19QTEFURk9STV9LRVlSSU5HX0gKPiArI2RlZmluZSBfS0VZU19QTEFURk9STV9LRVlSSU5H X0gKPiArCj4gKyNpbmNsdWRlIDxsaW51eC9rZXkuaD4KPiArCj4gKyNpZmRlZiBDT05GSUdfSU5U RUdSSVRZX1BMQVRGT1JNX0tFWVJJTkcKPiArCj4gK2V4dGVybiBjb25zdCBzdHJ1Y3Qga2V5KiBf X2luaXQgaW50ZWdyaXR5X2dldF9wbGF0Zm9ybV9rZXlyaW5nKHZvaWQpOwo+ICsKPiArI2VuZGlm IC8qIENPTkZJR19JTlRFR1JJVFlfUExBVEZPUk1fS0VZUklORyAqLwo+ICsKPiArI2VuZGlmIC8q IF9LRVlTX1NZU1RFTV9LRVlSSU5HX0ggKi8KPiBkaWZmIC0tZ2l0IGEvc2VjdXJpdHkvaW50ZWdy aXR5L2RpZ3NpZy5jIGIvc2VjdXJpdHkvaW50ZWdyaXR5L2RpZ3NpZy5jCj4gaW5kZXggZjQ1ZDZl ZGVjZjk5Li4zOTc3NThkNGYxMmQgMTAwNjQ0Cj4gLS0tIGEvc2VjdXJpdHkvaW50ZWdyaXR5L2Rp Z3NpZy5jCj4gKysrIGIvc2VjdXJpdHkvaW50ZWdyaXR5L2RpZ3NpZy5jCj4gQEAgLTE3NiwzICsx NzYsMTAgQEAgaW50IF9faW5pdCBpbnRlZ3JpdHlfbG9hZF9jZXJ0KGNvbnN0IHVuc2lnbmVkIGlu dCBpZCwgY29uc3QgY2hhciAqc291cmNlLAo+ICAJcHJfaW5mbygiTG9hZGluZyBYLjUwOSBjZXJ0 aWZpY2F0ZTogJXNcbiIsIHNvdXJjZSk7Cj4gIAlyZXR1cm4gaW50ZWdyaXR5X2FkZF9rZXkoaWQs IGRhdGEsIGxlbiwgcGVybSk7Cj4gIH0KPiArCj4gKyNpZmRlZiBDT05GSUdfSU5URUdSSVRZX1BM QVRGT1JNX0tFWVJJTkcKPiArc3RydWN0IGtleSogX19pbml0IGludGVncml0eV9nZXRfcGxhdGZv cm1fa2V5cmluZyh2b2lkKQo+ICt7Cj4gKwlyZXR1cm4ga2V5cmluZ1tJTlRFR1JJVFlfS0VZUklO R19QTEFURk9STV07Cj4gK30KPiArI2VuZGlmCg== From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DD7AAC43612 for ; Tue, 8 Jan 2019 15:18:24 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id AC8FD20685 for ; Tue, 8 Jan 2019 15:18:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727484AbfAHPSX (ORCPT ); Tue, 8 Jan 2019 10:18:23 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:39140 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727906AbfAHPSX (ORCPT ); Tue, 8 Jan 2019 10:18:23 -0500 Received: from pps.filterd (m0098404.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id x08FDmfF054125 for ; Tue, 8 Jan 2019 10:18:22 -0500 Received: from e06smtp03.uk.ibm.com (e06smtp03.uk.ibm.com [195.75.94.99]) by mx0a-001b2d01.pphosted.com with ESMTP id 2pvva97ff1-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 08 Jan 2019 10:18:21 -0500 Received: from localhost by e06smtp03.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 8 Jan 2019 15:18:18 -0000 Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197) by e06smtp03.uk.ibm.com (192.168.101.133) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Tue, 8 Jan 2019 15:18:15 -0000 Received: from d06av24.portsmouth.uk.ibm.com (mk.ibm.com [9.149.105.60]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x08FID5F7471528 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 8 Jan 2019 15:18:13 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A90C742041; Tue, 8 Jan 2019 15:18:13 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8FCB24204C; Tue, 8 Jan 2019 15:18:11 +0000 (GMT) Received: from localhost.localdomain (unknown [9.80.90.168]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Tue, 8 Jan 2019 15:18:11 +0000 (GMT) Subject: Re: [RFC PATCH 1/1] KEYS, integrity: Link .platform keyring to .secondary_trusted_keys From: Mimi Zohar To: Kairui Song , linux-kernel@vger.kernel.org Cc: dhowells@redhat.com, dwmw2@infradead.org, jwboyer@fedoraproject.org, keyrings@vger.kernel.org, jmorris@namei.org, serge@hallyn.com, bauerman@linux.ibm.com, ebiggers@google.com, nayna@linux.ibm.com, dyoung@redhat.com, linux-security-module , linux-integrity Date: Tue, 08 Jan 2019 10:18:00 -0500 In-Reply-To: <20190108081247.2266-2-kasong@redhat.com> References: <20190108081247.2266-1-kasong@redhat.com> <20190108081247.2266-2-kasong@redhat.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 19010815-0012-0000-0000-000002E3FC54 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19010815-0013-0000-0000-0000211B09D9 Message-Id: <1546960680.19931.114.camel@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-01-08_08:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1901080124 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org [Cc'ing the LSM and integrity mailing lists] Repeating my comment on PATCH 0/1 here with the expanded set of mailing lists. The builtin and secondary keyrings have a signature change of trust rooted in the signed kernel image.  Adding the pre-boot keys to the secondary keyring breaks that signature chain of trust. Please do NOT add the pre-boot "platform" keys to the secondary keyring. Mimi On Tue, 2019-01-08 at 16:12 +0800, Kairui Song wrote: > Currently kexec may need to verify the kerne image, and the kernel image > could be signed with third part keys which are provided by paltform or > firmware (eg. stored in MokListRT EFI variable). And the same time, > kexec_file_load will only verify the image agains .builtin_trusted_keys > or .secondary_trusted_keys according to configuration, but there is no > way for kexec_file_load to verify the image against any third part keys > mentioned above. > > In ea93102f3224 ('integrity: Define a trusted platform keyring') a > .platform keyring is introduced to store the keys provided by platform > or firmware. And with a few following commits including 15ea0e1e3e185 > ('efi: Import certificates from UEFI Secure Boot'), now keys required to > verify the image is being imported to .paltform keyring, and later > IMA-appraisal could access the keyring and verify the image. > > This patch links the .platform keyring to .secondary_trusted_keys so > kexec_file_load could also leverage the .platform keyring to verify the > kernel image. > > Signed-off-by: Kairui Song > --- > certs/system_keyring.c | 30 ++++++++++++++++++++++++++++++ > include/keys/platform_keyring.h | 12 ++++++++++++ > security/integrity/digsig.c | 7 +++++++ > 3 files changed, 49 insertions(+) > create mode 100644 include/keys/platform_keyring.h > > diff --git a/certs/system_keyring.c b/certs/system_keyring.c > index 81728717523d..dcef0259e149 100644 > --- a/certs/system_keyring.c > +++ b/certs/system_keyring.c > @@ -18,12 +18,14 @@ > #include > #include > #include > +#include > #include > > static struct key *builtin_trusted_keys; > #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING > static struct key *secondary_trusted_keys; > #endif > +static struct key *platform_keys = NULL; > > extern __initconst const u8 system_certificate_list[]; > extern __initconst const unsigned long system_certificate_list_size; > @@ -67,6 +69,12 @@ int restrict_link_by_builtin_and_secondary_trusted( > /* Allow the builtin keyring to be added to the secondary */ > return 0; > > + if (type == &key_type_keyring && > + dest_keyring == secondary_trusted_keys && > + payload == &platform_keys->payload) > + /* Allow the platform keyring to be added to the secondary */ > + return 0; > + > return restrict_link_by_signature(dest_keyring, type, payload, > secondary_trusted_keys); > } > @@ -188,6 +196,28 @@ static __init int load_system_certificate_list(void) > } > late_initcall(load_system_certificate_list); > > +#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && defined(CONFIG_SECONDARY_TRUSTED_KEYRING) > + > +/* > + * Link .platform keyring to .secondary_trusted_key keyring > + */ > +static __init int load_platform_certificate_list(void) > +{ > + int ret = 0; > + platform_keys = integrity_get_platform_keyring(); > + if (!platform_keys) { > + return 0; > + } > + ret = key_link(secondary_trusted_keys, platform_keys); > + if (ret < 0) { > + pr_err("Failed to link platform keyring: %d", ret); > + } > + return 0; > +} > +late_initcall(load_platform_certificate_list); > + > +#endif > + > #ifdef CONFIG_SYSTEM_DATA_VERIFICATION > > /** > diff --git a/include/keys/platform_keyring.h b/include/keys/platform_keyring.h > new file mode 100644 > index 000000000000..4f92ed6c0b42 > --- /dev/null > +++ b/include/keys/platform_keyring.h > @@ -0,0 +1,12 @@ > +#ifndef _KEYS_PLATFORM_KEYRING_H > +#define _KEYS_PLATFORM_KEYRING_H > + > +#include > + > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > + > +extern const struct key* __init integrity_get_platform_keyring(void); > + > +#endif /* CONFIG_INTEGRITY_PLATFORM_KEYRING */ > + > +#endif /* _KEYS_SYSTEM_KEYRING_H */ > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c > index f45d6edecf99..397758d4f12d 100644 > --- a/security/integrity/digsig.c > +++ b/security/integrity/digsig.c > @@ -176,3 +176,10 @@ int __init integrity_load_cert(const unsigned int id, const char *source, > pr_info("Loading X.509 certificate: %s\n", source); > return integrity_add_key(id, data, len, perm); > } > + > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING > +struct key* __init integrity_get_platform_keyring(void) > +{ > + return keyring[INTEGRITY_KEYRING_PLATFORM]; > +} > +#endif