@@ -90,6 +90,31 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void
return restriction;
}
+
+/**
+ * move_to_trusted_secondary_keyring - Move to the secondary trusted
+ * keyring with no validation.
+ * @key: The key to add to the secondary trusted keyring
+ * @from_keyring: The keyring containing the key to move from
+ *
+ * Move key to the secondary keyring without checking its trust chain. This
+ * is available only during kernel initialization.
+ */
+__init int move_to_trusted_secondary_keyring(struct key *key, struct key *from_keyring)
+{
+ int ret;
+
+ ret = key_move(key, from_keyring, secondary_trusted_keys,
+ KEY_ALLOC_BYPASS_RESTRICTION);
+
+ if (ret)
+ pr_err("Problem loading X.509 certificate %d\n", ret);
+ else
+ pr_notice("Loaded X.509 cert '%s' linked to secondary sys keyring\n",
+ key->description);
+
+ return ret;
+}
#endif
/*
@@ -34,8 +34,15 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
const struct key_type *type,
const union key_payload *payload,
struct key *restriction_key);
+extern __init int move_to_trusted_secondary_keyring(struct key *key,
+ struct key *from_keyring);
#else
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
+static inline __init int move_to_trusted_secondary_keyring(struct key *key,
+ struct key *from_keyring)
+{
+ return -EKEYREVOKED;
+}
#endif
extern struct pkcs7_message *pkcs7;
Allow keys to be moved into the secondary keyring without checking its trust chain. This is available only during kernel initialization. This will allow keys in the MOK list to be added during boot. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- certs/system_keyring.c | 25 +++++++++++++++++++++++++ include/keys/system_keyring.h | 7 +++++++ 2 files changed, 32 insertions(+)