@@ -74,6 +74,16 @@ config INTEGRITY_MACHINE_KEYRING
in the platform keyring, keys contained in the .machine keyring will
be trusted within the kernel.
+config INTEGRITY_CA_MACHINE_KEYRING
+ bool "Only allow CA keys into the Machine Keyring"
+ depends on INTEGRITY_MACHINE_KEYRING
+ help
+ If set, only Machine Owner Keys (MOK) that are Certificate
+ Authority (CA) keys will be added to the .machine keyring. All
+ other MOK keys will be added to the .platform keyring. After
+ booting, any other key signed by the CA key can be added to the
+ secondary_trusted_keys keyring.
+
config LOAD_UEFI_KEYS
depends on INTEGRITY_PLATFORM_KEYRING
depends on EFI
@@ -131,7 +131,8 @@ int __init integrity_init_keyring(const unsigned int id)
| KEY_USR_READ | KEY_USR_SEARCH;
if (id == INTEGRITY_KEYRING_PLATFORM ||
- id == INTEGRITY_KEYRING_MACHINE) {
+ (id == INTEGRITY_KEYRING_MACHINE &&
+ !IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING))) {
restriction = NULL;
goto out;
}
@@ -143,7 +144,10 @@ int __init integrity_init_keyring(const unsigned int id)
if (!restriction)
return -ENOMEM;
- restriction->check = restrict_link_to_ima;
+ if (id == INTEGRITY_KEYRING_MACHINE)
+ restriction->check = restrict_link_by_ca;
+ else
+ restriction->check = restrict_link_to_ima;
/*
* MOK keys can only be added through a read-only runtime services
Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to restrict_link_by_ca. This will only allow CA keys into the machine keyring. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- security/integrity/Kconfig | 10 ++++++++++ security/integrity/digsig.c | 8 ++++++-- 2 files changed, 16 insertions(+), 2 deletions(-)