diff mbox series

[RFC,02/12] KEYS: Allow unrestricted keys to be moved to the secondary keyring

Message ID 20210707024403.1083977-3-eric.snowberg@oracle.com
State New
Headers show
Series None | expand

Commit Message

Eric Snowberg July 7, 2021, 2:43 a.m. UTC
Allow keys to be moved into the secondary keyring without checking its
trust chain.  This is available only during kernel initialization.

This will allow keys in the MOK list to be added during boot.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 certs/system_keyring.c        | 25 +++++++++++++++++++++++++
 include/keys/system_keyring.h |  7 +++++++
 2 files changed, 32 insertions(+)
diff mbox series

Patch

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 692365dee2bd..f02bc5832684 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -90,6 +90,31 @@  static __init struct key_restriction *get_builtin_and_secondary_restriction(void
 
 	return restriction;
 }
+
+/**
+ * move_to_trusted_secondary_keyring - Move to the secondary trusted
+ * keyring with no validation.
+ * @key: The key to add to the secondary trusted keyring
+ * @from_keyring: The keyring containing the key to move from
+ *
+ * Move key to the secondary keyring without checking its trust chain.  This
+ * is available only during kernel initialization.
+ */
+__init int move_to_trusted_secondary_keyring(struct key *key, struct key *from_keyring)
+{
+	int ret;
+
+	ret = key_move(key, from_keyring, secondary_trusted_keys,
+		       KEY_ALLOC_BYPASS_RESTRICTION);
+
+	if (ret)
+		pr_err("Problem loading X.509 certificate %d\n", ret);
+	else
+		pr_notice("Loaded X.509 cert '%s' linked to secondary sys keyring\n",
+			  key->description);
+
+	return ret;
+}
 #endif
 
 /*
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 6acd3cf13a18..f40837026d6d 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -34,8 +34,15 @@  extern int restrict_link_by_builtin_and_secondary_trusted(
 	const struct key_type *type,
 	const union key_payload *payload,
 	struct key *restriction_key);
+extern __init int move_to_trusted_secondary_keyring(struct key *key,
+						    struct key *from_keyring);
 #else
 #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
+static inline __init int move_to_trusted_secondary_keyring(struct key *key,
+							   struct key *from_keyring)
+{
+	return -EKEYREVOKED;
+}
 #endif
 
 extern struct pkcs7_message *pkcs7;