xref: /openbmc/linux/security/integrity/platform_certs/machine_keyring.c (revision c900529f3d9161bfde5cca0754f83b4d3c3e0220) 
1d1996776SEric Snowberg // SPDX-License-Identifier: GPL-2.0
2d1996776SEric Snowberg /*
3d1996776SEric Snowberg  * Machine keyring routines.
4d1996776SEric Snowberg  *
5d1996776SEric Snowberg  * Copyright (c) 2021, Oracle and/or its affiliates.
6d1996776SEric Snowberg  */
7d1996776SEric Snowberg 
874f5e300SEric Snowberg #include <linux/efi.h>
9d1996776SEric Snowberg #include "../integrity.h"
10d1996776SEric Snowberg 
machine_keyring_init(void)11d1996776SEric Snowberg static __init int machine_keyring_init(void)
12d1996776SEric Snowberg {
13d1996776SEric Snowberg 	int rc;
14d1996776SEric Snowberg 
15d1996776SEric Snowberg 	rc = integrity_init_keyring(INTEGRITY_KEYRING_MACHINE);
16d1996776SEric Snowberg 	if (rc)
17d1996776SEric Snowberg 		return rc;
18d1996776SEric Snowberg 
19d1996776SEric Snowberg 	pr_notice("Machine keyring initialized\n");
20d1996776SEric Snowberg 	return 0;
21d1996776SEric Snowberg }
22d1996776SEric Snowberg device_initcall(machine_keyring_init);
23d1996776SEric Snowberg 
add_to_machine_keyring(const char * source,const void * data,size_t len)24d1996776SEric Snowberg void __init add_to_machine_keyring(const char *source, const void *data, size_t len)
25d1996776SEric Snowberg {
26d1996776SEric Snowberg 	key_perm_t perm;
27d1996776SEric Snowberg 	int rc;
28d1996776SEric Snowberg 
29d1996776SEric Snowberg 	perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
30d1996776SEric Snowberg 	rc = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source, data, len, perm);
31d1996776SEric Snowberg 
32d1996776SEric Snowberg 	/*
33d1996776SEric Snowberg 	 * Some MOKList keys may not pass the machine keyring restrictions.
34d1996776SEric Snowberg 	 * If the restriction check does not pass and the platform keyring
35d1996776SEric Snowberg 	 * is configured, try to add it into that keyring instead.
36d1996776SEric Snowberg 	 */
37*4cb1ed94SNayna Jain 	if (rc && efi_enabled(EFI_BOOT) &&
38*4cb1ed94SNayna Jain 	    IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
39d1996776SEric Snowberg 		rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
40d1996776SEric Snowberg 					 data, len, perm);
41d1996776SEric Snowberg 
42d1996776SEric Snowberg 	if (rc)
43d1996776SEric Snowberg 		pr_info("Error adding keys to machine keyring %s\n", source);
44d1996776SEric Snowberg }
4574f5e300SEric Snowberg 
4674f5e300SEric Snowberg /*
4774f5e300SEric Snowberg  * Try to load the MokListTrustedRT MOK variable to see if we should trust
4874f5e300SEric Snowberg  * the MOK keys within the kernel. It is not an error if this variable
4974f5e300SEric Snowberg  * does not exist.  If it does not exist, MOK keys should not be trusted
5074f5e300SEric Snowberg  * within the machine keyring.
5174f5e300SEric Snowberg  */
uefi_check_trust_mok_keys(void)5274f5e300SEric Snowberg static __init bool uefi_check_trust_mok_keys(void)
5374f5e300SEric Snowberg {
5474f5e300SEric Snowberg 	struct efi_mokvar_table_entry *mokvar_entry;
5574f5e300SEric Snowberg 
5674f5e300SEric Snowberg 	mokvar_entry = efi_mokvar_entry_find("MokListTrustedRT");
5774f5e300SEric Snowberg 
5874f5e300SEric Snowberg 	if (mokvar_entry)
5974f5e300SEric Snowberg 		return true;
6074f5e300SEric Snowberg 
6174f5e300SEric Snowberg 	return false;
6274f5e300SEric Snowberg }
633d6ae1a5SEric Snowberg 
trust_moklist(void)64*4cb1ed94SNayna Jain static bool __init trust_moklist(void)
653d6ae1a5SEric Snowberg {
663d6ae1a5SEric Snowberg 	static bool initialized;
677b9de406SNayna Jain 	static bool trust_mok;
683d6ae1a5SEric Snowberg 
693d6ae1a5SEric Snowberg 	if (!initialized) {
703d6ae1a5SEric Snowberg 		initialized = true;
717b9de406SNayna Jain 		trust_mok = false;
723d6ae1a5SEric Snowberg 
733d6ae1a5SEric Snowberg 		if (uefi_check_trust_mok_keys())
743d6ae1a5SEric Snowberg 			trust_mok = true;
753d6ae1a5SEric Snowberg 	}
763d6ae1a5SEric Snowberg 
773d6ae1a5SEric Snowberg 	return trust_mok;
783d6ae1a5SEric Snowberg }
79*4cb1ed94SNayna Jain 
80*4cb1ed94SNayna Jain /*
81*4cb1ed94SNayna Jain  * Provides platform specific check for trusting imputed keys before loading
82*4cb1ed94SNayna Jain  * on .machine keyring. UEFI systems enable this trust based on a variable,
83*4cb1ed94SNayna Jain  * and for other platforms, it is always enabled.
84*4cb1ed94SNayna Jain  */
imputed_trust_enabled(void)85*4cb1ed94SNayna Jain bool __init imputed_trust_enabled(void)
86*4cb1ed94SNayna Jain {
87*4cb1ed94SNayna Jain 	if (efi_enabled(EFI_BOOT))
88*4cb1ed94SNayna Jain 		return trust_moklist();
89*4cb1ed94SNayna Jain 
90*4cb1ed94SNayna Jain 	return true;
91*4cb1ed94SNayna Jain }
92