projects / linux-2.6-block.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7a5edd1) | patch
KEYS: Introduce link restriction for machine keys
authorEric Snowberg <eric.snowberg@oracle.com>
Wed, 26 Jan 2022 02:58:31 +0000 (21:58 -0500)
committerJarkko Sakkinen <jarkko@kernel.org>
Wed, 23 Feb 2022 15:49:08 +0000 (16:49 +0100)
commitd642066732f01a2fb62fec0939876e0f0a49ebf2
treebe59e7e15839cd3a0d6d435849c2f6036aa09d04tree
parent7a5edd1077557e1b9bc3a8e6c363b3d5ab36433ecommit | diff
KEYS: Introduce link restriction for machine keys

Introduce a new link restriction that includes the trusted builtin,
secondary and machine keys. The restriction is based on the key to be
added being vouched for by a key in any of these three keyrings.

With the introduction of the machine keyring, the end-user may choose to
trust Machine Owner Keys (MOK) within the kernel. If they have chosen to
trust them, the .machine keyring will contain these keys.  If not, the
machine keyring will always be empty.  Update the restriction check to
allow the secondary trusted keyring to also trust machine keys.

Allow the .machine keyring to be linked to the secondary_trusted_keys.
After the link is created, keys contained in the .machine keyring will
automatically be searched when searching secondary_trusted_keys.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
certs/system_keyring.c diff | blob | blame | history
include/keys/system_keyring.h diff | blob | blame | history
Linux 6.x block layer and io_uring tree(s)