// SPDX-License-Identifier: GPL-2.0
/*
 * Machine keyring routines.
 *
 * Copyright (c) 2021, Oracle and/or its affiliates.
 */
7
8#include <linux/efi.h>
9#include "../integrity.h"
10
/*
 * Create the .machine keyring during boot.
 *
 * Returns 0 once the keyring exists, otherwise the error from
 * integrity_init_keyring(), which the initcall machinery records.
 */
static __init int machine_keyring_init(void)
{
	int ret = integrity_init_keyring(INTEGRITY_KEYRING_MACHINE);

	if (ret)
		return ret;

	pr_notice("Machine keyring initialized\n");
	return 0;
}
/* Run at device initcall level so the keyring exists before keys are loaded. */
device_initcall(machine_keyring_init);
23
/*
 * Load one certificate into the .machine keyring.
 *
 * @source: human-readable origin of the key, used only in the log message
 * @data:   DER-encoded certificate
 * @len:    length of @data in bytes
 *
 * The key is created with possessor permissions minus SETATTR and with
 * user view only, so it cannot be altered after loading.  A key that the
 * .machine keyring's restriction rejects is not discarded on EFI systems
 * that build the platform keyring: it is retried there, a keyring with a
 * different trust policy.  Failures are logged, not returned.
 */
void __init add_to_machine_keyring(const char *source, const void *data, size_t len)
{
	const key_perm_t perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
	int rc = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source, data, len, perm);

	if (!rc)
		return;

	/*
	 * Some MOKList keys do not satisfy the machine keyring restriction.
	 * On EFI boot, when the platform keyring is configured, offer the
	 * key to that keyring instead.
	 */
	if (efi_enabled(EFI_BOOT) && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
		rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
					 data, len, perm);

	if (rc)
		pr_info("Error adding keys to machine keyring %s\n", source);
}
45
/*
 * Report whether the MokListTrustedRT MOK variable is present, which is
 * the signal that MOK keys may be trusted within the kernel.  Absence of
 * the variable is not an error; it means MOK keys are not trusted in the
 * machine keyring.  Only the presence of the entry is checked; its
 * contents are not inspected.
 */
static __init bool uefi_check_trust_mok_keys(void)
{
	struct efi_mokvar_table_entry *entry =
		efi_mokvar_entry_find("MokListTrustedRT");

	return entry != NULL;
}
63
/*
 * Whether MOK keys are to be trusted in the machine keyring.
 *
 * The UEFI lookup is performed once, on the first call, and the answer
 * is cached in function-scope statics for every later call.
 */
static bool __init trust_moklist(void)
{
	static bool initialized;
	static bool trust_mok;

	if (initialized)
		return trust_mok;

	initialized = true;
	trust_mok = uefi_check_trust_mok_keys();

	return trust_mok;
}
79
/*
 * Platform-specific gate for trusting imputed keys before they are loaded
 * on the .machine keyring.  On UEFI boot the decision comes from the
 * MokListTrustedRT variable (see trust_moklist()); every other platform
 * trusts them unconditionally.
 */
bool __init imputed_trust_enabled(void)
{
	if (!efi_enabled(EFI_BOOT))
		return true;

	return trust_moklist();
}
92