git.maquefel.me Git - linux.git/commit

author	Eric Snowberg <eric.snowberg@oracle.com>
	Wed, 26 Jan 2022 02:58:31 +0000 (21:58 -0500)
committer	Jarkko Sakkinen <jarkko@kernel.org>
	Tue, 8 Mar 2022 11:55:52 +0000 (13:55 +0200)
commit	087aa4ed379054951cb3c8ccaa0c4dbafd903c01
tree	047426a773b2102dbb56ff42f866683665ca56c1	tree \| snapshot
parent	56edb6c25f11f25df153f4804f2d5bced2b49a9e	commit \| diff

KEYS: Introduce link restriction for machine keys

Introduce a new link restriction that includes the trusted builtin,
secondary and machine keys. The restriction is based on the key to be
added being vouched for by a key in any of these three keyrings.

With the introduction of the machine keyring, the end-user may choose to
trust Machine Owner Keys (MOK) within the kernel. If they have chosen to
trust them, the .machine keyring will contain these keys. If not, the
machine keyring will always be empty. Update the restriction check to
allow the secondary trusted keyring to also trust machine keys.

Allow the .machine keyring to be linked to the secondary_trusted_keys.
After the link is created, keys contained in the .machine keyring will
automatically be searched when searching secondary_trusted_keys.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

certs/system_keyring.c		diff \| blob \| history
include/keys/system_keyring.h		diff \| blob \| history