From 3d6ae1a5d0c2019d274284859f556dcb64aa98a7 Mon Sep 17 00:00:00 2001 From: Eric Snowberg Date: Tue, 25 Jan 2022 21:58:34 -0500 Subject: integrity: Only use machine keyring when uefi_check_trust_mok_keys is true With the introduction of uefi_check_trust_mok_keys, it signifies the end- user wants to trust the machine keyring as trusted keys. If they have chosen to trust the machine keyring, load the qualifying keys into it during boot, then link it to the secondary keyring . If the user has not chosen to trust the machine keyring, it will be empty and not linked to the secondary keyring. Signed-off-by: Eric Snowberg Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- security/integrity/integrity.h | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'security/integrity/integrity.h') diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 730771eececd..2e214c761158 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -287,9 +287,14 @@ static inline void __init add_to_platform_keyring(const char *source, #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING void __init add_to_machine_keyring(const char *source, const void *data, size_t len); +bool __init trust_moklist(void); #else static inline void __init add_to_machine_keyring(const char *source, const void *data, size_t len) { } +static inline bool __init trust_moklist(void) +{ + return false; +} #endif -- cgit v1.2.1