diff options
author | Kairui Song <kasong@redhat.com> | 2019-01-21 17:59:28 +0800 |
---|---|---|
committer | Mimi Zohar <zohar@linux.ibm.com> | 2019-02-04 17:29:19 -0500 |
commit | 219a3e8676f3132d27b530c7d2d6bcab89536b57 (patch) | |
tree | a79baecc80144b604d059a6828057210c7a06b9e /security/integrity | |
parent | 2181e084b26bddca22bc3f23364c15809cfed28b (diff) |
integrity, KEYS: add a reference to platform keyring
commit 9dc92c45177a ("integrity: Define a trusted platform keyring")
introduced a .platform keyring for storing preboot keys, used for
verifying kernel image signatures. Currently only IMA-appraisal is able
to use the keyring to verify kernel images that have their signature
stored in xattr.
This patch exposes the .platform keyring, making it accessible for
verifying PE signed kernel images as well.
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Kairui Song <kasong@redhat.com>
Cc: David Howells <dhowells@redhat.com>
[zohar@linux.ibm.com: fixed checkpatch errors, squashed with patch fix]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security/integrity')
-rw-r--r-- | security/integrity/digsig.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index f45d6edecf99..e19c2eb72c51 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm, pr_info("Can't allocate %s keyring (%d)\n", keyring_name[id], err); keyring[id] = NULL; + } else { + if (id == INTEGRITY_KEYRING_PLATFORM) + set_platform_trusted_keys(keyring[id]); } return err; |