087aa4ed37
Introduce a new link restriction that includes the trusted builtin, secondary and machine keys. The restriction is based on the key to be added being vouched for by a key in any of these three keyrings. With the introduction of the machine keyring, the end-user may choose to trust Machine Owner Keys (MOK) within the kernel. If they have chosen to trust them, the .machine keyring will contain these keys. If not, the machine keyring will always be empty. Update the restriction check to allow the secondary trusted keyring to also trust machine keys. Allow the .machine keyring to be linked to the secondary_trusted_keys. After the link is created, keys contained in the .machine keyring will automatically be searched when searching secondary_trusted_keys. Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Tested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> |
||
|---|---|---|
| .. | ||
| .gitignore | ||
| Kconfig | ||
| Makefile | ||
| blacklist.c | ||
| blacklist.h | ||
| blacklist_hashes.c | ||
| blacklist_nohashes.c | ||
| common.c | ||
| common.h | ||
| default_x509.genkey | ||
| extract-cert.c | ||
| revocation_certificates.S | ||
| system_certificates.S | ||
| system_keyring.c | ||