[PATCH 2/6] integrity: ignore keys failing CA restrictions on non-UEFI platform

[PATCH 0/6] Enable loading local and third party keys on PowerVM guest · Nayna Jain <nayna@linux.ibm.com> · 2023-07-14
[PATCH 2/6] integrity: ignore keys failing CA restrictions on non-UEFI platform · Nayna Jain <nayna@linux.ibm.com> · 2023-07-14
Re: [PATCH 2/6] integrity: ignore keys failing CA restrictions on non-UEFI platform · Mimi Zohar <zohar@linux.ibm.com> · 2023-08-02
[PATCH 1/6] integrity: PowerVM support for loading CA keys on machine keyring · Nayna Jain <nayna@linux.ibm.com> · 2023-07-14
Re: [PATCH 1/6] integrity: PowerVM support for loading CA keys on machine keyring · Mimi Zohar <zohar@linux.ibm.com> · 2023-08-02
[PATCH 3/6] integrity: remove global variable from machine_keyring.c · Nayna Jain <nayna@linux.ibm.com> · 2023-07-14
Re: [PATCH 3/6] integrity: remove global variable from machine_keyring.c · Mimi Zohar <zohar@linux.ibm.com> · 2023-08-02
[PATCH 4/6] integrity: check whether imputed trust is enabled · Nayna Jain <nayna@linux.ibm.com> · 2023-07-14
Re: [PATCH 4/6] integrity: check whether imputed trust is enabled · Mimi Zohar <zohar@linux.ibm.com> · 2023-08-02
[PATCH 5/6] integrity: PowerVM machine keyring enablement. · Nayna Jain <nayna@linux.ibm.com> · 2023-07-14
Re: [PATCH 5/6] integrity: PowerVM machine keyring enablement. · Mimi Zohar <zohar@linux.ibm.com> · 2023-08-02
[PATCH 6/6] integrity: PowerVM support for loading third party code signing keys · Nayna Jain <nayna@linux.ibm.com> · 2023-07-14
Re: [PATCH 0/6] Enable loading local and third party keys on PowerVM guest · Mimi Zohar <zohar@linux.ibm.com> · 2023-08-02

STALE1039d

Revisions (3)

2023-07-14 v1 current
2023-08-09 v2 [diff vs current]
2023-08-13 v3 [diff vs current]

From: Nayna Jain <nayna@linux.ibm.com>
Date: 2023-07-14 15:35:03
Also in: linux-integrity, linux-security-module, lkml
Subsystem: extended verification module (evm), integrity measurement architecture (ima), security subsystem, the rest · Maintainers: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds

On non-UEFI platforms, handle restrict_link_by_ca failures differently.

Certificates which do not satisfy CA restrictions on non-UEFI platforms
are ignored.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
---
 security/integrity/platform_certs/machine_keyring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
index 7aaed7950b6e..389a6e7c9245 100644
--- a/security/integrity/platform_certs/machine_keyring.c
+++ b/security/integrity/platform_certs/machine_keyring.c

@@ -36,7 +36,7 @@ void __init add_to_machine_keyring(const char *source, const void *data, size_t
 	 * If the restriction check does not pass and the platform keyring
 	 * is configured, try to add it into that keyring instead.
 	 */
-	if (rc && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
+	if (rc && efi_enabled(EFI_BOOT) && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
 		rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
 					 data, len, perm);

-- 
2.31.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help