Commit bc026676 authored Aug 15, 2023 by Nayna Jain Committed by Jarkko Sakkinen Aug 17, 2023

integrity: ignore keys failing CA restrictions on non-UEFI platform



On non-UEFI platforms, handle restrict_link_by_ca failures differently.

Certificates which do not satisfy CA restrictions on non-UEFI platforms
are ignored.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Reviewed-and-tested-by: Mimi Zohar <zohar@linux.ibm.com>
Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Nageswara R Sastry <rnsastry@linux.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

parent a3af7188

security/integrity/platform_certs/machine_keyring.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -36,7 +36,7 @@ void __init add_to_machine_keyring(const char source, const void data, size_t
		* If the restriction check does not pass and the platform keyring
		* is configured, try to add it into that keyring instead.
		*/
		if (rc && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
		if (rc && efi_enabled(EFI_BOOT) && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
		rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
		data, len, perm);