security/integrity/platform_certs/machine_keyring.c
Source file repositories/reference/linux-study-clean/security/integrity/platform_certs/machine_keyring.c
File Facts
- System
- Linux kernel
- Corpus path
security/integrity/platform_certs/machine_keyring.c- Extension
.c- Size
- 2156 bytes
- Lines
- 92
- Domain
- Core OS
- Bucket
- Security And Isolation
- Inferred role
- Core OS: exported/initcall integration point
- Status
- integration implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Exports symbols or registers init work; inspect boot/module ordering and who consumes the exported contract.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
linux/efi.h../integrity.h
Detected Declarations
function Copyrightfunction add_to_machine_keyringfunction uefi_check_trust_mok_keysfunction trust_moklistfunction imputed_trust_enabledmodule init machine_keyring_init
Annotated Snippet
device_initcall(machine_keyring_init);
void __init add_to_machine_keyring(const char *source, const void *data, size_t len)
{
key_perm_t perm;
int rc;
perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
rc = integrity_load_cert(INTEGRITY_KEYRING_MACHINE, source, data, len, perm);
/*
* Some MOKList keys may not pass the machine keyring restrictions.
* If the restriction check does not pass and the platform keyring
* is configured, try to add it into that keyring instead.
*/
if (rc && efi_enabled(EFI_BOOT) &&
IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
data, len, perm);
if (rc)
pr_info("Error adding keys to machine keyring %s\n", source);
}
/*
* Try to load the MokListTrustedRT MOK variable to see if we should trust
* the MOK keys within the kernel. It is not an error if this variable
* does not exist. If it does not exist, MOK keys should not be trusted
* within the machine keyring.
*/
static __init bool uefi_check_trust_mok_keys(void)
{
struct efi_mokvar_table_entry *mokvar_entry;
mokvar_entry = efi_mokvar_entry_find("MokListTrustedRT");
if (mokvar_entry)
return true;
return false;
}
static bool __init trust_moklist(void)
{
static bool initialized;
static bool trust_mok;
if (!initialized) {
initialized = true;
trust_mok = false;
if (uefi_check_trust_mok_keys())
trust_mok = true;
}
return trust_mok;
}
/*
* Provides platform specific check for trusting imputed keys before loading
* on .machine keyring. UEFI systems enable this trust based on a variable,
* and for other platforms, it is always enabled.
*/
bool __init imputed_trust_enabled(void)
{
if (efi_enabled(EFI_BOOT))
return trust_moklist();
return true;
}
Annotation
- Immediate include surface: `linux/efi.h`, `../integrity.h`.
- Detected declarations: `function Copyright`, `function add_to_machine_keyring`, `function uefi_check_trust_mok_keys`, `function trust_moklist`, `function imputed_trust_enabled`, `module init machine_keyring_init`.
- Atlas domain: Core OS / Security And Isolation.
- Implementation status: integration implementation candidate.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.