integrity: Only use machine keyring when uefi_check_trust_mok_keys is true

With the introduction of uefi_check_trust_mok_keys, it signifies the end- user wants to trust the machine keyring as trusted keys. If they have chosen to trust the machine keyring, load the qualifying keys into it during boot, then link it to the secondary keyring . If the user has not chosen to trust the machine keyring, it will be empty and not linked to the secondary keyring. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
author: Eric Snowberg <eric.snowberg@oracle.com> 2022-01-25 21:58:34 -0500
committer: Jarkko Sakkinen <jarkko@kernel.org> 2022-03-08 13:55:52 +0200
commit: 3d6ae1a5d0c2019d274284859f556dcb64aa98a7 (patch)
tree: adba80c2bffd87b1e986a0d0ecb93ba18407d3ba /security/integrity/digsig.c
parent: 74f5e30051399d60dbce4296dbfd833212df13f1 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 7b719aa76188..c8c8a4a4e7a0 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -112,7 +112,7 @@ static int __init __integrity_init_keyring(const unsigned int id,
 	} else {
 		if (id == INTEGRITY_KEYRING_PLATFORM)
 			set_platform_trusted_keys(keyring[id]);
-		if (id == INTEGRITY_KEYRING_MACHINE)
+		if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist())
 			set_machine_trusted_keys(keyring[id]);
 		if (id == INTEGRITY_KEYRING_IMA)
 			load_module_cert(keyring[id]);
author	Eric Snowberg <eric.snowberg@oracle.com>	2022-01-25 21:58:34 -0500
committer	Jarkko Sakkinen <jarkko@kernel.org>	2022-03-08 13:55:52 +0200
commit	3d6ae1a5d0c2019d274284859f556dcb64aa98a7 (patch)
tree	adba80c2bffd87b1e986a0d0ecb93ba18407d3ba /security/integrity/digsig.c
parent	74f5e30051399d60dbce4296dbfd833212df13f1 (diff)