Hi, as the subject says, this is a patch that links the newly introduced .platform keyring into the .secondary_trusted_keys keyring. This is mainly for kexec_file_load, to make kexec_file_load able to verify the kernel image against keys provided by the platform or firmware. kexec_file_load could already verify the image against secondary_trusted_keys if secondary_trusted_keys exists, so this will make kexec_file_load aware of platform keys as well.
This may also be useful for things like module signature verification that are using secondary_trusted_keys. I'm not sure if it would be better to move the INTEGRITY_PLATFORM_KEYRING to certs/ and let the integrity subsystem use the keyring there, so I just linked the .platform keyring into the kernel's .secondary_trusted_keys keyring.

It worked for my case, tested in a VM: I signed the kernel image locally with pesign and imported the cert to EFI's MokList variable.

Kairui Song (1):
  KEYS, integrity: Link .platform keyring to .secondary_trusted_keys

 certs/system_keyring.c          | 30 ++++++++++++++++++++++++++++++
 include/keys/platform_keyring.h | 12 ++++++++++++
 security/integrity/digsig.c     |  7 +++++++
 3 files changed, 49 insertions(+)
 create mode 100644 include/keys/platform_keyring.h

-- 
2.20.1

