<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/include/keys, branch v6.6.144</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>keys: Pin request_key_auth payload in instantiate paths</title>
<updated>2026-07-04T11:42:25+00:00</updated>
<author>
<name>Shaomin Chen</name>
<email>eeesssooo020@gmail.com</email>
</author>
<published>2026-06-10T10:10:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=35ab4db86774d82389e4b9559e26ab7f68d8e395'/>
<id>35ab4db86774d82389e4b9559e26ab7f68d8e395</id>
<content type='text'>
commit fd15b457a86939c38aa12116adabd8ff686c5e51 upstream.

A: request_key()       B: KEYCTL_INSTANTIATE_IOV
================       =========================

create auth key
store rka in auth key
wait for helper
                       get auth key
                       load rka from auth key
                       copy user payload
                       sleep on #PF

helper completed
detach and free rka
destroy auth key
                       wake up
                       use rka-&gt;target_key
                       **USE-AFTER-FREE**

Give request_key_auth payloads a refcount.  Take a payload reference while
authkey-&gt;sem stabilizes the payload and revocation state.  Hold that
reference across the instantiate and reject paths.  Drop the auth key
owning reference from revoke and destroy.

[jarkko: Replaced the first two paragraphs of text with an actual
 concurrency scenario.]
Cc: stable@vger.kernel.org # v5.10+
Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys")
Reported-by: Shaomin Chen &lt;eeesssooo020@gmail.com&gt;
Closes: https://lore.kernel.org/r/20260519144403.436694-1-eeesssooo020@gmail.com
Signed-off-by: Shaomin Chen &lt;eeesssooo020@gmail.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit fd15b457a86939c38aa12116adabd8ff686c5e51 upstream.

A: request_key()       B: KEYCTL_INSTANTIATE_IOV
================       =========================

create auth key
store rka in auth key
wait for helper
                       get auth key
                       load rka from auth key
                       copy user payload
                       sleep on #PF

helper completed
detach and free rka
destroy auth key
                       wake up
                       use rka-&gt;target_key
                       **USE-AFTER-FREE**

Give request_key_auth payloads a refcount.  Take a payload reference while
authkey-&gt;sem stabilizes the payload and revocation state.  Hold that
reference across the instantiate and reject paths.  Drop the auth key
owning reference from revoke and destroy.

[jarkko: Replaced the first two paragraphs of text with an actual
 concurrency scenario.]
Cc: stable@vger.kernel.org # v5.10+
Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys")
Reported-by: Shaomin Chen &lt;eeesssooo020@gmail.com&gt;
Closes: https://lore.kernel.org/r/20260519144403.436694-1-eeesssooo020@gmail.com
Signed-off-by: Shaomin Chen &lt;eeesssooo020@gmail.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>integrity: PowerVM support for loading third party code signing keys</title>
<updated>2023-08-17T20:12:35+00:00</updated>
<author>
<name>Nayna Jain</name>
<email>nayna@linux.ibm.com</email>
</author>
<published>2023-08-15T11:27:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=44e69ea53892f18e8753943a4376de20b076c3fe'/>
<id>44e69ea53892f18e8753943a4376de20b076c3fe</id>
<content type='text'>
On secure boot enabled PowerVM LPAR, third party code signing keys are
needed during early boot to verify signed third party modules. These
third party keys are stored in moduledb object in the Platform
KeyStore (PKS).

Load third party code signing keys onto .secondary_trusted_keys keyring.

Signed-off-by: Nayna Jain &lt;nayna@linux.ibm.com&gt;
Reviewed-and-tested-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Tested-by: Nageswara R Sastry &lt;rnsastry@linux.ibm.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
On secure boot enabled PowerVM LPAR, third party code signing keys are
needed during early boot to verify signed third party modules. These
third party keys are stored in moduledb object in the Platform
KeyStore (PKS).

Load third party code signing keys onto .secondary_trusted_keys keyring.

Signed-off-by: Nayna Jain &lt;nayna@linux.ibm.com&gt;
Reviewed-and-tested-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Tested-by: Nageswara R Sastry &lt;rnsastry@linux.ibm.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>KEYS: DigitalSignature link restriction</title>
<updated>2023-08-17T20:12:20+00:00</updated>
<author>
<name>Eric Snowberg</name>
<email>eric.snowberg@oracle.com</email>
</author>
<published>2023-05-22T23:09:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4cfb908054456ad8b6b8cd5108bbdf80faade8cd'/>
<id>4cfb908054456ad8b6b8cd5108bbdf80faade8cd</id>
<content type='text'>
Add a new link restriction.  Restrict the addition of keys in a keyring
based on the key having digitalSignature usage set. Additionally, verify
the new certificate against the ones in the system keyrings.  Add two
additional functions to use the new restriction within either the builtin
or secondary keyrings.

[jarkko@kernel.org: Fix checkpatch.pl --strict issues]
Signed-off-by: Eric Snowberg &lt;eric.snowberg@oracle.com&gt;
Reviewed-and-tested-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add a new link restriction.  Restrict the addition of keys in a keyring
based on the key having digitalSignature usage set. Additionally, verify
the new certificate against the ones in the system keyrings.  Add two
additional functions to use the new restriction within either the builtin
or secondary keyrings.

[jarkko@kernel.org: Fix checkpatch.pl --strict issues]
Signed-off-by: Eric Snowberg &lt;eric.snowberg@oracle.com&gt;
Reviewed-and-tested-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>KEYS: Add forward declaration in asymmetric-parser.h</title>
<updated>2023-06-23T08:15:37+00:00</updated>
<author>
<name>Herbert Xu</name>
<email>herbert@gondor.apana.org.au</email>
</author>
<published>2023-06-15T10:28:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b6d0695bb3c24ebe8dbaaaf61de791d5821a00ac'/>
<id>b6d0695bb3c24ebe8dbaaaf61de791d5821a00ac</id>
<content type='text'>
Add forward declaration for struct key_preparsed_payload so that
this header file is self-contained.

Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add forward declaration for struct key_preparsed_payload so that
this header file is self-contained.

Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>certs: Move load_certificate_list() to be with the asymmetric keys code</title>
<updated>2022-06-21T15:05:06+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2022-05-18T22:48:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=60050ffe3d770dd1df5b641aa48f49d07a54bd84'/>
<id>60050ffe3d770dd1df5b641aa48f49d07a54bd84</id>
<content type='text'>
Move load_certificate_list(), which loads a series of binary X.509
certificates from a blob and inserts them as keys into a keyring, to be
with the asymmetric keys code that it drives.

This makes it easier to add FIPS selftest code in which we need to load up
a private keyring for the tests to use.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Reviewed-by: Simo Sorce &lt;simo@redhat.com&gt;
Reviewed-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
cc: keyrings@vger.kernel.org
cc: linux-crypto@vger.kernel.org
Link: https://lore.kernel.org/r/165515742145.1554877.13488098107542537203.stgit@warthog.procyon.org.uk/
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Move load_certificate_list(), which loads a series of binary X.509
certificates from a blob and inserts them as keys into a keyring, to be
with the asymmetric keys code that it drives.

This makes it easier to add FIPS selftest code in which we need to load up
a private keyring for the tests to use.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Reviewed-by: Simo Sorce &lt;simo@redhat.com&gt;
Reviewed-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
cc: keyrings@vger.kernel.org
cc: linux-crypto@vger.kernel.org
Link: https://lore.kernel.org/r/165515742145.1554877.13488098107542537203.stgit@warthog.procyon.org.uk/
</pre>
</div>
</content>
</entry>
<entry>
<title>KEYS: trusted: Introduce support for NXP CAAM-based trusted keys</title>
<updated>2022-05-23T15:47:50+00:00</updated>
<author>
<name>Ahmad Fatoum</name>
<email>a.fatoum@pengutronix.de</email>
</author>
<published>2022-05-13T14:57:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e9c5048c2de1913d0bcd589bc1487810c2e24bc1'/>
<id>e9c5048c2de1913d0bcd589bc1487810c2e24bc1</id>
<content type='text'>
The Cryptographic Acceleration and Assurance Module (CAAM) is an IP core
built into many newer i.MX and QorIQ SoCs by NXP.

The CAAM does crypto acceleration, hardware number generation and
has a blob mechanism for encapsulation/decapsulation of sensitive material.

This blob mechanism depends on a device specific random 256-bit One Time
Programmable Master Key that is fused in each SoC at manufacturing
time. This key is unreadable and can only be used by the CAAM for AES
encryption/decryption of user data.

This makes it a suitable backend (source) for kernel trusted keys.

Previous commits generalized trusted keys to support multiple backends
and added an API to access the CAAM blob mechanism. Based on these,
provide the necessary glue to use the CAAM for trusted keys.

Reviewed-by: David Gstir &lt;david@sigma-star.at&gt;
Reviewed-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Tested-by: Tim Harvey &lt;tharvey@gateworks.com&gt;
Tested-by: Matthias Schiffer &lt;matthias.schiffer@ew.tq-group.com&gt;
Tested-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Tested-by: Michael Walle &lt;michael@walle.cc&gt; # on ls1028a (non-E and E)
Tested-by: John Ernberg &lt;john.ernberg@actia.se&gt; # iMX8QXP
Signed-off-by: Ahmad Fatoum &lt;a.fatoum@pengutronix.de&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The Cryptographic Acceleration and Assurance Module (CAAM) is an IP core
built into many newer i.MX and QorIQ SoCs by NXP.

The CAAM does crypto acceleration, hardware number generation and
has a blob mechanism for encapsulation/decapsulation of sensitive material.

This blob mechanism depends on a device specific random 256-bit One Time
Programmable Master Key that is fused in each SoC at manufacturing
time. This key is unreadable and can only be used by the CAAM for AES
encryption/decryption of user data.

This makes it a suitable backend (source) for kernel trusted keys.

Previous commits generalized trusted keys to support multiple backends
and added an API to access the CAAM blob mechanism. Based on these,
provide the necessary glue to use the CAAM for trusted keys.

Reviewed-by: David Gstir &lt;david@sigma-star.at&gt;
Reviewed-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Tested-by: Tim Harvey &lt;tharvey@gateworks.com&gt;
Tested-by: Matthias Schiffer &lt;matthias.schiffer@ew.tq-group.com&gt;
Tested-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Tested-by: Michael Walle &lt;michael@walle.cc&gt; # on ls1028a (non-E and E)
Tested-by: John Ernberg &lt;john.ernberg@actia.se&gt; # iMX8QXP
Signed-off-by: Ahmad Fatoum &lt;a.fatoum@pengutronix.de&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>KEYS: trusted: allow use of kernel RNG for key material</title>
<updated>2022-05-23T15:47:50+00:00</updated>
<author>
<name>Ahmad Fatoum</name>
<email>a.fatoum@pengutronix.de</email>
</author>
<published>2022-05-13T14:57:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fcd7c26901c83681532c6daac599e53d4df11738'/>
<id>fcd7c26901c83681532c6daac599e53d4df11738</id>
<content type='text'>
The two existing trusted key sources don't make use of the kernel RNG,
but instead let the hardware doing the sealing/unsealing also
generate the random key material. However, both users and future
backends may want to place less trust into the quality of the trust
source's random number generator and instead reuse the kernel entropy
pool, which can be seeded from multiple entropy sources.

Make this possible by adding a new trusted.rng parameter,
that will force use of the kernel RNG. In its absence, it's up
to the trust source to decide, which random numbers to use,
maintaining the existing behavior.

Suggested-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Acked-by: Sumit Garg &lt;sumit.garg@linaro.org&gt;
Acked-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Reviewed-by: David Gstir &lt;david@sigma-star.at&gt;
Reviewed-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Tested-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Tested-by: Michael Walle &lt;michael@walle.cc&gt; # on ls1028a (non-E and E)
Tested-by: John Ernberg &lt;john.ernberg@actia.se&gt; # iMX8QXP
Signed-off-by: Ahmad Fatoum &lt;a.fatoum@pengutronix.de&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The two existing trusted key sources don't make use of the kernel RNG,
but instead let the hardware doing the sealing/unsealing also
generate the random key material. However, both users and future
backends may want to place less trust into the quality of the trust
source's random number generator and instead reuse the kernel entropy
pool, which can be seeded from multiple entropy sources.

Make this possible by adding a new trusted.rng parameter,
that will force use of the kernel RNG. In its absence, it's up
to the trust source to decide, which random numbers to use,
maintaining the existing behavior.

Suggested-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Acked-by: Sumit Garg &lt;sumit.garg@linaro.org&gt;
Acked-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Reviewed-by: David Gstir &lt;david@sigma-star.at&gt;
Reviewed-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Tested-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Tested-by: Michael Walle &lt;michael@walle.cc&gt; # on ls1028a (non-E and E)
Tested-by: John Ernberg &lt;john.ernberg@actia.se&gt; # iMX8QXP
Signed-off-by: Ahmad Fatoum &lt;a.fatoum@pengutronix.de&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>certs: Factor out the blacklist hash creation</title>
<updated>2022-05-23T15:47:49+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@linux.microsoft.com</email>
</author>
<published>2021-07-12T17:03:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=141e523914f72575915dd334fce3cef4fb0f1e91'/>
<id>141e523914f72575915dd334fce3cef4fb0f1e91</id>
<content type='text'>
Factor out the blacklist hash creation with the get_raw_hash() helper.
This also centralize the "tbs" and "bin" prefixes and make them private,
which help to manage them consistently.

Cc: David Howells &lt;dhowells@redhat.com&gt;
Cc: David S. Miller &lt;davem@davemloft.net&gt;
Cc: David Woodhouse &lt;dwmw2@infradead.org&gt;
Cc: Eric Snowberg &lt;eric.snowberg@oracle.com&gt;
Cc: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Cc: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Signed-off-by: Mickaël Salaün &lt;mic@linux.microsoft.com&gt;
Link: https://lore.kernel.org/r/20210712170313.884724-5-mic@digikod.net
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Factor out the blacklist hash creation with the get_raw_hash() helper.
This also centralize the "tbs" and "bin" prefixes and make them private,
which help to manage them consistently.

Cc: David Howells &lt;dhowells@redhat.com&gt;
Cc: David S. Miller &lt;davem@davemloft.net&gt;
Cc: David Woodhouse &lt;dwmw2@infradead.org&gt;
Cc: Eric Snowberg &lt;eric.snowberg@oracle.com&gt;
Cc: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Cc: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Signed-off-by: Mickaël Salaün &lt;mic@linux.microsoft.com&gt;
Link: https://lore.kernel.org/r/20210712170313.884724-5-mic@digikod.net
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>KEYS: Introduce link restriction for machine keys</title>
<updated>2022-03-08T11:55:52+00:00</updated>
<author>
<name>Eric Snowberg</name>
<email>eric.snowberg@oracle.com</email>
</author>
<published>2022-01-26T02:58:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=087aa4ed379054951cb3c8ccaa0c4dbafd903c01'/>
<id>087aa4ed379054951cb3c8ccaa0c4dbafd903c01</id>
<content type='text'>
Introduce a new link restriction that includes the trusted builtin,
secondary and machine keys. The restriction is based on the key to be
added being vouched for by a key in any of these three keyrings.

With the introduction of the machine keyring, the end-user may choose to
trust Machine Owner Keys (MOK) within the kernel. If they have chosen to
trust them, the .machine keyring will contain these keys.  If not, the
machine keyring will always be empty.  Update the restriction check to
allow the secondary trusted keyring to also trust machine keys.

Allow the .machine keyring to be linked to the secondary_trusted_keys.
After the link is created, keys contained in the .machine keyring will
automatically be searched when searching secondary_trusted_keys.

Suggested-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Signed-off-by: Eric Snowberg &lt;eric.snowberg@oracle.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Tested-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Introduce a new link restriction that includes the trusted builtin,
secondary and machine keys. The restriction is based on the key to be
added being vouched for by a key in any of these three keyrings.

With the introduction of the machine keyring, the end-user may choose to
trust Machine Owner Keys (MOK) within the kernel. If they have chosen to
trust them, the .machine keyring will contain these keys.  If not, the
machine keyring will always be empty.  Update the restriction check to
allow the secondary trusted keyring to also trust machine keys.

Allow the .machine keyring to be linked to the secondary_trusted_keys.
After the link is created, keys contained in the .machine keyring will
automatically be searched when searching secondary_trusted_keys.

Suggested-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Signed-off-by: Eric Snowberg &lt;eric.snowberg@oracle.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Tested-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>KEYS: store reference to machine keyring</title>
<updated>2022-03-08T11:55:52+00:00</updated>
<author>
<name>Eric Snowberg</name>
<email>eric.snowberg@oracle.com</email>
</author>
<published>2022-01-26T02:58:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=56edb6c25f11f25df153f4804f2d5bced2b49a9e'/>
<id>56edb6c25f11f25df153f4804f2d5bced2b49a9e</id>
<content type='text'>
Expose the .machine keyring created in integrity code by adding
a reference.  Store a reference to the machine keyring in
system keyring code. The system keyring code needs this to complete
the keyring link to the machine keyring.

Signed-off-by: Eric Snowberg &lt;eric.snowberg@oracle.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Tested-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Expose the .machine keyring created in integrity code by adding
a reference.  Store a reference to the machine keyring in
system keyring code. The system keyring code needs this to complete
the keyring link to the machine keyring.

Signed-off-by: Eric Snowberg &lt;eric.snowberg@oracle.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Tested-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
