[PATCH] trust machine keyring (MoK) by default
author Luca Boccassi <bluca@debian.org>
Thu, 13 Oct 2022 22:22:06 +0000 (00:22 +0200)
committer Salvatore Bonaccorso <carnil@debian.org>
Tue, 6 May 2025 19:33:52 +0000 (21:33 +0200)
From 585cbcb982bffc4a8cee2f3d8d099fc64f9a74b9 Mon Sep 17 00:00:00 2001
Forwarded: not-needed

Debian always trusted keys in MoK by default. Upstream made it
conditional on a new EFI variable being set.
To keep backward compatibility, skip this check.

Gbp-Pq: Topic features/all/db-mok-keyring
Gbp-Pq: Name trust-machine-keyring-by-default.patch

security/integrity/platform_certs/machine_keyring.c

index a401640a63cd1783d0291d98853678e00a252652..0627f14eacbee04d13d1a3e57122d2f76dbcb1a7 100644 (file)
@@ -68,10 +68,7 @@ static bool __init trust_moklist(void)
 
        if (!initialized) {
                initialized = true;
-               trust_mok = false;
-
-               if (uefi_check_trust_mok_keys())
-                       trust_mok = true;
+               trust_mok = true;
        }
 
        return trust_mok;
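
Review bot: the unconditional `trust_mok = true;` inside `if (!initialized)` drops the `uefi_check_trust_mok_keys()` call entirely, so MoK keys are trusted whether or not the EFI variable mentioned in the commit message is set, and nothing in the code records why. Add a short comment at that assignment stating that this is a deliberate Debian deviation from upstream for backward compatibility, so that a later rebase neither silently restores the check nor loses the rationale. With the value fixed, the `initialized`/`trust_mok` caching no longer decides anything; keeping it to minimise the diff against upstream is reasonable, but the comment should say so. Also check whether `uefi_check_trust_mok_keys()` still has a caller after this change; if it does not, it is now dead code and, depending on how it is declared, may produce an unused-function warning.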