diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index c5514518ddd8c83a21969431968b9f13a8188d8c..40f35834cd1029deedc53ee13abddee6bb3e7ac7 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -326,6 +326,28 @@ int verify_pkcs7_signature(const void *data, size_t len,
 }
 EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
 
+struct key *search_trusted_key(struct key *trusted_keys, struct key_type *type,
+			       char *name)
+{
+	key_ref_t kref;
+
+	if (!trusted_keys) {
+		trusted_keys = builtin_trusted_keys;
+	} else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+		trusted_keys = secondary_trusted_keys;
+#else
+		trusted_keys = builtin_trusted_keys;
+#endif
+	}
+	kref = keyring_search(make_key_ref(trusted_keys, 1), type, name, true);
+	if (IS_ERR(kref))
+		return ERR_CAST(kref);
+
+	return key_ref_to_ptr(kref);
+}
+EXPORT_SYMBOL_GPL(search_trusted_key);
+
 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
 
 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
diff --git a/include/linux/verification.h b/include/linux/verification.h
index 911ab7c2b1ab39133f2e993eeaf818847912204c..65f6e5282275106f4ed9a71f849e883c67dec380 100644
--- a/include/linux/verification.h
+++ b/include/linux/verification.h
@@ -8,6 +8,8 @@
 #ifndef _LINUX_VERIFICATION_H
 #define _LINUX_VERIFICATION_H
 
+#include <linux/key.h>
+
 /*
  * Indicate that both builtin trusted keys and secondary trusted keys
  * should be used.
@@ -58,5 +60,8 @@ extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
 				   enum key_being_used_for usage);
 #endif
 
+struct key *search_trusted_key(struct key *trusted_keys, struct key_type *type,
+			       char *name);
+
 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
 #endif /* _LINUX_VERIFY_PEFILE_H */