git.ipfire.org Git - thirdparty/dracut.git/commit
fix(integrity): properly set up EVM when using an x509 cert
author Stefan Berger <stefanb@linux.ibm.com>
Thu, 29 Apr 2021 22:23:26 +0000 (18:23 -0400)
committer Jóhann B. Guðmundsson <johannbg@gmail.com>
Mon, 3 May 2021 08:13:48 +0000 (08:13 +0000)
commit 4bdd7eb23a8187c3f19797e47eee8c672cea33ae
tree 277362ab73a85ac2530e66628b46ce4028d0a1e5
parent 8f99fadabea8f279a9fe28473dba424eb38f8d60
fix(integrity): properly set up EVM when using an x509 cert

The current EVM script does not handle the EVM setup properly when X509
certificates are involved. In this patch we extend the setup and add
the necessary flags for support of EVM activation that include
x509 certificates, possibly in conjunction with an HMAC key. We also
first try activating EVM for x509 certificates using
EVM_ALLOW_METADATA_WRITES for newer kernels, then without it for older
ones that did not support this flag.

We add support for additional EVM activation bits to be set, such
as EVM_SETUP_COMPLETE (0x80000000) via the config file and
EVM_ACTIVATION_BITS variable.

To avoid error messages related to unloading the HMAC key if none is
used, only attempt to unload the HMAC key if one was actually set.

We add documentation about the variables that can be set in the EVM
config file.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Cc: Roberto Sassu <roberto.sassu@huawei.com>
modules.d/98integrity/evm-enable.sh
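The activation logic the commit message describes (x509 bits first tried together with EVM_ALLOW_METADATA_WRITES, then retried without it for older kernels; extra bits such as EVM_SETUP_COMPLETE merged in from a config variable; the HMAC key unlinked only when one was loaded), as an added POSIX sh example. This is not dracut's evm-enable.sh and not the diff of this commit. The bit values for EVM_INIT_HMAC, EVM_INIT_X509 and EVM_ALLOW_METADATA_WRITES are the kernel's securityfs values; the page itself names only EVM_SETUP_COMPLETE (0x80000000). The variable name EVMKEYID, the securityfs path and the function names are assumptions made here for the example.

```shell
#!/bin/sh
# Added example, not the project's code. Computes and writes the EVM
# activation value with the new/old-kernel fallback from the commit message.

# EVM securityfs bits (kernel values; only EVM_SETUP_COMPLETE is named on the page).
EVM_INIT_HMAC=0x1
EVM_INIT_X509=0x2
EVM_ALLOW_METADATA_WRITES=0x4
EVM_SETUP_COMPLETE=0x80000000

# Assumed location of the EVM control file (kernel default securityfs mount).
EVM_SYSFS=/sys/kernel/security/evm

# evm_activation_value HAVE_X509 HAVE_HMAC ALLOW_MDW EXTRA_BITS
# Prints the decimal value that would be written to the securityfs file.
# EXTRA_BITS stands in for the EVM_ACTIVATION_BITS config variable.
evm_activation_value() {
    have_x509=$1; have_hmac=$2; allow_mdw=$3; extra=${4:-0}
    value=0
    if [ "$have_x509" = 1 ]; then value=$((value | $EVM_INIT_X509)); fi
    if [ "$have_hmac" = 1 ]; then value=$((value | $EVM_INIT_HMAC)); fi
    if [ "$allow_mdw" = 1 ]; then value=$((value | $EVM_ALLOW_METADATA_WRITES)); fi
    value=$((value | $extra))
    echo "$value"
}

# evm_activate PATH HAVE_X509 HAVE_HMAC EXTRA_BITS
# With an x509 cert, first try the activation including
# EVM_ALLOW_METADATA_WRITES (newer kernels); if the kernel rejects the
# write, retry without that flag (older kernels). Returns the status of
# the last write, so callers can tell whether EVM was activated at all.
evm_activate() {
    path=$1; have_x509=$2; have_hmac=$3; extra=${4:-0}
    if [ "$have_x509" = 1 ]; then
        v=$(evm_activation_value 1 "$have_hmac" 1 "$extra")
        if echo "$v" > "$path" 2>/dev/null; then
            return 0
        fi
    fi
    v=$(evm_activation_value "$have_x509" "$have_hmac" 0 "$extra")
    echo "$v" > "$path" 2>/dev/null
}

# Only unlink the HMAC key when one was actually loaded (EVMKEYID is an
# assumed variable holding the key serial), so an x509-only configuration
# does not produce keyctl errors at unload time.
unload_hmac_key() {
    if [ -n "$EVMKEYID" ]; then
        keyctl unlink "$EVMKEYID" @u
    fi
}

# Usage on a real system (x509 cert, no HMAC key, mark setup complete):
#   evm_activate "$EVM_SYSFS" 1 0 "$EVM_SETUP_COMPLETE"
```

On a live system the first write is what distinguishes kernel generations: a kernel that does not know EVM_ALLOW_METADATA_WRITES rejects the value, and the second write without that bit is the only one that takes effect, so logging which write succeeded is a useful check in a boot log.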