This implements logic analogous to the one already implemented in
ima-keys-load.sh, only for the .evm/_evm keyrings.

If the kernel was built with CONFIG_IMA_TRUSTED_KEYRING, then the kernel
initially creates and configures the .ima and .evm keyrings. These keyrings
only accept X.509 certificates that have been signed by a local CA which
belongs to the kernel's builtin trusted keyring.

Thus, if such a keyring is already present, then additional EVM keys
should be loaded into it. If this is not the case, then the _evm
keyring needs to be created in userspace and keys will be loaded into
it instead.

Before this change, dracut always created the _evm keyring and loaded
keys into it without considering an existing .evm keyring. In case of
CONFIG_IMA_TRUSTED_KEYRING being enabled, however, the _evm keyring will not be
used by the kernel, and EVM digital signatures will not work as
expected.
return 1
fi
+ local evm_pubid
+ local line=$(keyctl describe %keyring:.evm)
+ if [ $? -eq 0 ]; then
+ # the kernel already setup a trusted .evm keyring so use that one
+ evm_pubid=${line%%:*}
+ else
+ # look for an existing regular keyring
+ evm_pubid=`keyctl search @u keyring _evm`
+ if [ -z "${evm_pubid}" ]; then
+ # create a new regular _evm keyring
+ evm_pubid=`keyctl newring _evm @u`
+ fi
+ fi
+
# load the EVM public key onto the EVM keyring
- evm_pubid=`keyctl newring _evm @u`
EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid})
[ $? -eq 0 ] || {
info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}";
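Review bot: the `$?` tested right after `local line=$(keyctl describe %keyring:.evm)` is the exit status of the `local` builtin, not of `keyctl`, so the `[ $? -eq 0 ]` branch is taken even when no `.evm` keyring exists, `evm_pubid` ends up empty, and the fallback to `keyctl search @u keyring _evm` / `keyctl newring _evm @u` is never reached; declare and assign separately (`local line; line=$(keyctl describe %keyring:.evm 2>/dev/null)`) or test the assignment directly (`if line=$(keyctl describe %keyring:.evm 2>/dev/null); then`). The `2>/dev/null` also keeps keyctl's error output off the console in the common case where the kernel-created keyring is absent. As a style point, the new lines mix `$(...)` with the backtick substitutions kept on the `keyctl search` and `keyctl newring` lines, while the `evmctl import` line just below already uses `$(...)`; settling on one form would read more consistently.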