98integrity: support loading x509 into the trusted/builtin .evm keyring

This implements logic analogous to the one already implemented in
ima-keys-load.sh, only for the .evm/_evm keyrings.

If the kernel was built with CONFIG_IMA_TRUSTED_KEYRING then the kernel
initially creates and configures .ima and .evm keyrings. These keyrings
only accept x509 certificates that have been signed by a local CA which
belongs to the kernel builtin trusted keyring.

Thus if such a keyring is already present then additional evm keys
should be loaded into them. If this is not the case then the _evm
keyring needs to be created in userspace and keys will be loaded into
it instead.

Before this change dracut always created the _evm keyring and loaded
keys into it without considering an existing .evm keyring. In case of
CONFIG_IMA_TRUSTED_KEYRING being enabled, the _evm keyring will not be
used by the kernel, however, and EVM digital signatures will not work as
expected.

diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
index ae741885032bd4c31a732b54d0c2ebe1fa13f71f..0be16a41b66b17d02e631e5db163718c1108392e 100755 (executable)
--- a/modules.d/98integrity/evm-enable.sh
+++ b/modules.d/98integrity/evm-enable.sh
@@ -76,8 +76,21 @@ load_evm_x509()
         return 1
     fi
 
+    local evm_pubid
+    local line=$(keyctl describe %keyring:.evm)
+    if [ $? -eq 0 ]; then
+        # the kernel already setup a trusted .evm keyring so use that one
+        evm_pubid=${line%%:*}
+    else
+        # look for an existing regular keyring
+        evm_pubid=`keyctl search @u keyring _evm`
+        if [ -z "${evm_pubid}" ]; then
+            # create a new regular _evm keyring
+            evm_pubid=`keyctl newring _evm @u`
+        fi
+    fi
+
     # load the EVM public key onto the EVM keyring
-    evm_pubid=`keyctl newring _evm @u`
     EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid})
     [ $? -eq 0 ] || {
         info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}";