98integrity: support X.509-only EVM configuration

Previously if no symmetric key was configured for EVM, then the
initialization process was aborted. It can be a valid use case, however,
to only use EVM digital signatures. In this case only X.509 certificates
need to be loaded.

With this change EVM initialization will continue if any of the
symmetric or X.509 keys could be loaded.

diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
index 0be16a41b66b17d02e631e5db163718c1108392e..4f73b88556571b57a354338a00dda5231e34965a 100755 (executable)
--- a/modules.d/98integrity/evm-enable.sh
+++ b/modules.d/98integrity/evm-enable.sh
@@ -125,11 +125,18 @@ enable_evm()
         return 0
     fi
 
-    # load the EVM encrypted key
-    load_evm_key || return 1
+    local evm_configured
+
+    # try to load the EVM encrypted key
+    load_evm_key && evm_configured=1
+
+    # try to load the EVM public key
+    load_evm_x509 && evm_configured=1
 
-    # load the EVM public key, if it exists
-    load_evm_x509
+    # only enable EVM if a key or x509 certificate could be loaded
+    if [ -z "$evm_configured" ]; then
+        return 1
+    fi
 
     # initialize EVM
     info "Enabling EVM"