From: Matthias Gerstner
Date: Wed, 24 Jan 2018 15:58:15 +0000 (+0100)
Subject: 98integrity: support loading x509 into the trusted/builtin .evm keyring
X-Git-Tag: 047~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cb02ff635c668392f9af174657b38c0baa946e98;p=thirdparty%2Fdracut.git

98integrity: support loading x509 into the trusted/builtin .evm keyring

This implements logic analogous to the one already implemented in ima-keys-load.sh, only for the .evm/_evm keyrings.

If the kernel was built with CONFIG_IMA_TRUSTED_KEYRING then the kernel initially creates and configures .ima and .evm keyrings. These keyrings only accept x509 certificates that have been signed by a local CA which belongs to the kernel builtin trusted keyring. Thus if such a keyring is already present then additional evm keys should be loaded into it. If this is not the case then the _evm keyring needs to be created in userspace and keys will be loaded into it instead.

Before this change dracut always created the _evm keyring and loaded keys into it without considering an existing .evm keyring. In case of CONFIG_IMA_TRUSTED_KEYRING being enabled, the _evm keyring will not be used by the kernel, however, and EVM digital signatures will not work as expected.

---
diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
index ae7418850..0be16a41b 100755
--- a/modules.d/98integrity/evm-enable.sh
+++ b/modules.d/98integrity/evm-enable.sh
@@ -76,8 +76,21 @@ load_evm_x509() return 1 fi + local evm_pubid + local line=$(keyctl describe %keyring:.evm) + if [ $? -eq 0 ]; then + # the kernel already setup a trusted .evm keyring so use that one + evm_pubid=${line%%:*} + else + # look for an existing regular keyring + evm_pubid=`keyctl search @u keyring _evm` + if [ -z "${evm_pubid}" ]; then + # create a new regular _evm keyring + evm_pubid=`keyctl newring _evm @u` + fi + fi + # load the EVM public key onto the EVM keyring - evm_pubid=`keyctl newring _evm @u` EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid}) [ $? -eq 0 ] || { info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}";
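Review bot: the `if [ $? -eq 0 ]` test after `local line=$(keyctl describe %keyring:.evm)` checks the exit status of the `local` builtin, not of `keyctl`, so it is always true. On a kernel without a builtin .evm keyring, `line` is empty, `${line%%:*}` yields an empty `evm_pubid`, the `else` branch that searches for or creates `_evm` is never reached, and `evmctl import ${EVMX509PATH} ${evm_pubid}` runs without a keyring id and fails; that regresses the pre-patch behaviour, where `_evm` was always created, and leaves EVM without its public key on exactly the configurations this patch is not targeting. Separate the declaration from the assignment so the status of `keyctl` is what gets tested, for example `local line` followed by `if line=$(keyctl describe %keyring:.evm 2>/dev/null); then`, which also keeps the expected "keyring not found" error from `keyctl describe` out of the boot log. The same applies to `keyctl search @u keyring _evm`, which exits non-zero and prints to stderr when no `_evm` keyring exists yet; redirecting its stderr keeps the normal first-boot path quiet.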