load_evm_key() {
# read the configuration from the config file
+ # shellcheck disable=SC1090
[ -f "${EVMCONFIG}" ] \
- && . ${EVMCONFIG}
+ && . "${EVMCONFIG}"
# override the EVM key path name from the 'evmkey=' parameter in the kernel
# command line
- EVMKEYARG=$(getarg evmkey=)
- [ $? -eq 0 ] \
- && EVMKEY=${EVMKEYARG}
+ if EVMKEYARG=$(getarg evmkey=); then
+ EVMKEY=${EVMKEYARG}
+ fi
# set the default value
[ -z "${EVMKEY}" ] \
fi
# read the EVM encrypted key blob
- KEYBLOB=$(cat ${EVMKEYPATH})
+ KEYBLOB=$(cat "${EVMKEYPATH}")
# load the EVM encrypted key
- EVMKEYID=$(keyctl add ${EVMKEYTYPE} ${EVMKEYDESC} "load ${KEYBLOB}" @u)
- [ $? -eq 0 ] || {
+ if ! EVMKEYID=$(keyctl add ${EVMKEYTYPE} ${EVMKEYDESC} "load ${KEYBLOB}" @u); then
info "integrity: failed to load the EVM encrypted key: ${EVMKEYDESC}"
return 1
- }
+ fi
return 0
}
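Review bot: `${EVMKEYTYPE}` and `${EVMKEYDESC}` on the new `keyctl add` line are the only expansions in load_evm_key that this change leaves unquoted, so a key type or description containing whitespace would still split into extra arguments and the keyring ends up with a differently-named key; the line should read `if ! EVMKEYID=$(keyctl add "${EVMKEYTYPE}" "${EVMKEYDESC}" "load ${KEYBLOB}" @u); then`. Separately, the blob is passed on argv, so it is readable through /proc/PID/cmdline and appears in full in rd.debug (`set -x`) traces; the blob is presumably the sealed/encrypted form, so this is a hygiene point rather than a key leak, but `keyctl padd` takes the payload on stdin, e.g. `if ! EVMKEYID=$(printf 'load %s' "${KEYBLOB}" | keyctl padd "${EVMKEYTYPE}" "${EVMKEYDESC}" @u); then`, which keeps it out of the process list.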
# override the EVM key path name from the 'evmx509=' parameter in
# the kernel command line
- EVMX509ARG=$(getarg evmx509=)
- [ $? -eq 0 ] \
- && EVMX509=${EVMX509ARG}
+ if EVMX509ARG=$(getarg evmx509=); then
+ EVMX509=${EVMX509ARG}
+ fi
# set the default value
[ -z "${EVMX509}" ] \
fi
local evm_pubid line
- line=$(keyctl describe %keyring:.evm)
- if [ $? -eq 0 ]; then
+ if line=$(keyctl describe %keyring:.evm); then
# the kernel already setup a trusted .evm keyring so use that one
evm_pubid=${line%%:*}
else
fi
# load the EVM public key onto the EVM keyring
- EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid})
- [ $? -eq 0 ] || {
+ # FIXME: EVMX509ID unused?
+ # shellcheck disable=SC2034
+ if ! EVMX509ID=$(evmctl import "${EVMX509PATH}" "${evm_pubid}"); then
info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}"
return 1
- }
+ fi
if [ "${RD_DEBUG}" = "yes" ]; then
keyctl show @u
unload_evm_key() {
# unlink the EVM encrypted key
- keyctl unlink ${EVMKEYID} @u || {
+ keyctl unlink "${EVMKEYID}" @u || {
info "integrity: failed to unlink the EVM encrypted key: ${EVMKEYDESC}"
return 1
}
# initialize EVM
info "Enabling EVM"
- echo 1 > ${EVMSECFILE}
+ echo 1 > "${EVMSECFILE}"
# unload the EVM encrypted key
unload_evm_key || return 1
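Review bot: The write that actually turns EVM on, `echo 1 > "${EVMSECFILE}"`, is still unchecked, so if the kernel rejects it (or the securityfs path is wrong) the function logs "Enabling EVM", unlinks the key and returns 0 as if enforcement were active. Since the commit is already converting the surrounding checks to explicit `if`/`||` forms, this line deserves the same treatment: `echo 1 > "${EVMSECFILE}" || { info "integrity: failed to enable EVM via ${EVMSECFILE}"; return 1; }`. Returning before unload_evm_key leaves the encrypted key linked in @u on that path; whether it should be unlinked anyway is a design choice worth stating in a comment. The enclosing function begins outside this hunk.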
# override the default configuration
if [ -f "${IMACONFIG}" ]; then
- . ${IMACONFIG}
+ # shellcheck disable=SC1090
+ . "${IMACONFIG}"
fi
if [ -z "${IMAKEYSDIR}" ]; then
IMAKEYSDIR="/etc/keys/ima"
fi
- PUBKEY_LIST=$(ls ${NEWROOT}${IMAKEYSDIR}/*)
+ PUBKEY_LIST=$(ls "${NEWROOT}"${IMAKEYSDIR}/*)
for PUBKEY in ${PUBKEY_LIST}; do
# check for public key's existence
if [ ! -f "${PUBKEY}" ]; then
continue
fi
- X509ID=$(evmctl import ${PUBKEY} ${KEYRING_ID})
- if [ $? -ne 0 ]; then
+ # FIXME: X509ID unused?
+ # shellcheck disable=SC2034
+ if ! X509ID=$(evmctl import "${PUBKEY}" "${KEYRING_ID}"); then
info "integrity: IMA x509 cert not loaded on keyring: ${PUBKEY}"
fi
done
if [ "${RD_DEBUG}" = "yes" ]; then
- keyctl show ${KEYRING_ID}
+ keyctl show "${KEYRING_ID}"
fi
return 0
}
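Review bot: `PUBKEY_LIST=$(ls "${NEWROOT}"${IMAKEYSDIR}/*)` followed by the unquoted `for PUBKEY in ${PUBKEY_LIST}` still parses ls output and word-splits it, so a key file or directory name containing whitespace is broken into fragments that the `[ ! -f "${PUBKEY}" ]` check then silently skips; quoting only `${NEWROOT}` does not help here. The shell glob does the same job without the intermediate variable: replace both lines with `for PUBKEY in "${NEWROOT}${IMAKEYSDIR}"/*; do`, and the existing `-f` test already handles the no-match case where the literal pattern is returned. If leaving `${IMAKEYSDIR}` unquoted is intentional (to allow a glob from the config file), that should be said in a comment, otherwise it reads as an oversight next to the newly quoted `${NEWROOT}`.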
fi
# get the IMA keyring id
-line=$(keyctl describe %keyring:.ima)
-if [ $? -eq 0 ]; then
+
+if line=$(keyctl describe %keyring:.ima); then
_ima_id=${line%%:*}
else
_ima_id=$(keyctl search @u keyring _ima)
fi
# load the IMA public key(s)
-load_x509_keys ${_ima_id}
+load_x509_keys "${_ima_id}"
fi
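Review bot: The fallback in the `else` branch, `_ima_id=$(keyctl search @u keyring _ima)`, is still unchecked, so when neither a `.ima` keyring nor an `_ima` keyring exists `_ima_id` is empty and `load_x509_keys "${_ima_id}"` goes on to run `evmctl import` against an empty keyring argument for every key, producing one confusing failure per certificate instead of one clear message. The new `if line=$(...)` form for `.ima` makes this easy to mirror: `_ima_id=$(keyctl search @u keyring _ima) || info "integrity: no .ima or _ima keyring found"` in the else branch, and `[ -n "${_ima_id}" ] && load_x509_keys "${_ima_id}"` for the call. The `if` that the final `fi` closes starts outside this hunk, so I cannot see whether an earlier check already guarantees a keyring.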
# override the default configuration
+ # shellcheck disable=SC1090
[ -f "${IMACONFIG}" ] \
- && . ${IMACONFIG}
+ && . "${IMACONFIG}"
# set the IMA policy path name
IMAPOLICYPATH="${NEWROOT}${IMAPOLICY}"
# check the existence of the IMA policy file
[ -f "${IMAPOLICYPATH}" ] && {
info "Loading the provided IMA custom policy"
- printf '%s' "${IMAPOLICYPATH}" > ${IMASECDIR}/policy \
- || cat "${IMAPOLICYPATH}" > ${IMASECDIR}/policy
+ printf '%s' "${IMAPOLICYPATH}" > "${IMASECDIR}"/policy \
+ || cat "${IMAPOLICYPATH}" > "${IMASECDIR}"/policy
}
return 0
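Review bot: Both attempts to load the policy can fail without any message, because the `printf ... || cat ...` chain is the last statement in the braces and the function unconditionally returns 0 afterwards, so a rejected policy leaves IMA running with the default rules while the log says "Loading the provided IMA custom policy". The two forms are also not equivalent from a security standpoint: writing the pathname lets the kernel open and appraise the policy file itself, whereas `cat`ing the bytes hands it an unverified policy, which the kernel accepts only when it is not configured to require a signed policy file; a path-form failure (e.g. a rejected signature) therefore quietly degrades to the weaker load where that is permitted. At minimum the failure of both should be reported, and the degradation documented:

```shell
[ -f "${IMAPOLICYPATH}" ] && {
    info "Loading the provided IMA custom policy"
    # Prefer the pathname form so the kernel appraises the policy file
    # itself; fall back to feeding the raw policy only if that is refused.
    if ! printf '%s' "${IMAPOLICYPATH}" > "${IMASECDIR}"/policy \
        && ! cat "${IMAPOLICYPATH}" > "${IMASECDIR}"/policy; then
        info "integrity: failed to load the IMA custom policy ${IMAPOLICYPATH}"
    fi
}
# … unchanged: return 0 …
```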