ima: load x509 certificate from the kernel (fd5f4e90) · Commits · e / devices / android_kernel_fairphone_FP3

security/integrity/ima/Kconfig

+18 −0

Original line number	Original line	Diff line number	Diff line
	@@ -131,3 +131,21 @@ config IMA_TRUSTED_KEYRING
	help		help
	This option requires that all keys added to the .ima		This option requires that all keys added to the .ima
	keyring be signed by a key on the system trusted keyring.		keyring be signed by a key on the system trusted keyring.

			config IMA_LOAD_X509
			bool "Load X509 certificate onto the '.ima' trusted keyring"
			depends on IMA_TRUSTED_KEYRING
			default n
			help
			File signature verification is based on the public keys
			loaded on the .ima trusted keyring. These public keys are
			X509 certificates signed by a trusted key on the
			.system keyring. This option enables X509 certificate
			loading from the kernel onto the '.ima' trusted keyring.

			config IMA_X509_PATH
			string "IMA X509 certificate path"
			depends on IMA_LOAD_X509
			default "/etc/keys/x509_ima.der"
			help
			This option defines IMA X509 certificate path.

+1 −2

Original line number	Original line	Diff line number	Diff line
	@@ -173,8 +173,7 @@ int ima_get_action(struct inode *inode, int mask, int function)
	{		{
	int flags = IMA_MEASURE \| IMA_AUDIT \| IMA_APPRAISE;		int flags = IMA_MEASURE \| IMA_AUDIT \| IMA_APPRAISE;

	if (!ima_appraise)		flags &= ima_policy_flag;
	flags &= ~IMA_APPRAISE;

	return ima_match_policy(inode, function, mask, flags);		return ima_match_policy(inode, function, mask, flags);
	}		}

+17 −0

Original line number	Original line	Diff line number	Diff line
	@@ -24,6 +24,12 @@
	#include <crypto/hash_info.h>		#include <crypto/hash_info.h>
	#include "ima.h"		#include "ima.h"

			#ifdef CONFIG_IMA_X509_PATH
			#define IMA_X509_PATH CONFIG_IMA_X509_PATH
			#else
			#define IMA_X509_PATH "/etc/keys/x509_ima.der"
			#endif

	/* name for boot aggregate entry */		/* name for boot aggregate entry */
	static const char *boot_aggregate_name = "boot_aggregate";		static const char *boot_aggregate_name = "boot_aggregate";
	int ima_used_chip;		int ima_used_chip;
	@@ -91,6 +97,17 @@ static int __init ima_add_boot_aggregate(void)
	return result;		return result;
	}		}

			#ifdef CONFIG_IMA_LOAD_X509
			void __init ima_load_x509(void)
			{
			int unset_flags = ima_policy_flag & IMA_APPRAISE;

			ima_policy_flag &= ~unset_flags;
			integrity_load_x509(INTEGRITY_KEYRING_IMA, IMA_X509_PATH);
			ima_policy_flag \|= unset_flags;
			}
			#endif

	int __init ima_init(void)		int __init ima_init(void)
	{		{
	u8 pcr_i[TPM_DIGEST_SIZE];		u8 pcr_i[TPM_DIGEST_SIZE];

+8 −0

Original line number	Original line	Diff line number	Diff line
	@@ -162,6 +162,14 @@ static inline int asymmetric_verify(struct key keyring, const char sig,
	}		}
	#endif		#endif

			#ifdef CONFIG_IMA_LOAD_X509
			void __init ima_load_x509(void);
			#else
			static inline void ima_load_x509(void)
			{
			}
			#endif

	#ifdef CONFIG_INTEGRITY_AUDIT		#ifdef CONFIG_INTEGRITY_AUDIT
	/* declarations */		/* declarations */
	void integrity_audit_msg(int audit_msgno, struct inode *inode,		void integrity_audit_msg(int audit_msgno, struct inode *inode,