
Commit 2ce523eb authored by Dmitry Kasatkin's avatar Dmitry Kasatkin Committed by Mimi Zohar

evm: load an x509 certificate from the kernel



This patch defines a configuration option and the evm_load_x509() hook
to load an X509 certificate onto the EVM trusted kernel keyring.

Changes in v4:
* Patch description updated

Changes in v3:
* Removed EVM_X509_PATH definition. CONFIG_EVM_X509_PATH is used
  directly.

Changes in v2:
* default key path changed to /etc/keys

Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@huawei.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
parent f4dc3778
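--- a/[path not on page: EVM Kconfig]
+++ b/[path not on page: EVM Kconfig]
@@ -42,3 +42,20 @@ config EVM_EXTRA_SMACK_XATTRS
 	  additional info to the calculation, requires existing EVM
 	  labeled file systems to be relabeled.
 
+config EVM_LOAD_X509
+	bool "Load an X509 certificate onto the '.evm' trusted keyring"
+	depends on INTEGRITY_TRUSTED_KEYRING
+	default n
+	help
+	   Load an X509 certificate onto the '.evm' trusted keyring.
+
+	   This option enables X509 certificate loading from the kernel
+	   onto the '.evm' trusted keyring.  A public key can be used to
+	   verify EVM integrity starting from the 'init' process.
+
+config EVM_X509_PATH
+	string "EVM X509 certificate path"
+	depends on EVM_LOAD_X509
+	default "/etc/keys/x509_evm.der"
+	help
+	   This option defines X509 certificate path.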
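Review bot: `depends on INTEGRITY_TRUSTED_KEYRING` does not require EVM itself, so unless the surrounding Kconfig wraps this entry in an `if EVM` block (not visible in the hunk), EVM_LOAD_X509 can be enabled with CONFIG_EVM unset; the integrity.h hunk then selects the out-of-line prototype and the integrity_load_keys() hunk calls evm_load_x509() while no object file defines it. Changing the line to `depends on EVM && INTEGRITY_TRUSTED_KEYRING` closes that, and EVM_X509_PATH inherits it through its dependency on EVM_LOAD_X509. The new help text is also indented one space deeper than the EVM_EXTRA_SMACK_XATTRS context above it (tab plus three spaces versus tab plus two). Because the certificate is read from the root filesystem before EVM holds any key, the help would be clearer if it stated what integrity_load_x509() requires of the file — presumably a signature by a key already on the builtin trusted keyring, as the keyring's 'trusted' label suggests; confirm against the helper before wording it.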
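--- a/[path not on page: evm main .c file]
+++ b/[path not on page: evm main .c file]
@@ -472,6 +472,13 @@ int evm_inode_init_security(struct inode *inode,
 }
 EXPORT_SYMBOL_GPL(evm_inode_init_security);
 
+#ifdef CONFIG_EVM_LOAD_X509
+void __init evm_load_x509(void)
+{
+	integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
+}
+#endif
+
 static int __init init_evm(void)
 {
 	int error;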
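Review bot: evm_load_x509() discards whatever integrity_load_x509() returns; that helper's signature is outside this hunk, so if it reports failure (file absent, certificate rejected by the trusted keyring) the boot continues with an empty '.evm' keyring and nothing at this call site records why. If the helper already logs its own errors, a comment should say that is the intended handling, e.g. `/* Failure is non-fatal: integrity_load_x509() logs it and EVM runs without a key. */`; otherwise capture the return value and report it the same way ima_load_x509() does, so the two loaders behave alike. A one-line header comment naming the caller would also help: `/* Called from integrity_load_keys() at boot; loads CONFIG_EVM_X509_PATH onto the '.evm' keyring. */`.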
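--- a/[path not on page: integrity keys .c file]
+++ b/[path not on page: integrity keys .c file]
@@ -254,4 +254,5 @@ int __init integrity_read_file(const char *path, char **data)
 void __init integrity_load_keys(void)
 {
 	ima_load_x509();
+	evm_load_x509();
 }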
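--- a/[path not on page: integrity header]
+++ b/[path not on page: integrity header]
@@ -170,6 +170,14 @@ static inline void ima_load_x509(void)
 }
 #endif
 
+#ifdef CONFIG_EVM_LOAD_X509
+void __init evm_load_x509(void);
+#else
+static inline void evm_load_x509(void)
+{
+}
+#endif
+
 #ifdef CONFIG_INTEGRITY_AUDIT
 /* declarations */
 void integrity_audit_msg(int audit_msgno, struct inode *inode,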
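Review bot: The new prototype/stub pair for evm_load_x509() carries no comment, unlike the audit block right below it, so a reader of the header cannot tell that the stub is the deliberate no-op for kernels built without EVM_LOAD_X509 rather than a forgotten implementation. A single line above the `#ifdef` would settle it: `/* Boot-time loading of CONFIG_EVM_X509_PATH onto the '.evm' keyring; empty stub when EVM_LOAD_X509 is off. */`. The guard mirrors the ima_load_x509() block named in the hunk header, which is the right shape to keep.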