integrity: define '.evm' as a builtin 'trusted' keyring (f4dc3778) · Commits · e / devices / android_kernel_fairphone_FP4

security/integrity/Kconfig

+11 −0

Original line number	Diff line number	Diff line
		@@ -41,6 +41,17 @@ config INTEGRITY_ASYMMETRIC_KEYS
		This option enables digital signature verification using
		asymmetric keys.

		config INTEGRITY_TRUSTED_KEYRING
		bool "Require all keys on the integrity keyrings be signed"
		depends on SYSTEM_TRUSTED_KEYRING
		depends on INTEGRITY_ASYMMETRIC_KEYS
		select KEYS_DEBUG_PROC_KEYS
		default y
		help
		This option requires that all keys added to the .ima and
		.evm keyrings be signed by a key on the system trusted
		keyring.

		config INTEGRITY_AUDIT
		bool "Enables integrity auditing support "
		depends on AUDIT

+12 −2

Original line number	Diff line number	Diff line
		@@ -24,15 +24,22 @@
		static struct key *keyring[INTEGRITY_KEYRING_MAX];

		static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
		#ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING
		"_evm",
		"_module",
		#ifndef CONFIG_IMA_TRUSTED_KEYRING
		"_ima",
		#else
		".evm",
		".ima",
		#endif
		"_module",
		};

		#ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING
		static bool init_keyring __initdata = true;
		#else
		static bool init_keyring __initdata;
		#endif

		int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
		const char *digest, int digestlen)
		{
		@@ -68,6 +75,9 @@ int __init integrity_init_keyring(const unsigned int id)
		const struct cred *cred = current_cred();
		int err = 0;

		if (!init_keyring)
		return 0;

		keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
		KGIDT_INIT(0), cred,
		((KEY_POS_ALL & ~KEY_POS_SETATTR) \|

+5 −3

Original line number	Diff line number	Diff line
		@@ -478,15 +478,17 @@ static int __init init_evm(void)

		evm_init_config();

		error = integrity_init_keyring(INTEGRITY_KEYRING_EVM);
		if (error)
		return error;

		error = evm_init_secfs();
		if (error < 0) {
		pr_info("Error registering secfs\n");
		goto err;
		return error;
		}

		return 0;
		err:
		return error;
		}

		/*

+4 −1

Original line number	Diff line number	Diff line
		@@ -123,14 +123,17 @@ config IMA_APPRAISE
		If unsure, say N.

		config IMA_TRUSTED_KEYRING
		bool "Require all keys on the .ima keyring be signed"
		bool "Require all keys on the .ima keyring be signed (deprecated)"
		depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
		depends on INTEGRITY_ASYMMETRIC_KEYS
		select INTEGRITY_TRUSTED_KEYRING
		default y
		help
		This option requires that all keys added to the .ima
		keyring be signed by a key on the system trusted keyring.

		This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING

		config IMA_LOAD_X509
		bool "Load X509 certificate onto the '.ima' trusted keyring"
		depends on IMA_TRUSTED_KEYRING

+0 −12

Original line number	Diff line number	Diff line
		@@ -251,16 +251,4 @@ static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
		return -EINVAL;
		}
		#endif /* CONFIG_IMA_LSM_RULES */

		#ifdef CONFIG_IMA_TRUSTED_KEYRING
		static inline int ima_init_keyring(const unsigned int id)
		{
		return integrity_init_keyring(id);
		}
		#else
		static inline int ima_init_keyring(const unsigned int id)
		{
		return 0;
		}
		#endif /* CONFIG_IMA_TRUSTED_KEYRING */
		#endif