dracut/0553-98integrity-support-loading-x509-into-the-trusted-bu.patch

From 266d28ad09755c1c7016891f356bb75a9861f77c Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Wed, 24 Jan 2018 16:58:15 +0100
Subject: [PATCH 1/2] 98integrity: support loading x509 into the
 trusted/builtin .evm keyring

This implements logic analogous to the one already implemented in
ima-keys-load.sh, only for the .evm/_evm keyrings.

If the kernel was built with CONFIG_IMA_TRUSTED_KEYRING then the kernel
initially creates and configures .ima and .evm keyrings. These keyrings
only accept x509 certificates that have been signed by a local CA which
belongs to the kernel builtin trusted keyring.

Thus if such a keyring is already present then additional evm keys
should be loaded into them. If this is not the case then the _evm
keyring needs to be created in userspace and keys will be loaded into
it instead.

Before this change dracut always created the _evm keyring and loaded
keys into it without considering an existing .evm keyring. In case of
CONFIG_IMA_TRUSTED_KEYRING being enabled, the _evm keyring will not be
used by the kernel, however, and EVM digital signatures will not work as
expected.
---
 modules.d/98integrity/evm-enable.sh | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
index ec4f03bc..a3ba59fd 100755
--- a/modules.d/98integrity/evm-enable.sh
+++ b/modules.d/98integrity/evm-enable.sh
@@ -76,8 +76,21 @@ load_evm_x509()
         return 1
     fi
 
+    local evm_pubid
+    local line=$(keyctl describe %keyring:.evm)
+    if [ $? -eq 0 ]; then
+        # the kernel already setup a trusted .evm keyring so use that one
+        evm_pubid=${line%%:*}
+    else
+        # look for an existing regular keyring
+        evm_pubid=`keyctl search @u keyring _evm`
+        if [ -z "${evm_pubid}" ]; then
+            # create a new regular _evm keyring
+            evm_pubid=`keyctl newring _evm @u`
+        fi
+    fi
+
     # load the EVM public key onto the EVM keyring
-    evm_pubid=`keyctl newring _evm @u`
     EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid})
     [ $? -eq 0 ] || {
 	info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}";
-- 
2.13.6
Accepting request 569449 from home:dmolkentin:branches:Base:System - support validating the IMA policy file signature, needed since Kernel 4.7 * Adds 0552-98integrity-support-validating-the-IMA-policy-file-s.patch - IMA: improve support for evm key loading (bsc#1077359, fate#323906) - FIPS: Adjust dependencies to work for cryptsetup 2.0 (bsc#1077070) - Added a few more patch annotations OBS-URL: https://build.opensuse.org/request/show/569449 OBS-URL: https://build.opensuse.org/package/show/Base:System/dracut?expand=0&rev=334 2018-01-25 09:33:05 +00:00			`From 266d28ad09755c1c7016891f356bb75a9861f77c Mon Sep 17 00:00:00 2001`
			`From: Matthias Gerstner <matthias.gerstner@suse.de>`
			`Date: Wed, 24 Jan 2018 16:58:15 +0100`
			`Subject: [PATCH 1/2] 98integrity: support loading x509 into the`
			`trusted/builtin .evm keyring`

			`This implements logic analogous to the one already implemented in`
			`ima-keys-load.sh, only for the .evm/_evm keyrings.`

			`If the kernel was built with CONFIG_IMA_TRUSTED_KEYRING then the kernel`
			`initially creates and configures .ima and .evm keyrings. These keyrings`
			`only accept x509 certificates that have been signed by a local CA which`
			`belongs to the kernel builtin trusted keyring.`

			`Thus if such a keyring is already present then additional evm keys`
			`should be loaded into them. If this is not the case then the _evm`
			`keyring needs to be created in userspace and keys will be loaded into`
			`it instead.`

			`Before this change dracut always created the _evm keyring and loaded`
			`keys into it without considering an existing .evm keyring. In case of`
			`CONFIG_IMA_TRUSTED_KEYRING being enabled, the _evm keyring will not be`
			`used by the kernel, however, and EVM digital signatures will not work as`
			`expected.`
			`---`
			`modules.d/98integrity/evm-enable.sh \| 15 ++++++++++++++-`
			`1 file changed, 14 insertions(+), 1 deletion(-)`

			`diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh`
			`index ec4f03bc..a3ba59fd 100755`
			`--- a/modules.d/98integrity/evm-enable.sh`
			`+++ b/modules.d/98integrity/evm-enable.sh`
			`@@ -76,8 +76,21 @@ load_evm_x509()`
			`return 1`
			`fi`

			`+ local evm_pubid`
			`+ local line=$(keyctl describe %keyring:.evm)`
			`+ if [ $? -eq 0 ]; then`
			`+ # the kernel already setup a trusted .evm keyring so use that one`
			`+ evm_pubid=${line%%:*}`
			`+ else`
			`+ # look for an existing regular keyring`
			+ evm_pubid=`keyctl search @u keyring _evm`
			`+ if [ -z "${evm_pubid}" ]; then`
			`+ # create a new regular _evm keyring`
			+ evm_pubid=`keyctl newring _evm @u`
			`+ fi`
			`+ fi`
			`+`
			`# load the EVM public key onto the EVM keyring`
			- evm_pubid=`keyctl newring _evm @u`
			`EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid})`
			`[ $? -eq 0 ] \|\| {`
			`info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}";`
			`--`
			`2.13.6`