c6399f9ca8
- support validating the IMA policy file signature, needed since Kernel 4.7 * Adds 0552-98integrity-support-validating-the-IMA-policy-file-s.patch - IMA: improve support for evm key loading (bsc#1077359, fate#323906) - FIPS: Adjust dependencies to work for cryptsetup 2.0 (bsc#1077070) - Added a few more patch annotations OBS-URL: https://build.opensuse.org/request/show/569449 OBS-URL: https://build.opensuse.org/package/show/Base:System/dracut?expand=0&rev=334
59 lines
2.2 KiB
Diff
59 lines
2.2 KiB
Diff
From 266d28ad09755c1c7016891f356bb75a9861f77c Mon Sep 17 00:00:00 2001
|
|
From: Matthias Gerstner <matthias.gerstner@suse.de>
|
|
Date: Wed, 24 Jan 2018 16:58:15 +0100
|
|
Subject: [PATCH 1/2] 98integrity: support loading x509 into the
|
|
trusted/builtin .evm keyring
|
|
|
|
This implements logic analogous to the one already implemented in
|
|
ima-keys-load.sh, only for the .evm/_evm keyrings.
|
|
|
|
If the kernel was built with CONFIG_IMA_TRUSTED_KEYRING then the kernel
|
|
initially creates and configures .ima and .evm keyrings. These keyrings
|
|
only accept x509 certificates that have been signed by a local CA which
|
|
belongs to the kernel builtin trusted keyring.
|
|
|
|
Thus if such a keyring is already present then additional evm keys
|
|
should be loaded into them. If this is not the case then the _evm
|
|
keyring needs to be created in userspace and keys will be loaded into
|
|
it instead.
|
|
|
|
Before this change dracut always created the _evm keyring and loaded
|
|
keys into it without considering an existing .evm keyring. In case of
|
|
CONFIG_IMA_TRUSTED_KEYRING being enabled, the _evm keyring will not be
|
|
used by the kernel, however, and EVM digital signatures will not work as
|
|
expected.
|
|
---
|
|
modules.d/98integrity/evm-enable.sh | 15 ++++++++++++++-
|
|
1 file changed, 14 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
|
|
index ec4f03bc..a3ba59fd 100755
|
|
--- a/modules.d/98integrity/evm-enable.sh
|
|
+++ b/modules.d/98integrity/evm-enable.sh
|
|
@@ -76,8 +76,21 @@ load_evm_x509()
|
|
return 1
|
|
fi
|
|
|
|
+ local evm_pubid
|
|
+ local line=$(keyctl describe %keyring:.evm)
|
|
+ if [ $? -eq 0 ]; then
|
|
+ # the kernel already setup a trusted .evm keyring so use that one
|
|
+ evm_pubid=${line%%:*}
|
|
+ else
|
|
+ # look for an existing regular keyring
|
|
+ evm_pubid=`keyctl search @u keyring _evm`
|
|
+ if [ -z "${evm_pubid}" ]; then
|
|
+ # create a new regular _evm keyring
|
|
+ evm_pubid=`keyctl newring _evm @u`
|
|
+ fi
|
|
+ fi
|
|
+
|
|
# load the EVM public key onto the EVM keyring
|
|
- evm_pubid=`keyctl newring _evm @u`
|
|
EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid})
|
|
[ $? -eq 0 ] || {
|
|
info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}";
|
|
--
|
|
2.13.6
|
|
|