dracut/0554-98integrity-support-X.509-only-EVM-configuration.patch

From 16d52f692c2add82f54f712a7fc60885536dc39a Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Wed, 24 Jan 2018 17:19:03 +0100
Subject: [PATCH 2/2] 98integrity: support X.509-only EVM configuration

Previously if no symmetric key was configured for EVM, then the
initialization process was aborted. It can be a valid use case, however,
to only use EVM digital signatures. In this case only X.509 certificates
need to be loaded.

With this change EVM initialization will continue if any of the
symmetric or X.509 keys could be loaded.
---
 modules.d/98integrity/evm-enable.sh | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
index a3ba59fd..5a92b598 100755
--- a/modules.d/98integrity/evm-enable.sh
+++ b/modules.d/98integrity/evm-enable.sh
@@ -125,11 +125,18 @@ enable_evm()
         return 0
     fi
 
-    # load the EVM encrypted key
-    load_evm_key || return 1
+    local evm_configured
+
+    # try to load the EVM encrypted key
+    load_evm_key && evm_configured=1
+
+    # try to load the EVM public key
+    load_evm_x509 && evm_configured=1
 
-    # load the EVM public key, if it exists
-    load_evm_x509
+    # only enable EVM if a key or x509 certificate could be loaded
+    if [ -z "$evm_configured" ]; then
+        return 1
+    fi
 
     # initialize EVM
     info "Enabling EVM"
-- 
2.13.6