提交 2ce523eb 编写于 作者: D Dmitry Kasatkin 提交者: Mimi Zohar

evm: load an x509 certificate from the kernel

This patch defines a configuration option and the evm_load_x509() hook
to load an X509 certificate onto the EVM trusted kernel keyring.

Changes in v4:
* Patch description updated

Changes in v3:
* Removed EVM_X509_PATH definition. CONFIG_EVM_X509_PATH is used
  directly.

Changes in v2:
* default key patch changed to /etc/keys
Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@huawei.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
上级 f4dc3778
......@@ -42,3 +42,20 @@ config EVM_EXTRA_SMACK_XATTRS
additional info to the calculation, requires existing EVM
labeled file systems to be relabeled.
config EVM_LOAD_X509
bool "Load an X509 certificate onto the '.evm' trusted keyring"
depends on INTEGRITY_TRUSTED_KEYRING
default n
help
Load an X509 certificate onto the '.evm' trusted keyring.
This option enables X509 certificate loading from the kernel
onto the '.evm' trusted keyring. A public key can be used to
verify EVM integrity starting from the 'init' process.
config EVM_X509_PATH
string "EVM X509 certificate path"
depends on EVM_LOAD_X509
default "/etc/keys/x509_evm.der"
help
This option defines X509 certificate path.
......@@ -472,6 +472,13 @@ int evm_inode_init_security(struct inode *inode,
}
EXPORT_SYMBOL_GPL(evm_inode_init_security);
#ifdef CONFIG_EVM_LOAD_X509
void __init evm_load_x509(void)
{
integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
}
#endif
static int __init init_evm(void)
{
int error;
......
......@@ -254,4 +254,5 @@ int __init integrity_read_file(const char *path, char **data)
void __init integrity_load_keys(void)
{
ima_load_x509();
evm_load_x509();
}
......@@ -170,6 +170,14 @@ static inline void ima_load_x509(void)
}
#endif
#ifdef CONFIG_EVM_LOAD_X509
void __init evm_load_x509(void);
#else
static inline void evm_load_x509(void)
{
}
#endif
#ifdef CONFIG_INTEGRITY_AUDIT
/* declarations */
void integrity_audit_msg(int audit_msgno, struct inode *inode,
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册