evm: enable EVM when X509 certificate is loaded
authorDmitry Kasatkin <dmitry.kasatkin@huawei.com>
Thu, 22 Oct 2015 18:26:26 +0000 (21:26 +0300)
committerMimi Zohar <zohar@linux.vnet.ibm.com>
Tue, 15 Dec 2015 13:50:48 +0000 (08:50 -0500)
In order to enable EVM before starting the 'init' process,
evm_initialized needs to be non-zero.  Previously non-zero indicated
that the HMAC key was loaded.  When EVM loads the X509 before calling
'init', with this patch it is now possible to enable EVM to start
signature based verification.

This patch defines bits to enable EVM if a key of any type is loaded.

Changes in v3:
* print error message if key is not set

Changes in v2:
* EVM_STATE_KEY_SET replaced by EVM_INIT_HMAC
* EVM_STATE_X509_SET replaced by EVM_INIT_X509

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
security/integrity/evm/evm.h
security/integrity/evm/evm_crypto.c
security/integrity/evm/evm_main.c
security/integrity/evm/evm_secfs.c

index 88bfe77efa1cf10ccdcb5bb50e6e949f05f017bf..f5f12727771a0aba01442d7c242f95464658abce 100644 (file)
@@ -21,6 +21,9 @@
 
 #include "../integrity.h"
 
+#define EVM_INIT_HMAC  0x0001
+#define EVM_INIT_X509  0x0002
+
 extern int evm_initialized;
 extern char *evm_hmac;
 extern char *evm_hash;
index 461f8d89157948510fda91e3286eab12d2e456ab..2c3591eca98937d205ae191439d803cc6c126006 100644 (file)
@@ -40,6 +40,10 @@ static struct shash_desc *init_desc(char type)
        struct shash_desc *desc;
 
        if (type == EVM_XATTR_HMAC) {
+               if (!(evm_initialized & EVM_INIT_HMAC)) {
+                       pr_err("HMAC key is not set\n");
+                       return ERR_PTR(-ENOKEY);
+               }
                tfm = &hmac_tfm;
                algo = evm_hmac;
        } else {
index 519de0a0ba7252918b3b3f9887cb82447055e8e2..420d94da2793e3d9748a2ac1f137de63a2963822 100644 (file)
@@ -475,7 +475,11 @@ EXPORT_SYMBOL_GPL(evm_inode_init_security);
 #ifdef CONFIG_EVM_LOAD_X509
 void __init evm_load_x509(void)
 {
-       integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
+       int rc;
+
+       rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
+       if (!rc)
+               evm_initialized |= EVM_INIT_X509;
 }
 #endif
 
index cf12a04717d32d8ab8e90d94c0aa39cc282abc3a..3f775dfea868505df5e4a386cda45b59b8411c39 100644 (file)
@@ -64,7 +64,7 @@ static ssize_t evm_write_key(struct file *file, const char __user *buf,
        char temp[80];
        int i, error;
 
-       if (!capable(CAP_SYS_ADMIN) || evm_initialized)
+       if (!capable(CAP_SYS_ADMIN) || (evm_initialized & EVM_INIT_HMAC))
                return -EPERM;
 
        if (count >= sizeof(temp) || count == 0)
@@ -80,7 +80,7 @@ static ssize_t evm_write_key(struct file *file, const char __user *buf,
 
        error = evm_init_key();
        if (!error) {
-               evm_initialized = 1;
+               evm_initialized |= EVM_INIT_HMAC;
                pr_info("initialized\n");
        } else
                pr_err("initialization failed\n");