projects / GitHub / LineageOS / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f4dc377)
evm: load an x509 certificate from the kernel
authorDmitry Kasatkin <dmitry.kasatkin@huawei.com>
Thu, 22 Oct 2015 18:26:21 +0000 (21:26 +0300)
committerMimi Zohar <zohar@linux.vnet.ibm.com>
Tue, 15 Dec 2015 13:31:19 +0000 (08:31 -0500)
This patch defines a configuration option and the evm_load_x509() hook
to load an X509 certificate onto the EVM trusted kernel keyring.

Changes in v4:
* Patch description updated

Changes in v3:
* Removed EVM_X509_PATH definition. CONFIG_EVM_X509_PATH is used
  directly.

Changes in v2:
* default key patch changed to /etc/keys

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
security/integrity/evm/Kconfig patch | blob | blame | history
security/integrity/evm/evm_main.c patch | blob | blame | history
security/integrity/iint.c patch | blob | blame | history
security/integrity/integrity.h patch | blob | blame | history

diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index bf19723cf1178959f82eb9782dd3ee49ea46acaf..913532c5db4fb605babfa7f35509c4113e6e4d88 100644 (file)
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -42,3 +42,20 @@ config EVM_EXTRA_SMACK_XATTRS
          additional info to the calculation, requires existing EVM
          labeled file systems to be relabeled.
 
+config EVM_LOAD_X509
+       bool "Load an X509 certificate onto the '.evm' trusted keyring"
+       depends on INTEGRITY_TRUSTED_KEYRING
+       default n
+       help
+          Load an X509 certificate onto the '.evm' trusted keyring.
+
+          This option enables X509 certificate loading from the kernel
+          onto the '.evm' trusted keyring.  A public key can be used to
+          verify EVM integrity starting from the 'init' process.
+
+config EVM_X509_PATH
+       string "EVM X509 certificate path"
+       depends on EVM_LOAD_X509
+       default "/etc/keys/x509_evm.der"
+       help
+          This option defines X509 certificate path.
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 75b7e3031d2a6de77ae58e47da5fb3c996470c8e..519de0a0ba7252918b3b3f9887cb82447055e8e2 100644 (file)
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -472,6 +472,13 @@ out:
 }
 EXPORT_SYMBOL_GPL(evm_inode_init_security);
 
+#ifdef CONFIG_EVM_LOAD_X509
+void __init evm_load_x509(void)
+{
+       integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
+}
+#endif
+
 static int __init init_evm(void)
 {
        int error;
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 3d2f5b45c8cbeb0b376749adab00985b7a636f6f..2de9c820903f1fe2497da5ac997ad3e6ad00981c 100644 (file)
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -254,4 +254,5 @@ out:
 void __init integrity_load_keys(void)
 {
        ima_load_x509();
+       evm_load_x509();
 }
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 07726a731727de59ad26d0fc0ddf3def032a4177..5efe2ecc538d327818e48ec7c865bb03bc63322f 100644 (file)
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -170,6 +170,14 @@ static inline void ima_load_x509(void)
 }
 #endif
 
+#ifdef CONFIG_EVM_LOAD_X509
+void __init evm_load_x509(void);
+#else
+static inline void evm_load_x509(void)
+{
+}
+#endif
+
 #ifdef CONFIG_INTEGRITY_AUDIT
 /* declarations */
 void integrity_audit_msg(int audit_msgno, struct inode *inode,