[PATCH 08/20] ima: load x509 certificate from the kernel
From: Dmitry Kasatkin
Date: Wed Apr 23 2014 - 09:38:03 EST
Provide configuration option to load X509 certificate into the
_ima kernel keyring.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@xxxxxxxxxxx>
---
security/integrity/ima/Kconfig | 9 +++++++++
security/integrity/ima/ima_init.c | 1 +
2 files changed, 10 insertions(+)
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index be11c01..5474c47 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -131,3 +131,12 @@ config IMA_TRUSTED_KEYRING
help
This option requires that all keys added to the _ima
keyring be signed by a key on the system trusted keyring.
+
+config IMA_LOAD_X509
+ bool "Load X509 certificate to the '_ima' trusted keyring"
+ depends on IMA_TRUSTED_KEYRING
+ select INTEGRITY_LOAD_X509
+ default n
+ help
+ This option enables X509 certificate loading from the kernel
+ to the '_ima' trusted keyring.
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 515c1a2..c13d6a8 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -108,6 +108,7 @@ int __init ima_init(void)
ima_add_boot_aggregate(); /* boot aggregate must be first entry */
ima_init_policy();
integrity_init_keyring(INTEGRITY_KEYRING_IMA);
+ integrity_load_x509(INTEGRITY_KEYRING_IMA, "/etc/keys/x509_ima.der");
return ima_fs_init();
}
--
1.8.3.2
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/