[PATCHv3 2/6] evm: load x509 certificate from the kernel

From: Dmitry Kasatkin
Date: Thu Oct 22 2015 - 14:50:43 EST

Next message: Dmitry Kasatkin: "[PATCHv3 5/6] evm: define EVM key max and min sizes"
Previous message: Dmitry Kasatkin: "[PATCHv3 6/6] evm: reset EVM status when file attributes changes"
In reply to: Dmitry Kasatkin: "[PATCHv3 6/6] evm: reset EVM status when file attributes changes"
Next in thread: Dmitry Kasatkin: "[PATCHv3 5/6] evm: define EVM key max and min sizes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This patch defines configuration option and the evm_load_x509() hook
to load X509 certificate into the EVM trusted kernel keyring.

Changes in v4:
* Patch description updated

Changes in v3:
* Removed EVM_X509_PATH definition. CONFIG_EVM_X509_PATH is used
directly.

Changes in v2:
* default key patch changed to /etc/keys

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxxx>
---
security/integrity/evm/Kconfig | 17 +++++++++++++++++
security/integrity/evm/evm_main.c | 7 +++++++
security/integrity/iint.c | 1 +
security/integrity/integrity.h | 8 ++++++++
4 files changed, 33 insertions(+)

diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index bf19723..b1433e9 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -42,3 +42,20 @@ config EVM_EXTRA_SMACK_XATTRS
additional info to the calculation, requires existing EVM
labeled file systems to be relabeled.

+config EVM_LOAD_X509
+ bool "Load X509 certificate to the '.evm' trusted keyring"
+ depends on INTEGRITY_TRUSTED_KEYRING
+ default n
+ help
+ Load X509 certificate to the '.evm' trusted keyring.
+
+ This option enables X509 certificate loading from the kernel
+ to the '.evm' trusted keyring. Public key can be used to
+ verify EVM integrity starting from 'init' process.
+
+config EVM_X509_PATH
+ string "EVM X509 certificate path"
+ depends on EVM_LOAD_X509
+ default "/etc/keys/x509_evm.der"
+ help
+ This option defines X509 certificate path.
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 75b7e30..519de0a 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -472,6 +472,13 @@ out:
}
EXPORT_SYMBOL_GPL(evm_inode_init_security);

+#ifdef CONFIG_EVM_LOAD_X509
+void __init evm_load_x509(void)
+{
+ integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
+}
+#endif
+
static int __init init_evm(void)
{
int error;
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 3d2f5b4..2de9c82 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -254,4 +254,5 @@ out:
void __init integrity_load_keys(void)
{
ima_load_x509();
+ evm_load_x509();
}
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 07726a7..5efe2ec 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -170,6 +170,14 @@ static inline void ima_load_x509(void)
}
#endif

+#ifdef CONFIG_EVM_LOAD_X509
+void __init evm_load_x509(void);
+#else
+static inline void evm_load_x509(void)
+{
+}
+#endif
+
#ifdef CONFIG_INTEGRITY_AUDIT
/* declarations */
void integrity_audit_msg(int audit_msgno, struct inode *inode,
--
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dmitry Kasatkin: "[PATCHv3 5/6] evm: define EVM key max and min sizes"
Previous message: Dmitry Kasatkin: "[PATCHv3 6/6] evm: reset EVM status when file attributes changes"
In reply to: Dmitry Kasatkin: "[PATCHv3 6/6] evm: reset EVM status when file attributes changes"
Next in thread: Dmitry Kasatkin: "[PATCHv3 5/6] evm: define EVM key max and min sizes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]