[PATCH 10/20] evm: load x509 certificate from the kernel
From: Dmitry Kasatkin
Date: Wed Apr 23 2014 - 09:51:45 EST
Provide configuration option to load X509 certificate into the
_evm kernel keyring.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@xxxxxxxxxxx>
---
security/integrity/evm/Kconfig | 9 +++++++++
security/integrity/evm/evm_main.c | 1 +
2 files changed, 10 insertions(+)
diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index 3f9098c6..70d12f7 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -51,3 +51,12 @@ config EVM_TRUSTED_KEYRING
help
This option requires that all keys added to the _evm
keyring be signed by a key on the system trusted keyring.
+
+config EVM_LOAD_X509
+ bool "Load X509 certificate to the '_evm' trusted keyring"
+ depends on EVM_TRUSTED_KEYRING
+ select INTEGRITY_LOAD_X509
+ default n
+ help
+ This option enables X509 certificate loading from the kernel
+ to the '_evm' trusted keyring.
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 8a11920..0f1b489 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -448,6 +448,7 @@ static int __init init_evm(void)
evm_init_config();
integrity_init_keyring(INTEGRITY_KEYRING_EVM);
+ integrity_load_x509(INTEGRITY_KEYRING_EVM, "/etc/keys/x509_ima.der");
error = evm_init_secfs();
if (error < 0) {
--
1.8.3.2
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/