Provide configuration option to load X509 certificate into the _evm kernel keyring.
Signed-off-by: Dmitry Kasatkin <[email protected]> --- security/integrity/evm/Kconfig | 9 +++++++++ security/integrity/evm/evm_main.c | 1 + 2 files changed, 10 insertions(+) diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig index 3f9098c6..70d12f7 100644 --- a/security/integrity/evm/Kconfig +++ b/security/integrity/evm/Kconfig @@ -51,3 +51,12 @@ config EVM_TRUSTED_KEYRING help This option requires that all keys added to the _evm keyring be signed by a key on the system trusted keyring. + +config EVM_LOAD_X509 + bool "Load X509 certificate to the '_evm' trusted keyring" + depends on EVM_TRUSTED_KEYRING + select INTEGRITY_LOAD_X509 + default n + help + This option enables X509 certificate loading from the kernel + to the '_evm' trusted keyring. diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 8a11920..0f1b489 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -448,6 +448,7 @@ static int __init init_evm(void) evm_init_config(); integrity_init_keyring(INTEGRITY_KEYRING_EVM); + integrity_load_x509(INTEGRITY_KEYRING_EVM, "/etc/keys/x509_ima.der"); error = evm_init_secfs(); if (error < 0) { -- 1.8.3.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
