[PATCHv3 2/6] evm: load x509 certificate from the kernel

Dmitry Kasatkin Thu, 22 Oct 2015 11:51:16 -0700

This patch defines configuration option and the evm_load_x509() hook
to load X509 certificate into the EVM trusted kernel keyring.


Changes in v4:
* Patch description updated

Changes in v3:
* Removed EVM_X509_PATH definition. CONFIG_EVM_X509_PATH is used
  directly.

Changes in v2:
* default key patch changed to /etc/keys

Signed-off-by: Dmitry Kasatkin <dmitry.kasat...@huawei.com>
---
 security/integrity/evm/Kconfig    | 17 +++++++++++++++++
 security/integrity/evm/evm_main.c |  7 +++++++
 security/integrity/iint.c         |  1 +
 security/integrity/integrity.h    |  8 ++++++++
 4 files changed, 33 insertions(+)

diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index bf19723..b1433e9 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -42,3 +42,20 @@ config EVM_EXTRA_SMACK_XATTRS
          additional info to the calculation, requires existing EVM
          labeled file systems to be relabeled.
 
+config EVM_LOAD_X509
+       bool "Load X509 certificate to the '.evm' trusted keyring"
+       depends on INTEGRITY_TRUSTED_KEYRING
+       default n
+       help
+          Load X509 certificate to the '.evm' trusted keyring.
+
+          This option enables X509 certificate loading from the kernel
+          to the '.evm' trusted keyring. Public key can be used to
+          verify EVM integrity starting from 'init' process.
+
+config EVM_X509_PATH
+       string "EVM X509 certificate path"
+       depends on EVM_LOAD_X509
+       default "/etc/keys/x509_evm.der"
+       help
+          This option defines X509 certificate path.
diff --git a/security/integrity/evm/evm_main.c 
b/security/integrity/evm/evm_main.c
index 75b7e30..519de0a 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -472,6 +472,13 @@ out:
 }
 EXPORT_SYMBOL_GPL(evm_inode_init_security);
 
+#ifdef CONFIG_EVM_LOAD_X509
+void __init evm_load_x509(void)
+{
+       integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
+}
+#endif
+
 static int __init init_evm(void)
 {
        int error;
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 3d2f5b4..2de9c82 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -254,4 +254,5 @@ out:
 void __init integrity_load_keys(void)
 {
        ima_load_x509();
+       evm_load_x509();
 }
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 07726a7..5efe2ec 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -170,6 +170,14 @@ static inline void ima_load_x509(void)
 }
 #endif
 
+#ifdef CONFIG_EVM_LOAD_X509
+void __init evm_load_x509(void);
+#else
+static inline void evm_load_x509(void)
+{
+}
+#endif
+
 #ifdef CONFIG_INTEGRITY_AUDIT
 /* declarations */
 void integrity_audit_msg(int audit_msgno, struct inode *inode,
-- 
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCHv3 2/6] evm: load x509 certificate from the kernel

Reply via email to