File 0553-98integrity-support-loading-x509-into-the-trusted-bu.patch of Package dracut.15766
From 266d28ad09755c1c7016891f356bb75a9861f77c Mon Sep 17 00:00:00 2001 From: Matthias Gerstner <matthias.gerstner@suse.de> Date: Wed, 24 Jan 2018 16:58:15 +0100 Subject: [PATCH 1/2] 98integrity: support loading x509 into the trusted/builtin .evm keyring This implements logic analogous to the one already implemented in ima-keys-load.sh, only for the .evm/_evm keyrings. If the kernel was built with CONFIG_IMA_TRUSTED_KEYRING then the kernel initially creates and configures .ima and .evm keyrings. These keyrings only accept x509 certificates that have been signed by a local CA which belongs to the kernel builtin trusted keyring. Thus if such a keyring is already present then additional evm keys should be loaded into them. If this is not the case then the _evm keyring needs to be created in userspace and keys will be loaded into it instead. Before this change dracut always created the _evm keyring and loaded keys into it without considering an existing .evm keyring. In case of CONFIG_IMA_TRUSTED_KEYRING being enabled, the _evm keyring will not be used by the kernel, however, and EVM digital signatures will not work as expected. --- modules.d/98integrity/evm-enable.sh | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh index ec4f03bc..a3ba59fd 100755 --- a/modules.d/98integrity/evm-enable.sh +++ b/modules.d/98integrity/evm-enable.sh 
@@ -76,8 +76,21 @@ load_evm_x509() return 1 fi + local evm_pubid + local line=$(keyctl describe %keyring:.evm) + if [ $? -eq 0 ]; then + # the kernel already setup a trusted .evm keyring so use that one + evm_pubid=${line%%:*} + else + # look for an existing regular keyring + evm_pubid=`keyctl search @u keyring _evm` + if [ -z "${evm_pubid}" ]; then + # create a new regular _evm keyring + evm_pubid=`keyctl newring _evm @u` + fi + fi + # load the EVM public key onto the EVM keyring - evm_pubid=`keyctl newring _evm @u` EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid}) [ $? -eq 0 ] || { info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}"; -- 2.13.6
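Review bot: the `.evm` detection at the top of the hunk does not work as written: `local line=$(keyctl describe %keyring:.evm)` leaves `$?` holding the exit status of the `local` builtin, not of `keyctl`, so the following `[ $? -eq 0 ]` is always true, the `_evm` fallback branch is never reached, and on a kernel without a trusted `.evm` keyring `line` is empty and `evm_pubid=${line%%:*}` passes an empty keyring id to `evmctl import`. Suggest separating the declaration from the assignment so the test sees keyctl's status, e.g. `local line` followed by `if line=$(keyctl describe %keyring:.evm); then`. Minor style point: the new lines mix `$(...)` with the backtick form kept from the old `keyctl newring _evm @u` call; use `$(...)` consistently in the added code.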