Commit c9cd2ce2 authored by Dmitry Kasatkin's avatar Dmitry Kasatkin Committed by Mimi Zohar

integrity: provide a hook to load keys when rootfs is ready

Keys can only be loaded once the rootfs is mounted. Initcalls
are not suitable for that. This patch defines a special hook
to load the x509 public keys onto the IMA keyring, before
attempting to access any file. The keys are required for
verifying the file's signature. The hook is called after the
root filesystem is mounted and before the kernel calls 'init'.

Changes in v3:
* added more explanation to the patch description (Mimi)

Changes in v2:
* Hook renamed as 'integrity_load_keys()' to handle both IMA and EVM
  keys by integrity subsystem.
* Hook patch moved after the patch defining the loading functions
Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
parent fd5f4e90
...@@ -24,6 +24,7 @@ enum integrity_status { ...@@ -24,6 +24,7 @@ enum integrity_status {
#ifdef CONFIG_INTEGRITY #ifdef CONFIG_INTEGRITY
extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode); extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode);
extern void integrity_inode_free(struct inode *inode); extern void integrity_inode_free(struct inode *inode);
extern void __init integrity_load_keys(void);
#else #else
static inline struct integrity_iint_cache * static inline struct integrity_iint_cache *
...@@ -36,5 +37,10 @@ static inline void integrity_inode_free(struct inode *inode) ...@@ -36,5 +37,10 @@ static inline void integrity_inode_free(struct inode *inode)
{ {
return; return;
} }
static inline void integrity_load_keys(void)
{
}
#endif /* CONFIG_INTEGRITY */ #endif /* CONFIG_INTEGRITY */
#endif /* _LINUX_INTEGRITY_H */ #endif /* _LINUX_INTEGRITY_H */
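Review bot: The new `extern void __init integrity_load_keys(void);` declaration carries no comment, so a reader of the header cannot tell when the hook may be called or that it is `__init`-only and therefore must not be referenced after boot. A one-line comment above the declaration would close that gap: `/* Called once from kernel_init_freeable() after rootfs is mounted; __init context only. */`. The `CONFIG_INTEGRITY`-disabled stub a few lines below is the right shape and needs nothing further.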
...@@ -78,6 +78,7 @@ ...@@ -78,6 +78,7 @@
#include <linux/context_tracking.h> #include <linux/context_tracking.h>
#include <linux/random.h> #include <linux/random.h>
#include <linux/list.h> #include <linux/list.h>
#include <linux/integrity.h>
#include <asm/io.h> #include <asm/io.h>
#include <asm/bugs.h> #include <asm/bugs.h>
...@@ -1026,8 +1027,11 @@ static noinline void __init kernel_init_freeable(void) ...@@ -1026,8 +1027,11 @@ static noinline void __init kernel_init_freeable(void)
* Ok, we have completed the initial bootup, and * Ok, we have completed the initial bootup, and
* we're essentially up and running. Get rid of the * we're essentially up and running. Get rid of the
* initmem segments and start the user-mode stuff.. * initmem segments and start the user-mode stuff..
*
* rootfs is available now, try loading the public keys
* and default modules
*/ */
/* rootfs is available now, try loading default modules */ integrity_load_keys();
load_default_modules(); load_default_modules();
} }
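Review bot: The call `integrity_load_keys();` returns void and is not checked, so a failure to populate the keyring is invisible at this point of kernel_init_freeable() and boot proceeds into `init` regardless; any diagnostics presumably come from the integrity subsystem itself, which this page does not show. A short comment next to the call would make that explicit for whoever next touches the boot sequence: `/* Failure is not fatal here; the integrity code reports it. */`. The placement before `load_default_modules()` looks intentional so that key material is available before those files are read, but the ordering dependency is only implied — stating it in the comment block above (which already mentions both) would help. kernel_init_freeable() starts outside the hunk.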
...@@ -245,3 +245,14 @@ int __init integrity_read_file(const char *path, char **data) ...@@ -245,3 +245,14 @@ int __init integrity_read_file(const char *path, char **data)
fput(file); fput(file);
return rc; return rc;
} }
/*
* integrity_load_keys - load integrity keys hook
*
* Hooks is called from init/main.c:kernel_init_freeable()
* when rootfs is ready
*/
void __init integrity_load_keys(void)
{
ima_load_x509();
}
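Review bot: The comment above `integrity_load_keys()` is written in kernel-doc form (`integrity_load_keys - load integrity keys hook`) but opens with `/*` instead of `/**`, so the documentation tooling will not pick it up; changing the opener to `/**` fixes that, and `Hooks is called` should read `Hook is called`. The commit message says the hook was renamed to cover both IMA and EVM keys, yet the body only calls `ima_load_x509()`; if EVM loading is expected from a follow-up patch, a comment saying so would stop readers from assuming EVM keys are loaded here. This file is built under `CONFIG_INTEGRITY` alone, so `ima_load_x509()` needs a no-op definition when IMA is not configured — presumably one exists in the subsystem's private header, which this page does not show; worth confirming.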