Commit 26ddabfe authored by Dmitry Kasatkin's avatar Dmitry Kasatkin Committed by Mimi Zohar

evm: enable EVM when X509 certificate is loaded

In order to enable EVM before starting the 'init' process,
evm_initialized needs to be non-zero.  Previously non-zero indicated
that the HMAC key was loaded.  When EVM loads the X509 before calling
'init', with this patch it is now possible to enable EVM to start
signature based verification.

This patch defines bits to enable EVM if a key of any type is loaded.

Changes in v3:
* print error message if key is not set

Changes in v2:
* EVM_STATE_KEY_SET replaced by EVM_INIT_HMAC
* EVM_STATE_X509_SET replaced by EVM_INIT_X509
Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@huawei.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
parent 2ce523eb
...@@ -21,6 +21,9 @@ ...@@ -21,6 +21,9 @@
#include "../integrity.h" #include "../integrity.h"
#define EVM_INIT_HMAC 0x0001
#define EVM_INIT_X509 0x0002
extern int evm_initialized; extern int evm_initialized;
extern char *evm_hmac; extern char *evm_hmac;
extern char *evm_hash; extern char *evm_hash;
......
...@@ -40,6 +40,10 @@ static struct shash_desc *init_desc(char type) ...@@ -40,6 +40,10 @@ static struct shash_desc *init_desc(char type)
struct shash_desc *desc; struct shash_desc *desc;
if (type == EVM_XATTR_HMAC) { if (type == EVM_XATTR_HMAC) {
if (!(evm_initialized & EVM_INIT_HMAC)) {
pr_err("HMAC key is not set\n");
return ERR_PTR(-ENOKEY);
}
tfm = &hmac_tfm; tfm = &hmac_tfm;
algo = evm_hmac; algo = evm_hmac;
} else { } else {
......
...@@ -475,7 +475,11 @@ EXPORT_SYMBOL_GPL(evm_inode_init_security); ...@@ -475,7 +475,11 @@ EXPORT_SYMBOL_GPL(evm_inode_init_security);
#ifdef CONFIG_EVM_LOAD_X509 #ifdef CONFIG_EVM_LOAD_X509
void __init evm_load_x509(void) void __init evm_load_x509(void)
{ {
integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH); int rc;
rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
if (!rc)
evm_initialized |= EVM_INIT_X509;
} }
#endif #endif
......
...@@ -64,7 +64,7 @@ static ssize_t evm_write_key(struct file *file, const char __user *buf, ...@@ -64,7 +64,7 @@ static ssize_t evm_write_key(struct file *file, const char __user *buf,
char temp[80]; char temp[80];
int i, error; int i, error;
if (!capable(CAP_SYS_ADMIN) || evm_initialized) if (!capable(CAP_SYS_ADMIN) || (evm_initialized & EVM_INIT_HMAC))
return -EPERM; return -EPERM;
if (count >= sizeof(temp) || count == 0) if (count >= sizeof(temp) || count == 0)
...@@ -80,7 +80,7 @@ static ssize_t evm_write_key(struct file *file, const char __user *buf, ...@@ -80,7 +80,7 @@ static ssize_t evm_write_key(struct file *file, const char __user *buf,
error = evm_init_key(); error = evm_init_key();
if (!error) { if (!error) {
evm_initialized = 1; evm_initialized |= EVM_INIT_HMAC;
pr_info("initialized\n"); pr_info("initialized\n");
} else } else
pr_err("initialization failed\n"); pr_err("initialization failed\n");
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment