dracut/modules.d/98integrity/evm-enable.sh

#!/bin/sh

# Licensed under the GPLv2
#
# Copyright (C) 2011 Politecnico di Torino, Italy
#                    TORSEC group -- http://security.polito.it
# Roberto Sassu <roberto.sassu@polito.it>

EVMSECFILE="${SECURITYFSDIR}/evm"
EVMCONFIG="${NEWROOT}/etc/sysconfig/evm"
EVMKEYDESC="evm-key"
EVMKEYTYPE="encrypted"
EVMKEYID=""

load_evm_key()
{
    # read the configuration from the config file
    [ -f "${EVMCONFIG}" ] && \
        . ${EVMCONFIG}

    # override the EVM key path name from the 'evmkey=' parameter in the kernel
    # command line
    EVMKEYARG=$(getarg evmkey=)
    [ $? -eq 0 ] && \
        EVMKEY=${EVMKEYARG}

    # set the default value
    [ -z "${EVMKEY}" ] && \
        EVMKEY="/etc/keys/evm-trusted.blob";

    # set the EVM key path name
    EVMKEYPATH="${NEWROOT}${EVMKEY}"

    # check for EVM encrypted key's existence
    if [ ! -f "${EVMKEYPATH}" ]; then
        if [ "${RD_DEBUG}" = "yes" ]; then
            info "integrity: EVM encrypted key file not found: ${EVMKEYPATH}"
        fi
        return 1
    fi

    # read the EVM encrypted key blob
    KEYBLOB=$(cat ${EVMKEYPATH})

    # load the EVM encrypted key
    EVMKEYID=$(keyctl add ${EVMKEYTYPE} ${EVMKEYDESC} "load ${KEYBLOB}" @u)
    [ $? -eq 0 ] || {
        info "integrity: failed to load the EVM encrypted key: ${EVMKEYDESC}";
        return 1;
    }
    return 0
}

load_evm_x509()
{
    info "Load EVM IMA X509"

    # override the EVM key path name from the 'evmx509=' parameter in
    # the kernel command line
    EVMX509ARG=$(getarg evmx509=)
    [ $? -eq 0 ] && \
        EVMX509=${EVMX509ARG}

    # set the default value
    [ -z "${EVMX509}" ] && \
        EVMX509="/etc/keys/x509_evm.der";

    # set the EVM public key path name
    EVMX509PATH="${NEWROOT}${EVMX509}"

    # check for EVM public key's existence
    if [ ! -f "${EVMX509PATH}" ]; then
        if [ "${RD_DEBUG}" = "yes" ]; then
            info "integrity: EVM x509 cert file not found: ${EVMX509PATH}"
        fi
        return 1
    fi

    local evm_pubid line
    line=$(keyctl describe %keyring:.evm)
    if [ $? -eq 0 ]; then
        # the kernel already setup a trusted .evm keyring so use that one
        evm_pubid=${line%%:*}
    else
        # look for an existing regular keyring
        evm_pubid=`keyctl search @u keyring _evm`
        if [ -z "${evm_pubid}" ]; then
            # create a new regular _evm keyring
            evm_pubid=`keyctl newring _evm @u`
        fi
    fi

    # load the EVM public key onto the EVM keyring
    EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid})
    [ $? -eq 0 ] || {
        info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}";
        return 1;
    }

    if [ "${RD_DEBUG}" = "yes" ]; then
        keyctl show @u
    fi

    return 0
}

unload_evm_key()
{
    # unlink the EVM encrypted key
    keyctl unlink ${EVMKEYID} @u || {
        info "integrity: failed to unlink the EVM encrypted key: ${EVMKEYDESC}";
        return 1;
    }

    return 0
}

enable_evm()
{
    # check kernel support for EVM
    if [ ! -e "${EVMSECFILE}" ]; then
        if [ "${RD_DEBUG}" = "yes" ]; then
            info "integrity: EVM kernel support is disabled"
        fi
        return 0
    fi

    local evm_configured

    # try to load the EVM encrypted key
    load_evm_key && evm_configured=1

    # try to load the EVM public key
    load_evm_x509 && evm_configured=1

    # only enable EVM if a key or x509 certificate could be loaded
    if [ -z "$evm_configured" ]; then
        return 1
    fi

    # initialize EVM
    info "Enabling EVM"
    echo 1 > ${EVMSECFILE}

    # unload the EVM encrypted key
    unload_evm_key || return 1

    return 0
}

enable_evm
dracut: added new module integrity This module initializes the EVM software and permits to load a custom IMA policy. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> 14 years ago			`#!/bin/sh`

			`# Licensed under the GPLv2`
			`#`
			`# Copyright (C) 2011 Politecnico di Torino, Italy`
			`# TORSEC group -- http://security.polito.it`
			`# Roberto Sassu <roberto.sassu@polito.it>`

			`EVMSECFILE="${SECURITYFSDIR}/evm"`
			`EVMCONFIG="${NEWROOT}/etc/sysconfig/evm"`
			`EVMKEYDESC="evm-key"`
			`EVMKEYTYPE="encrypted"`
			`EVMKEYID=""`

			`load_evm_key()`
			`{`
			`# read the configuration from the config file`
			`[ -f "${EVMCONFIG}" ] && \`
			`. ${EVMCONFIG}`

			`# override the EVM key path name from the 'evmkey=' parameter in the kernel`
			`# command line`
			`EVMKEYARG=$(getarg evmkey=)`
			`[ $? -eq 0 ] && \`
			`EVMKEY=${EVMKEYARG}`

			`# set the default value`
			`[ -z "${EVMKEY}" ] && \`
			`EVMKEY="/etc/keys/evm-trusted.blob";`

			`# set the EVM key path name`
			`EVMKEYPATH="${NEWROOT}${EVMKEY}"`

			`# check for EVM encrypted key's existence`
			`if [ ! -f "${EVMKEYPATH}" ]; then`
			`if [ "${RD_DEBUG}" = "yes" ]; then`
			`info "integrity: EVM encrypted key file not found: ${EVMKEYPATH}"`
			`fi`
			`return 1`
			`fi`

			`# read the EVM encrypted key blob`
			`KEYBLOB=$(cat ${EVMKEYPATH})`

			`# load the EVM encrypted key`
			`EVMKEYID=$(keyctl add ${EVMKEYTYPE} ${EVMKEYDESC} "load ${KEYBLOB}" @u)`
			`[ $? -eq 0 ] \|\| {`
			`info "integrity: failed to load the EVM encrypted key: ${EVMKEYDESC}";`
			`return 1;`
			`}`
Extend evm-enable.sh to load the EVM public key Create the _evm keyring and load the EVM public key on it. 10 years ago			`return 0`
			`}`

			`load_evm_x509()`
			`{`
			`info "Load EVM IMA X509"`

			`# override the EVM key path name from the 'evmx509=' parameter in`
			`# the kernel command line`
			`EVMX509ARG=$(getarg evmx509=)`
			`[ $? -eq 0 ] && \`
			`EVMX509=${EVMX509ARG}`

			`# set the default value`
			`[ -z "${EVMX509}" ] && \`
			`EVMX509="/etc/keys/x509_evm.der";`

			`# set the EVM public key path name`
			`EVMX509PATH="${NEWROOT}${EVMX509}"`

			`# check for EVM public key's existence`
			`if [ ! -f "${EVMX509PATH}" ]; then`
			`if [ "${RD_DEBUG}" = "yes" ]; then`
			`info "integrity: EVM x509 cert file not found: ${EVMX509PATH}"`
98integrity: fix inconsistent whitespace 7 years ago			`fi`
Extend evm-enable.sh to load the EVM public key Create the _evm keyring and load the EVM public key on it. 10 years ago			`return 1`
			`fi`

Fixed issue #420 7 years ago			`local evm_pubid line`
			`line=$(keyctl describe %keyring:.evm)`
98integrity: support loading x509 into the trusted/builtin .evm keyring This implements logic analogous to the one already implemented in ima-keys-load.sh, only for the .evm/_evm keyrings. If the kernel was built with CONFIG_IMA_TRUSTED_KEYRING then the kernel initially creates and configures .ima and .evm keyrings. These keyrings only accept x509 certificates that have been signed by a local CA which belongs to the kernel builtin trusted keyring. Thus if such a keyring is already present then additional evm keys should be loaded into them. If this is not the case then the _evm keyring needs to be created in userspace and keys will be loaded into it instead. Before this change dracut always created the _evm keyring and loaded keys into it without considering an existing .evm keyring. In case of CONFIG_IMA_TRUSTED_KEYRING being enabled, the _evm keyring will not be used by the kernel, however, and EVM digital signatures will not work as expected. 7 years ago			`if [ $? -eq 0 ]; then`
			`# the kernel already setup a trusted .evm keyring so use that one`
			`evm_pubid=${line%%:*}`
			`else`
			`# look for an existing regular keyring`
			evm_pubid=`keyctl search @u keyring _evm`
			`if [ -z "${evm_pubid}" ]; then`
			`# create a new regular _evm keyring`
			evm_pubid=`keyctl newring _evm @u`
			`fi`
			`fi`

Extend evm-enable.sh to load the EVM public key Create the _evm keyring and load the EVM public key on it. 10 years ago			`# load the EVM public key onto the EVM keyring`
			`EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid})`
			`[ $? -eq 0 ] \|\| {`
98integrity: fix inconsistent whitespace 7 years ago			`info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}";`
			`return 1;`
Extend evm-enable.sh to load the EVM public key Create the _evm keyring and load the EVM public key on it. 10 years ago			`}`

			`if [ "${RD_DEBUG}" = "yes" ]; then`
			`keyctl show @u`
			`fi`
dracut: added new module integrity This module initializes the EVM software and permits to load a custom IMA policy. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> 14 years ago
			`return 0`
			`}`

			`unload_evm_key()`
			`{`
			`# unlink the EVM encrypted key`
			`keyctl unlink ${EVMKEYID} @u \|\| {`
			`info "integrity: failed to unlink the EVM encrypted key: ${EVMKEYDESC}";`
			`return 1;`
			`}`

			`return 0`
			`}`

			`enable_evm()`
			`{`
			`# check kernel support for EVM`
			`if [ ! -e "${EVMSECFILE}" ]; then`
			`if [ "${RD_DEBUG}" = "yes" ]; then`
			`info "integrity: EVM kernel support is disabled"`
			`fi`
			`return 0`
			`fi`

98integrity: support X.509-only EVM configuration Previously if no symmetric key was configured for EVM, then the initialization process was aborted. It can be a valid use case, however, to only use EVM digital signatures. In this case only X.509 certificates need to be loaded. With this change EVM initialization will continue if any of the symmetric or X.509 keys could be loaded. 7 years ago			`local evm_configured`

			`# try to load the EVM encrypted key`
			`load_evm_key && evm_configured=1`

			`# try to load the EVM public key`
			`load_evm_x509 && evm_configured=1`
dracut: added new module integrity This module initializes the EVM software and permits to load a custom IMA policy. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> 14 years ago
98integrity: support X.509-only EVM configuration Previously if no symmetric key was configured for EVM, then the initialization process was aborted. It can be a valid use case, however, to only use EVM digital signatures. In this case only X.509 certificates need to be loaded. With this change EVM initialization will continue if any of the symmetric or X.509 keys could be loaded. 7 years ago			`# only enable EVM if a key or x509 certificate could be loaded`
			`if [ -z "$evm_configured" ]; then`
			`return 1`
			`fi`
Extend evm-enable.sh to load the EVM public key Create the _evm keyring and load the EVM public key on it. 10 years ago
dracut: added new module integrity This module initializes the EVM software and permits to load a custom IMA policy. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> 14 years ago			`# initialize EVM`
			`info "Enabling EVM"`
			`echo 1 > ${EVMSECFILE}`

			`# unload the EVM encrypted key`
			`unload_evm_key \|\| return 1`

			`return 0`
			`}`

			`enable_evm`