dracut: added new module integrity

This module initializes the EVM software and allows loading a custom IMA
policy.

Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Acked-by: Gianluca Ramunno <ramunno@polito.it>
Roberto Sassu 2011-07-08 14:11:01 +02:00 committed by Harald Hoyer
parent e1ed2a207b
commit 0c71fb672f
5 changed files with 195 additions and 0 deletions


@ -718,6 +718,12 @@ rd.znet=ctc,0.0.0600,0.0.0601,0.0.0602,protocol=bar</programlisting></para>
<para>Set the type of the kernel master key. e.g.: <programlisting>masterkeytype=trusted</programlisting></para>
</listitem>
</varlistentry>
<varlistentry>
<term><envar>evmkey=</envar><replaceable>&lt;EVM key path name&gt;</replaceable></term>
<listitem>
<para>Set the path name of the EVM key. e.g.: <programlisting>evmkey=/etc/keys/evm-trusted.blob</programlisting></para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
<refsect2>


@ -0,0 +1,40 @@
# Directions for creating the encrypted key that will be used to initialize
# the EVM software.

# Create the EVM key (encrypted key type)
#
# The encrypted key is a random number encrypted/decrypted using the
# kernel master key. The encrypted key is only exposed to userspace
# as an encrypted datablob.
$ keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u
782117972

# Save the encrypted key
$ su -c 'keyctl pipe `keyctl search @u encrypted evm_key` > /etc/keys/evm-trusted.blob'

# The EVM key path name can be set in one of the following ways (specified in
# the order in which the variable is overwritten):

1) use the default value:
--------------------------------------------------------------------------
EVMKEY="/etc/keys/evm-trusted.blob"
--------------------------------------------------------------------------

2) create the configuration file '/etc/sysconfig/evm' and set the EVMKEY variable;

3) specify the EVM key path name in the 'evmkey=' parameter of the kernel command
line.


# Directions for loading a custom IMA policy.

# Write the policy following the instructions provided in the file
# 'Documentation/ABI/testing/ima_policy' of the kernel documentation.

# Save the policy in a file.

# Create the configuration file '/etc/sysconfig/ima' to override the path name of
# the IMA custom policy.
------------- '/etc/sysconfig/ima' (with the default value) -------------
IMAPOLICY="/etc/sysconfig/ima-policy"
-------------------------------------------------------------------------


@ -0,0 +1,91 @@
#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh

# Licensed under the GPLv2
#
# Copyright (C) 2011 Politecnico di Torino, Italy
# TORSEC group -- http://security.polito.it
# Roberto Sassu <roberto.sassu@polito.it>

EVMSECFILE="${SECURITYFSDIR}/evm"
EVMCONFIG="${NEWROOT}/etc/sysconfig/evm"
EVMKEYDESC="evm-key"
EVMKEYTYPE="encrypted"
EVMKEYID=""

load_evm_key()
{
# read the configuration from the config file
[ -f "${EVMCONFIG}" ] && \
. ${EVMCONFIG}

# override the EVM key path name from the 'evmkey=' parameter in the kernel
# command line
EVMKEYARG=$(getarg evmkey=)
[ $? -eq 0 ] && \
EVMKEY=${EVMKEYARG}

# set the default value
[ -z "${EVMKEY}" ] && \
EVMKEY="/etc/keys/evm-trusted.blob";

# set the EVM key path name
EVMKEYPATH="${NEWROOT}${EVMKEY}"

# check for EVM encrypted key's existence
if [ ! -f "${EVMKEYPATH}" ]; then
if [ "${RD_DEBUG}" = "yes" ]; then
info "integrity: EVM encrypted key file not found: ${EVMKEYPATH}"
fi
return 1
fi

# read the EVM encrypted key blob
KEYBLOB=$(cat ${EVMKEYPATH})

# load the EVM encrypted key
EVMKEYID=$(keyctl add ${EVMKEYTYPE} ${EVMKEYDESC} "load ${KEYBLOB}" @u)
[ $? -eq 0 ] || {
info "integrity: failed to load the EVM encrypted key: ${EVMKEYDESC}";
return 1;
}

return 0
}

unload_evm_key()
{
# unlink the EVM encrypted key
keyctl unlink ${EVMKEYID} @u || {
info "integrity: failed to unlink the EVM encrypted key: ${EVMKEYDESC}";
return 1;
}

return 0
}

enable_evm()
{
# check kernel support for EVM
if [ ! -e "${EVMSECFILE}" ]; then
if [ "${RD_DEBUG}" = "yes" ]; then
info "integrity: EVM kernel support is disabled"
fi
return 0
fi

# load the EVM encrypted key
load_evm_key || return 1

# initialize EVM
info "Enabling EVM"
echo 1 > ${EVMSECFILE}

# unload the EVM encrypted key
unload_evm_key || return 1

return 0
}

enable_evm
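Review bot: The write that actually turns EVM on, `echo 1 > ${EVMSECFILE}` in enable_evm, is not checked: if the kernel rejects it (for example because it cannot find the key just added to the session keyring), the script has already logged "Enabling EVM", goes on to unlink the key and returns 0, so boot proceeds with EVM believed to be active. I would change it to `echo 1 > "${EVMSECFILE}" || { info "integrity: failed to enable EVM"; unload_evm_key; return 1; }` and quote the remaining expansions (`. "${EVMCONFIG}"`, `cat "${EVMKEYPATH}"`, `keyctl unlink "${EVMKEYID}" @u`). Note also that `. ${EVMCONFIG}` executes a shell fragment read from the not-yet-protected root filesystem inside the initramfs; extracting only the `EVMKEY=` assignment from that file (e.g. with `sed -n 's/^EVMKEY=//p'`) would limit what it can do, and the same applies to `. ${IMACONFIG}` in ima-policy-load.sh. Separately, the README in this commit saves the key with `keyctl search @u encrypted evm_key` while EVMKEYDESC here is `evm-key`, so the documented save step will not find the key the documented add step created.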


@ -0,0 +1,41 @@
#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh

# Licensed under the GPLv2
#
# Copyright (C) 2011 Politecnico di Torino, Italy
# TORSEC group -- http://security.polito.it
# Roberto Sassu <roberto.sassu@polito.it>

IMASECDIR="${SECURITYFSDIR}/ima"
IMACONFIG="${NEWROOT}/etc/sysconfig/ima"
IMAPOLICY="/etc/sysconfig/ima-policy"

load_ima_policy()
{
# check kernel support for IMA
if [ ! -e "${IMASECDIR}" ]; then
if [ "${RD_DEBUG}" = "yes" ]; then
info "integrity: IMA kernel support is disabled"
fi
return 0
fi

# override the default configuration
[ -f "${IMACONFIG}" ] && \
. ${IMACONFIG}

# set the IMA policy path name
IMAPOLICYPATH="${NEWROOT}${IMAPOLICY}"

# check the existence of the IMA policy file
[ -f "${IMAPOLICYPATH}" ] && {
info "Loading the provided IMA custom policy";
cat ${IMAPOLICYPATH} > ${IMASECDIR}/policy;
}

return 0
}

load_ima_policy
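Review bot: The policy load in load_ima_policy, `cat ${IMAPOLICYPATH} > ${IMASECDIR}/policy;`, ignores the write status: the kernel rejects a policy containing a malformed rule, yet the script has already logged "Loading the provided IMA custom policy" and returns 0 either way, so an operator gets no indication that the custom policy was not applied and the built-in policy remains in effect. I would write `cat "${IMAPOLICYPATH}" > "${IMASECDIR}/policy" || info "integrity: failed to load the IMA custom policy: ${IMAPOLICYPATH}"`, which also quotes the two expansions. Whether boot should continue without the custom policy is a design choice, but it should at least be visible in the log.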


@ -0,0 +1,17 @@
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh

check() {
return 0
}

depends() {
echo masterkey
return 0
}

install() {
inst_hook pre-pivot 61 "$moddir/evm-enable.sh"
inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"
}
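Review bot: install() copies only the two hook scripts, while evm-enable.sh calls `keyctl`; nothing here places that binary in the initramfs, so unless the `masterkey` module named in depends() already installs it, the hook will fail with command-not-found at boot and EVM will silently stay off. If masterkey does not provide it, add `inst keyctl` to install(). The hook numbers 61 and 62 also presume the master key is loaded by an earlier pre-pivot hook; a comment such as `# must run after the masterkey pre-pivot hook` would protect that ordering when hooks are renumbered.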