dracut: added new module integrity

This module initializes the EVM software and permits to load a custom IMA
policy.

Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Acked-by: Gianluca Ramunno <ramunno@polito.it>

dracut.kernel.7.xml

@@ -718,6 +718,12 @@ rd.znet=ctc,0.0.0600,0.0.0601,0.0.0602,protocol=bar</programlisting></para>
             <para>Set the type of the kernel master key. e.g.: <programlisting>masterkeytype=trusted</programlisting></para>
           </listitem>
         </varlistentry>
+        <varlistentry>
+          <term><envar>evmkey=</envar><replaceable>&lt;EVM key path name&gt;</replaceable></term>
+          <listitem>
+            <para>Set the path name of the EVM key. e.g.: <programlisting>evmkey=/etc/keys/evm-trusted.blob</programlisting></para>
+          </listitem>
+        </varlistentry>
       </variablelist>
     </refsect2>
     <refsect2>

modules.d/98integrity/README

@@ -0,0 +1,40 @@
+# Directions for creating the encrypted key that will be used to initialize
+# the EVM software.
+
+# Create the EVM key (encrypted key type)
+#
+# The encrypted key is a random number encrypted/decrypted using the
+# kernel master key.  The encrypted key is only exposed to userspace
+# as an encrypted datablob.
+$ keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u
+782117972
+
+# Save the encrypted key
+$ su -c 'keyctl pipe `keyctl search @u encrypted evm_key` > /etc/keys/evm-trusted.blob'
+
+# The EVM key path name can be set in one of the following ways (specified in
+# the order in which the variable is overwritten):
+
+1) use the default value:
+--------------------------------------------------------------------------
+EVMKEY="/etc/keys/evm-trusted.blob"
+--------------------------------------------------------------------------
+
+2) create the configuration file '/etc/sysconfig/evm' and set the EVMKEY variable;
+
+3) specify the EVM key path name in the 'evmkey=' parameter of the kernel command
+line.
+
+
+# Directions for loading a custom IMA policy.
+
+# Write the policy following the instructions provided in the file
+# 'Documentation/ABI/testing/ima_policy' of the kernel documentation.
+
+# Save the policy in a file.
+
+# Create the configuration file '/etc/sysconfig/ima' to override the path name of
+# the IMA custom policy.
+------------- '/etc/sysconfig/ima' (with the default value) -------------
+IMAPOLICY="/etc/sysconfig/ima-policy"
+-------------------------------------------------------------------------

modules.d/98integrity/evm-enable.sh

@@ -0,0 +1,91 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+# Licensed under the GPLv2
+#
+# Copyright (C) 2011 Politecnico di Torino, Italy
+#                    TORSEC group -- http://security.polito.it
+# Roberto Sassu <roberto.sassu@polito.it>
+
+EVMSECFILE="${SECURITYFSDIR}/evm"
+EVMCONFIG="${NEWROOT}/etc/sysconfig/evm"
+EVMKEYDESC="evm-key"
+EVMKEYTYPE="encrypted"
+EVMKEYID=""
+
+load_evm_key()
+{
+    # read the configuration from the config file
+    [ -f "${EVMCONFIG}" ] && \
+        . ${EVMCONFIG}
+
+    # override the EVM key path name from the 'evmkey=' parameter in the kernel
+    # command line
+    EVMKEYARG=$(getarg evmkey=)
+    [ $? -eq 0 ] && \
+        EVMKEY=${EVMKEYARG}
+
+    # set the default value
+    [ -z "${EVMKEY}" ] && \
+        EVMKEY="/etc/keys/evm-trusted.blob";
+
+    # set the EVM key path name
+    EVMKEYPATH="${NEWROOT}${EVMKEY}"
+
+    # check for EVM encrypted key's existence
+    if [ ! -f "${EVMKEYPATH}" ]; then
+        if [ "${RD_DEBUG}" = "yes" ]; then
+            info "integrity: EVM encrypted key file not found: ${EVMKEYPATH}"
+        fi
+        return 1
+    fi
+
+    # read the EVM encrypted key blob
+    KEYBLOB=$(cat ${EVMKEYPATH})
+
+    # load the EVM encrypted key
+    EVMKEYID=$(keyctl add ${EVMKEYTYPE} ${EVMKEYDESC} "load ${KEYBLOB}" @u)
+    [ $? -eq 0 ] || {
+        info "integrity: failed to load the EVM encrypted key: ${EVMKEYDESC}";
+        return 1;
+    }
+
+    return 0
+}
+
+unload_evm_key()
+{
+    # unlink the EVM encrypted key
+    keyctl unlink ${EVMKEYID} @u || {
+        info "integrity: failed to unlink the EVM encrypted key: ${EVMKEYDESC}";
+        return 1;
+    }
+
+    return 0
+}
+
+enable_evm()
+{
+    # check kernel support for EVM
+    if [ ! -e "${EVMSECFILE}" ]; then
+        if [ "${RD_DEBUG}" = "yes" ]; then
+            info "integrity: EVM kernel support is disabled"
+        fi
+        return 0
+    fi
+
+    # load the EVM encrypted key
+    load_evm_key || return 1
+
+    # initialize EVM
+    info "Enabling EVM"
+    echo 1 > ${EVMSECFILE}
+
+    # unload the EVM encrypted key
+    unload_evm_key || return 1
+
+    return 0
+}
+
+enable_evm

modules.d/98integrity/ima-policy-load.sh

@@ -0,0 +1,41 @@
+#!/bin/sh
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+# Licensed under the GPLv2
+#
+# Copyright (C) 2011 Politecnico di Torino, Italy
+#                    TORSEC group -- http://security.polito.it
+# Roberto Sassu <roberto.sassu@polito.it>
+
+IMASECDIR="${SECURITYFSDIR}/ima"
+IMACONFIG="${NEWROOT}/etc/sysconfig/ima"
+IMAPOLICY="/etc/sysconfig/ima-policy"
+
+load_ima_policy()
+{
+    # check kernel support for IMA
+    if [ ! -e "${IMASECDIR}" ]; then
+        if [ "${RD_DEBUG}" = "yes" ]; then
+            info "integrity: IMA kernel support is disabled"
+        fi
+        return 0
+    fi
+
+    # override the default configuration
+    [ -f "${IMACONFIG}" ] && \
+        . ${IMACONFIG}
+
+    # set the IMA policy path name
+    IMAPOLICYPATH="${NEWROOT}${IMAPOLICY}"
+
+    # check the existence of the IMA policy file
+    [ -f "${IMAPOLICYPATH}" ] && {
+        info "Loading the provided IMA custom policy";
+        cat ${IMAPOLICYPATH} > ${IMASECDIR}/policy;
+    }
+
+    return 0
+}
+
+load_ima_policy

modules.d/98integrity/module-setup.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+    return 0
+}
+
+depends() {
+    echo masterkey
+    return 0
+}
+
+install() {
+    inst_hook pre-pivot 61 "$moddir/evm-enable.sh"
+    inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"
+}