fix(integrity): add support for loading multiple EVM x509 certs

Add support for loading EVM x509 certs from a directory that the user can specify with the EVMKEYSDIR variable in the evm config file. By default the additional certs are loaded from /etc/keys/evm. Support for multiple EVM keys allows the usage in a system of files with signed metadata from multiple parties. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
2021-06-18 13:26:29 -04:00 · 2021-06-18 13:26:29 -04:00 · 9da76af8e7
parent f649cd10b2
commit 9da76af8e7
1 changed files with 18 additions and 10 deletions
--- a/modules.d/98integrity/evm-enable.sh
+++ b/modules.d/98integrity/evm-enable.sh
@ -20,6 +20,7 @@ EVM_ACTIVATION_BITS=0
 # EVMX509: path to x509 cert; default is /etc/keys/x509_evm.der
 # EVM_ACTIVATION_BITS: additional EVM activation bits, such as
 #                      EVM_SETUP_COMPLETE; default is 0
+# EVMKEYSDIR: Directory with more x509 certs; default is /etc/keys/evm/

 load_evm_key() {
    # read the configuration from the config file
@ -77,10 +78,7 @@ load_evm_x509() {

    # check for EVM public key's existence
    if [ ! -f "${EVMX509PATH}" ]; then
-        if [ "${RD_DEBUG}" = "yes" ]; then
-            info "integrity: EVM x509 cert file not found: ${EVMX509PATH}"
-        fi
-        return 1
+        EVMX509PATH=""
    fi

    local evm_pubid line
@ -96,13 +94,23 @@ load_evm_x509() {
        fi
    fi

-    # load the EVM public key onto the EVM keyring
-    # FIXME: EVMX509ID unused?
-    # shellcheck disable=SC2034
-    if ! EVMX509ID=$(evmctl import "${EVMX509PATH}" "${evm_pubid}"); then
-        info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}"
-        return 1
+    if [ -z "${EVMKEYSDIR}" ]; then
+        EVMKEYSDIR="/etc/keys/evm"
    fi
+    # load the default EVM public key onto the EVM keyring along
+    # with all the other ones in $EVMKEYSDIR
+    for PUBKEY in ${EVMX509PATH} "${NEWROOT}${EVMKEYSDIR}"/*; do
+        if [ ! -f "${PUBKEY}" ]; then
+            if [ "${RD_DEBUG}" = "yes" ]; then
+                info "integrity: EVM x509 cert file not found: ${PUBKEY}"
+            fi
+            continue
+        fi
+        if ! evmctl import "${PUBKEY}" "${evm_pubid}"; then
+            info "integrity: failed to load the EVM X509 cert ${PUBKEY}"
+            return 1
+        fi
+    done

    if [ "${RD_DEBUG}" = "yes" ]; then
        keyctl show @u