kernel
/
dracut
mirror of https://git.kernel.org/pub/scm/boot/dracut/dracut.git/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

fix(integrity): add support for loading multiple EVM x509 certs 

Add support for loading EVM x509 certs from a directory that the user can
specify with the EVMKEYSDIR variable in the evm config file. By default
the additional certs are loaded from /etc/keys/evm.

Support for multiple EVM keys allows the usage in a system of files with
signed metadata from multiple parties.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
master
Stefan Berger 3 years ago committed by Jóhann B. Guðmundsson
parent
f649cd10b2
commit
9da76af8e7
1 changed files with 18 additions and 10 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 28
      modules.d/98integrity/evm-enable.sh

28
modules.d/98integrity/evm-enable.sh
Unescape View File

@ -20,6 +20,7 @@ EVM_ACTIVATION_BITS=0 @@ -20,6 +20,7 @@ EVM_ACTIVATION_BITS=0
# EVMX509: path to x509 cert; default is /etc/keys/x509_evm.der
# EVM_ACTIVATION_BITS: additional EVM activation bits, such as
# EVM_SETUP_COMPLETE; default is 0
# EVMKEYSDIR: Directory with more x509 certs; default is /etc/keys/evm/

load_evm_key() {
# read the configuration from the config file
@ -77,10 +78,7 @@ load_evm_x509() { @@ -77,10 +78,7 @@ load_evm_x509() {

# check for EVM public key's existence
if [ ! -f "${EVMX509PATH}" ]; then
if [ "${RD_DEBUG}" = "yes" ]; then
info "integrity: EVM x509 cert file not found: ${EVMX509PATH}"
fi
return 1
EVMX509PATH=""
fi

local evm_pubid line
@ -96,13 +94,23 @@ load_evm_x509() { @@ -96,13 +94,23 @@ load_evm_x509() {
fi
fi

# load the EVM public key onto the EVM keyring
# FIXME: EVMX509ID unused?
# shellcheck disable=SC2034
if ! EVMX509ID=$(evmctl import "${EVMX509PATH}" "${evm_pubid}"); then
info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}"
return 1
if [ -z "${EVMKEYSDIR}" ]; then
EVMKEYSDIR="/etc/keys/evm"
fi
# load the default EVM public key onto the EVM keyring along
# with all the other ones in $EVMKEYSDIR
for PUBKEY in ${EVMX509PATH} "${NEWROOT}${EVMKEYSDIR}"/*; do
if [ ! -f "${PUBKEY}" ]; then
if [ "${RD_DEBUG}" = "yes" ]; then
info "integrity: EVM x509 cert file not found: ${PUBKEY}"
fi
continue
fi
if ! evmctl import "${PUBKEY}" "${evm_pubid}"; then
info "integrity: failed to load the EVM X509 cert ${PUBKEY}"
return 1
fi
done

if [ "${RD_DEBUG}" = "yes" ]; then
keyctl show @u

Write Preview
Loading…
Cancel
Save