evm: enable EVM when X509 certificate is loaded

In order to enable EVM before starting the 'init' process, evm_initialized needs to be non-zero. Previously non-zero indicated that the HMAC key was loaded. When EVM loads the X509 before calling 'init', with this patch it is now possible to enable EVM to start signature based verification. This patch defines bits to enable EVM if a key of any type is loaded. Changes in v3: * print error message if key is not set Changes in v2: * EVM_STATE_KEY_SET replaced by EVM_INIT_HMAC * EVM_STATE_X509_SET replaced by EVM_INIT_X509 Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
mariux64 · Dec 15, 2015 · 26ddabf · 26ddabf
1 parent 2ce523e
commit 26ddabf
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 3 deletions.
diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
@@ -21,6 +21,9 @@
 
 #include "../integrity.h"
 
+#define EVM_INIT_HMAC	0x0001
+#define EVM_INIT_X509	0x0002
+
 extern int evm_initialized;
 extern char *evm_hmac;
 extern char *evm_hash;

diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
@@ -40,6 +40,10 @@ static struct shash_desc *init_desc(char type)
 	struct shash_desc *desc;
 
 	if (type == EVM_XATTR_HMAC) {
+		if (!(evm_initialized & EVM_INIT_HMAC)) {
+			pr_err("HMAC key is not set\n");
+			return ERR_PTR(-ENOKEY);
+		}
 		tfm = &hmac_tfm;
 		algo = evm_hmac;
 	} else {

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
@@ -475,7 +475,11 @@ EXPORT_SYMBOL_GPL(evm_inode_init_security);
 #ifdef CONFIG_EVM_LOAD_X509
 void __init evm_load_x509(void)
 {
-	integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
+	int rc;
+
+	rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH);
+	if (!rc)
+		evm_initialized |= EVM_INIT_X509;
 }
 #endif
 

diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c
@@ -64,7 +64,7 @@ static ssize_t evm_write_key(struct file *file, const char __user *buf,
 	char temp[80];
 	int i, error;
 
-	if (!capable(CAP_SYS_ADMIN) || evm_initialized)
+	if (!capable(CAP_SYS_ADMIN) || (evm_initialized & EVM_INIT_HMAC))
 		return -EPERM;
 
 	if (count >= sizeof(temp) || count == 0)
@@ -80,7 +80,7 @@ static ssize_t evm_write_key(struct file *file, const char __user *buf,
 
 	error = evm_init_key();
 	if (!error) {
-		evm_initialized = 1;
+		evm_initialized |= EVM_INIT_HMAC;
 		pr_info("initialized\n");
 	} else
 		pr_err("initialization failed\n");