mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-07-16 12:47:00 +00:00
meta-integrity: init.ima: Switch to using keyctl
Rather than parse /proc/keys directly to find out the ID of the keyring that we're using, let keyctl do this for us. In order to do that we need to have /proc available as /proc, so move it around before and after working with keyctl. Signed-off-by: Tom Rini <trini@konsulko.com>
This commit is contained in:
@@ -95,20 +95,22 @@ fi
|
||||
[ ! -d "$securityfs_dir/ima" ] &&
|
||||
print_info "IMA is not enabled. Exiting ..." && exit 2
|
||||
|
||||
keyring_id=0x`grep '\skeyring\s*\.ima: ' "${ROOT_DIR}/proc/keys" | awk '{ print $1 }'`
|
||||
mount --move ${ROOT_DIR}/proc /proc
|
||||
|
||||
# The trusted IMA certificate /etc/keys/x509_evm.der in initramfs was
|
||||
# automatically loaded by kernel already. Here is the opportunity to load
|
||||
# a custom IMA certificate from the real rootfs.
|
||||
for cert in ${ROOT_DIR}/etc/keys/x509_evm*.der; do
|
||||
[ ! -s "$cert" ] && continue
|
||||
name=`basename $cert`
|
||||
|
||||
if ! evmctl import "$cert" "$keyring_id" >"${ROOT_DIR}/dev/null"; then
|
||||
if ! keyctl padd asymmetric "$name" %:.ima < $cert > ${ROOT_DIR}/dev/null; then
|
||||
print_critical "Unable to load the custom IMA certificate $cert for IMA appraisal"
|
||||
else
|
||||
print_verbose "The custom IMA certificate $cert loaded for IMA appraisal"
|
||||
fi
|
||||
done
|
||||
mount --move /proc ${ROOT_DIR}/proc
|
||||
|
||||
# Attempt to load the default policy.
|
||||
[ ! -s "${IMA_POLICY}" ] && IMA_POLICY="${IMA_POLICY}.default"
|
||||
|
||||
@@ -34,7 +34,7 @@ RDEPENDS_${PN} += "\
|
||||
gawk \
|
||||
util-linux-mount \
|
||||
util-linux-umount \
|
||||
ima-evm-utils \
|
||||
keyutils \
|
||||
ima-policy \
|
||||
"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user