meta-integrity: init.ima: Switch to using keyctl

Rather than parse /proc/keys directly to find out the ID of the keyring
that we're using, let keyctl do this for us.  In order to do that we
need to have /proc available as /proc, so move it around before and
after working with keyctl.

Signed-off-by: Tom Rini <trini@konsulko.com>
This commit is contained in:
Tom Rini
2018-05-16 10:31:49 -04:00
committed by Jia Zhang
parent f9f181fe5c
commit b7b42cdec7
2 changed files with 5 additions and 3 deletions
@@ -95,20 +95,22 @@ fi
[ ! -d "$securityfs_dir/ima" ] &&
print_info "IMA is not enabled. Exiting ..." && exit 2
keyring_id=0x`grep '\skeyring\s*\.ima: ' "${ROOT_DIR}/proc/keys" | awk '{ print $1 }'`
mount --move ${ROOT_DIR}/proc /proc
# The trusted IMA certificate /etc/keys/x509_evm.der in initramfs was
# automatically loaded by kernel already. Here is the opportunity to load
# a custom IMA certificate from the real rootfs.
for cert in ${ROOT_DIR}/etc/keys/x509_evm*.der; do
[ ! -s "$cert" ] && continue
name=`basename $cert`
if ! evmctl import "$cert" "$keyring_id" >"${ROOT_DIR}/dev/null"; then
if ! keyctl padd asymmetric "$name" %:.ima < $cert > ${ROOT_DIR}/dev/null; then
print_critical "Unable to load the custom IMA certificate $cert for IMA appraisal"
else
print_verbose "The custom IMA certificate $cert loaded for IMA appraisal"
fi
done
mount --move /proc ${ROOT_DIR}/proc
# Attempt to load the default policy.
[ ! -s "${IMA_POLICY}" ] && IMA_POLICY="${IMA_POLICY}.default"
@@ -34,7 +34,7 @@ RDEPENDS_${PN} += "\
gawk \
util-linux-mount \
util-linux-umount \
ima-evm-utils \
keyutils \
ima-policy \
"