diff --git a/meta-integrity/recipes-core/initrdscripts/files/init.ima b/meta-integrity/recipes-core/initrdscripts/files/init.ima index f117717..f11ff13 100755 --- a/meta-integrity/recipes-core/initrdscripts/files/init.ima +++ b/meta-integrity/recipes-core/initrdscripts/files/init.ima @@ -95,20 +95,22 @@ fi [ ! -d "$securityfs_dir/ima" ] && print_info "IMA is not enabled. Exiting ..." && exit 2 -keyring_id=0x`grep '\skeyring\s*\.ima: ' "${ROOT_DIR}/proc/keys" | awk '{ print $1 }'` +mount --move ${ROOT_DIR}/proc /proc # The trusted IMA certificate /etc/keys/x509_evm.der in initramfs was # automatically loaded by kernel already. Here is the opportunity to load # a custom IMA certificate from the real rootfs. for cert in ${ROOT_DIR}/etc/keys/x509_evm*.der; do [ ! -s "$cert" ] && continue + name=`basename $cert` - if ! evmctl import "$cert" "$keyring_id" >"${ROOT_DIR}/dev/null"; then + if ! keyctl padd asymmetric "$name" %:.ima < $cert > ${ROOT_DIR}/dev/null; then print_critical "Unable to load the custom IMA certificate $cert for IMA appraisal" else print_verbose "The custom IMA certificate $cert loaded for IMA appraisal" fi done +mount --move /proc ${ROOT_DIR}/proc # Attempt to load the default policy. [ ! -s "${IMA_POLICY}" ] && IMA_POLICY="${IMA_POLICY}.default" diff --git a/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb b/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb index e615e05..b261e9e 100644 --- a/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb +++ b/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb @@ -34,7 +34,7 @@ RDEPENDS_${PN} += "\ gawk \ util-linux-mount \ util-linux-umount \ - ima-evm-utils \ + keyutils \ ima-policy \ "