aboutsummaryrefslogtreecommitdiffstats
path: root/security/integrity/ima
diff options
context:
space:
mode:
authorDmitry Kasatkin <dmitry.kasatkin@huawei.com>2015-10-22 14:26:10 -0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2015-11-23 14:30:02 -0500
commitf4dc37785e9b3373d0cb93125d5579fed2af3a43 (patch)
treeb1bed1b8038d92770cc9881a1ad57b97e1b57dc3 /security/integrity/ima
parentebd68df3f24b318d391d15c458d6f43f340ba36a (diff)
integrity: define '.evm' as a builtin 'trusted' keyring
Require all keys added to the EVM keyring be signed by an existing trusted key on the system trusted keyring. This patch also switches IMA to use integrity_init_keyring(). Changes in v3: * Added 'init_keyring' config based variable to skip initializing keyring instead of using __integrity_init_keyring() wrapper. * Added dependency back to CONFIG_IMA_TRUSTED_KEYRING Changes in v2: * Replace CONFIG_EVM_TRUSTED_KEYRING with IMA and EVM common CONFIG_INTEGRITY_TRUSTED_KEYRING configuration option * Deprecate CONFIG_IMA_TRUSTED_KEYRING but keep it for config file compatibility. (Mimi Zohar) Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/ima')
-rw-r--r--security/integrity/ima/Kconfig5
-rw-r--r--security/integrity/ima/ima.h12
-rw-r--r--security/integrity/ima/ima_init.c2
3 files changed, 5 insertions, 14 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index df303346029b..a292b881c16f 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -123,14 +123,17 @@ config IMA_APPRAISE
123 If unsure, say N. 123 If unsure, say N.
124 124
125config IMA_TRUSTED_KEYRING 125config IMA_TRUSTED_KEYRING
126 bool "Require all keys on the .ima keyring be signed" 126 bool "Require all keys on the .ima keyring be signed (deprecated)"
127 depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING 127 depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
128 depends on INTEGRITY_ASYMMETRIC_KEYS 128 depends on INTEGRITY_ASYMMETRIC_KEYS
129 select INTEGRITY_TRUSTED_KEYRING
129 default y 130 default y
130 help 131 help
131 This option requires that all keys added to the .ima 132 This option requires that all keys added to the .ima
132 keyring be signed by a key on the system trusted keyring. 133 keyring be signed by a key on the system trusted keyring.
133 134
135 This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
136
134config IMA_LOAD_X509 137config IMA_LOAD_X509
135 bool "Load X509 certificate onto the '.ima' trusted keyring" 138 bool "Load X509 certificate onto the '.ima' trusted keyring"
136 depends on IMA_TRUSTED_KEYRING 139 depends on IMA_TRUSTED_KEYRING
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index e2a60c30df44..9e82367f5190 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -251,16 +251,4 @@ static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
251 return -EINVAL; 251 return -EINVAL;
252} 252}
253#endif /* CONFIG_IMA_LSM_RULES */ 253#endif /* CONFIG_IMA_LSM_RULES */
254
255#ifdef CONFIG_IMA_TRUSTED_KEYRING
256static inline int ima_init_keyring(const unsigned int id)
257{
258 return integrity_init_keyring(id);
259}
260#else
261static inline int ima_init_keyring(const unsigned int id)
262{
263 return 0;
264}
265#endif /* CONFIG_IMA_TRUSTED_KEYRING */
266#endif 254#endif
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index e600cadd231c..bd79f254d204 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -116,7 +116,7 @@ int __init ima_init(void)
116 if (!ima_used_chip) 116 if (!ima_used_chip)
117 pr_info("No TPM chip found, activating TPM-bypass!\n"); 117 pr_info("No TPM chip found, activating TPM-bypass!\n");
118 118
119 rc = ima_init_keyring(INTEGRITY_KEYRING_IMA); 119 rc = integrity_init_keyring(INTEGRITY_KEYRING_IMA);
120 if (rc) 120 if (rc)
121 return rc; 121 return rc;
122 122
generated by cgit v1.2.2 (git 2.25.0) at 2026-04-04 11:49:31 -0400