tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

integrity: provide a hook to load keys when rootfs is ready

Keys can only be loaded once the rootfs is mounted. Initcalls
are not suitable for that. This patch defines a special hook
to load the x509 public keys onto the IMA keyring, before
attempting to access any file. The keys are required for
verifying the file's signature. The hook is called after the
root filesystem is mounted and before the kernel calls 'init'.

Changes in v3:
* added more explanation to the patch description (Mimi)

Changes in v2:
* Hook renamed as 'integrity_load_keys()' to handle both IMA and EVM
keys by integrity subsystem.
* Hook patch moved after defining loading functions

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

authored by

Dmitry Kasatkin and committed by
Mimi Zohar c9cd2ce2 fd5f4e90

+22 -1
+6
include/linux/integrity.h
··· 24 24 #ifdef CONFIG_INTEGRITY 25 25 extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode); 26 26 extern void integrity_inode_free(struct inode *inode); 27 + extern void __init integrity_load_keys(void); 27 28 28 29 #else 29 30 static inline struct integrity_iint_cache * ··· 37 36 { 38 37 return; 39 38 } 39 + 40 + static inline void integrity_load_keys(void) 41 + { 42 + } 40 43 #endif /* CONFIG_INTEGRITY */ 44 + 41 45 #endif /* _LINUX_INTEGRITY_H */
+5 -1
init/main.c
··· 78 78 #include <linux/context_tracking.h> 79 79 #include <linux/random.h> 80 80 #include <linux/list.h> 81 + #include <linux/integrity.h> 81 82 82 83 #include <asm/io.h> 83 84 #include <asm/bugs.h> ··· 1027 1026 * Ok, we have completed the initial bootup, and 1028 1027 * we're essentially up and running. Get rid of the 1029 1028 * initmem segments and start the user-mode stuff.. 1029 + * 1030 + * rootfs is available now, try loading the public keys 1031 + * and default modules 1030 1032 */ 1031 1033 1032 - /* rootfs is available now, try loading default modules */ 1034 + integrity_load_keys(); 1033 1035 load_default_modules(); 1034 1036 }
+11
security/integrity/iint.c
··· 245 245 fput(file); 246 246 return rc; 247 247 } 248 + 249 + /* 250 + * integrity_load_keys - load integrity keys hook 251 + * 252 + * Hooks is called from init/main.c:kernel_init_freeable() 253 + * when rootfs is ready 254 + */ 255 + void __init integrity_load_keys(void) 256 + { 257 + ima_load_x509(); 258 + }