authorStefan Berger <stefanb@linux.ibm.com>2021-06-18 13:26:29 -0400
committerJóhann B. Guðmundsson <johannbg@gmail.com>2021-08-06 13:58:01 +0000
commit9da76af8e7f0f7a939b2ee44f0b4a5ce0bdd3b0b (patch)
tree599f5d81b012ee9223421b88da92b56d76a3586e
parentf649cd10b2e920e9d65c532db9b9f89a7370ad99 (diff)
fix(integrity): add support for loading multiple EVM x509 certs
Add support for loading EVM x509 certs from a directory that the user can specify with the EVMKEYSDIR variable in the evm config file. By default the additional certs are loaded from /etc/keys/evm. Support for multiple EVM keys allows a system to use files whose metadata was signed by multiple parties. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
-rwxr-xr-xmodules.d/98integrity/evm-enable.sh28
1 files changed, 18 insertions, 10 deletions
diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
index 77ab9bc6..0abdfb80 100755
--- a/modules.d/98integrity/evm-enable.sh
+++ b/modules.d/98integrity/evm-enable.sh
@@ -20,6 +20,7 @@ EVM_ACTIVATION_BITS=0
# EVMX509: path to x509 cert; default is /etc/keys/x509_evm.der
# EVM_ACTIVATION_BITS: additional EVM activation bits, such as
# EVM_SETUP_COMPLETE; default is 0
+# EVMKEYSDIR: Directory with more x509 certs; default is /etc/keys/evm/
load_evm_key() {
# read the configuration from the config file
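Review bot: The new EVMKEYSDIR comment states the default as `/etc/keys/evm/` with a trailing slash while the code in the third hunk assigns `/etc/keys/evm`, and it does not mention that the directory is resolved under `${NEWROOT}`, which the loop in that hunk does via `"${NEWROOT}${EVMKEYSDIR}"/*`. Suggest `# EVMKEYSDIR: directory (under $NEWROOT) with additional x509 certs; default is /etc/keys/evm`. Since every file in that directory is passed to evmctl, the comment should also say that only certificate files may be placed there. The load_evm_key function that begins here continues past the hunk.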
@@ -77,10 +78,7 @@ load_evm_x509() {
# check for EVM public key's existence
if [ ! -f "${EVMX509PATH}" ]; then
- if [ "${RD_DEBUG}" = "yes" ]; then
- info "integrity: EVM x509 cert file not found: ${EVMX509PATH}"
- fi
- return 1
+ EVMX509PATH=""
fi
local evm_pubid line
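Review bot: Blanking EVMX509PATH when the default cert is absent silently drops the diagnostic the removed lines emitted: once the variable is empty, the unquoted `${EVMX509PATH}` word in the later `for PUBKEY in ${EVMX509PATH} "${NEWROOT}${EVMKEYSDIR}"/*` list vanishes entirely, so the loop's `-f` check never sees the default path and no "not found" message is logged for it even with RD_DEBUG=yes. Keeping the RD_DEBUG block and replacing only the `return 1` with `EVMX509PATH=""` preserves that signal at no cost. The enclosing load_evm_x509 function starts before and ends after this hunk.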
@@ -96,13 +94,23 @@ load_evm_x509() {
fi
fi
- # load the EVM public key onto the EVM keyring
- # FIXME: EVMX509ID unused?
- # shellcheck disable=SC2034
- if ! EVMX509ID=$(evmctl import "${EVMX509PATH}" "${evm_pubid}"); then
- info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}"
- return 1
+ if [ -z "${EVMKEYSDIR}" ]; then
+ EVMKEYSDIR="/etc/keys/evm"
fi
+ # load the default EVM public key onto the EVM keyring along
+ # with all the other ones in $EVMKEYSDIR
+ for PUBKEY in ${EVMX509PATH} "${NEWROOT}${EVMKEYSDIR}"/*; do
+ if [ ! -f "${PUBKEY}" ]; then
+ if [ "${RD_DEBUG}" = "yes" ]; then
+ info "integrity: EVM x509 cert file not found: ${PUBKEY}"
+ fi
+ continue
+ fi
+ if ! evmctl import "${PUBKEY}" "${evm_pubid}"; then
+ info "integrity: failed to load the EVM X509 cert ${PUBKEY}"
+ return 1
+ fi
+ done
if [ "${RD_DEBUG}" = "yes" ]; then
keyctl show @u
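Review bot: The loop returns 0 even when no certificate at all was imported: a missing default cert becomes an empty word in `for PUBKEY in ${EVMX509PATH} ...`, and a missing or empty `${NEWROOT}${EVMKEYSDIR}` only yields the literal unmatched glob, which the `-f` test skips, so the old hard failure (`return 1` for an absent cert) is gone and the caller can no longer distinguish "nothing loaded" from success. If that failure mode is still wanted, count successful imports and return 1 when the count is zero, as below (add `loaded` to the `local` list at the top of the function). Separately, the glob picks up every file in the directory, so a stray non-certificate file makes `evmctl import` fail and aborts the whole load with `return 1`; either narrow the glob (e.g. `*.der`) or document that only certificate files may live there. load_evm_x509 begins before this hunk and its remainder is outside it.
```shell
    # load the default EVM public key onto the EVM keyring along
    # with all the other ones in $EVMKEYSDIR
    loaded=0
    for PUBKEY in ${EVMX509PATH} "${NEWROOT}${EVMKEYSDIR}"/*; do
        # … unchanged: -f check with RD_DEBUG "not found" message, continue …
        if ! evmctl import "${PUBKEY}" "${evm_pubid}"; then
            info "integrity: failed to load the EVM X509 cert ${PUBKEY}"
            return 1
        fi
        loaded=$((loaded + 1))
    done
    if [ "${loaded}" -eq 0 ]; then
        info "integrity: no EVM x509 cert loaded"
        return 1
    fi
```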