mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-08-05 16:54:27 +00:00
26ddabfe96
In order to enable EVM before starting the 'init' process, evm_initialized needs to be non-zero. Previously non-zero indicated that the HMAC key was loaded. When EVM loads the X509 before calling 'init', with this patch it is now possible to enable EVM to start signature based verification. This patch defines bits to enable EVM if a key of any type is loaded. Changes in v3: * print error message if key is not set Changes in v2: * EVM_STATE_KEY_SET replaced by EVM_INIT_HMAC * EVM_STATE_X509_SET replaced by EVM_INIT_X509 Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
104 lines
2.4 KiB
C
104 lines
2.4 KiB
C
/*
|
|
* Copyright (C) 2010 IBM Corporation
|
|
*
|
|
* Authors:
|
|
* Mimi Zohar <zohar@us.ibm.com>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, version 2 of the License.
|
|
*
|
|
* File: evm_secfs.c
|
|
* - Used to signal when key is on keyring
|
|
* - Get the key and enable EVM
|
|
*/
|
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
#include <linux/uaccess.h>
|
|
#include <linux/module.h>
|
|
#include "evm.h"
|
|
|
|
static struct dentry *evm_init_tpm;
|
|
|
|
/**
|
|
* evm_read_key - read() for <securityfs>/evm
|
|
*
|
|
* @filp: file pointer, not actually used
|
|
* @buf: where to put the result
|
|
* @count: maximum to send along
|
|
* @ppos: where to start
|
|
*
|
|
* Returns number of bytes read or error code, as appropriate
|
|
*/
|
|
static ssize_t evm_read_key(struct file *filp, char __user *buf,
|
|
size_t count, loff_t *ppos)
|
|
{
|
|
char temp[80];
|
|
ssize_t rc;
|
|
|
|
if (*ppos != 0)
|
|
return 0;
|
|
|
|
sprintf(temp, "%d", evm_initialized);
|
|
rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
|
|
|
|
return rc;
|
|
}
|
|
|
|
/**
|
|
* evm_write_key - write() for <securityfs>/evm
|
|
* @file: file pointer, not actually used
|
|
* @buf: where to get the data from
|
|
* @count: bytes sent
|
|
* @ppos: where to start
|
|
*
|
|
* Used to signal that key is on the kernel key ring.
|
|
* - get the integrity hmac key from the kernel key ring
|
|
* - create list of hmac protected extended attributes
|
|
* Returns number of bytes written or error code, as appropriate
|
|
*/
|
|
static ssize_t evm_write_key(struct file *file, const char __user *buf,
|
|
size_t count, loff_t *ppos)
|
|
{
|
|
char temp[80];
|
|
int i, error;
|
|
|
|
if (!capable(CAP_SYS_ADMIN) || (evm_initialized & EVM_INIT_HMAC))
|
|
return -EPERM;
|
|
|
|
if (count >= sizeof(temp) || count == 0)
|
|
return -EINVAL;
|
|
|
|
if (copy_from_user(temp, buf, count) != 0)
|
|
return -EFAULT;
|
|
|
|
temp[count] = '\0';
|
|
|
|
if ((sscanf(temp, "%d", &i) != 1) || (i != 1))
|
|
return -EINVAL;
|
|
|
|
error = evm_init_key();
|
|
if (!error) {
|
|
evm_initialized |= EVM_INIT_HMAC;
|
|
pr_info("initialized\n");
|
|
} else
|
|
pr_err("initialization failed\n");
|
|
return count;
|
|
}
|
|
|
|
static const struct file_operations evm_key_ops = {
|
|
.read = evm_read_key,
|
|
.write = evm_write_key,
|
|
};
|
|
|
|
int __init evm_init_secfs(void)
|
|
{
|
|
int error = 0;
|
|
|
|
evm_init_tpm = securityfs_create_file("evm", S_IRUSR | S_IRGRP,
|
|
NULL, NULL, &evm_key_ops);
|
|
if (!evm_init_tpm || IS_ERR(evm_init_tpm))
|
|
error = -EFAULT;
|
|
return error;
|
|
}
|