[PATCH v3 4/6] integrity: provide hook to load keys when rootfs is ready

From: Dmitry Kasatkin
Date: Fri Oct 10 2014 - 10:10:59 EST

Next message: Andy Shevchenko: "Re: [PATCH 2/2 v3] SPI: spi-pxa2xx: SPI support for Intel Quark X1000"
Previous message: Dmitry Kasatkin: "[PATCH v3 6/6] VFS: refactor vfs_read()"
In reply to: Mimi Zohar: "Re: [PATCH v3 6/6] VFS: refactor vfs_read()"
Next in thread: Mimi Zohar: "Re: [PATCH v3 4/6] integrity: provide hook to load keys when rootfs is ready"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Keys can only be loaded when rootfs is mounted. Initcalls
are not suitable for that. Provide a special hook.

Changes in v2:
* Hook renamed as 'integrity_load_keys()' to handle both IMA and EVM
keys by integrity subsystem.
* Hook patch moved after defining loading functions

Signed-off-by: Dmitry Kasatkin <d.kasatkin@xxxxxxxxxxx>
---
include/linux/integrity.h | 6 ++++++
init/main.c | 6 +++++-
security/integrity/iint.c | 11 +++++++++++
3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/include/linux/integrity.h b/include/linux/integrity.h
index 83222ce..c2d6082 100644
--- a/include/linux/integrity.h
+++ b/include/linux/integrity.h
@@ -24,6 +24,7 @@ enum integrity_status {
#ifdef CONFIG_INTEGRITY
extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode);
extern void integrity_inode_free(struct inode *inode);
+extern void __init integrity_load_keys(void);

#else
static inline struct integrity_iint_cache *
@@ -36,5 +37,10 @@ static inline void integrity_inode_free(struct inode *inode)
{
return;
}
+
+static inline void integrity_load_keys(void)
+{
+}
#endif /* CONFIG_INTEGRITY */
+
#endif /* _LINUX_INTEGRITY_H */
diff --git a/init/main.c b/init/main.c
index e8ae1fe..2c1928d 100644
--- a/init/main.c
+++ b/init/main.c
@@ -78,6 +78,7 @@
#include <linux/context_tracking.h>
#include <linux/random.h>
#include <linux/list.h>
+#include <linux/integrity.h>

#include <asm/io.h>
#include <asm/bugs.h>
@@ -1026,8 +1027,11 @@ static noinline void __init kernel_init_freeable(void)
* Ok, we have completed the initial bootup, and
* we're essentially up and running. Get rid of the
* initmem segments and start the user-mode stuff..
+ *
+ * rootfs is available now, try loading the public keys
+ * and default modules
*/

- /* rootfs is available now, try loading default modules */
+ integrity_load_keys();
load_default_modules();
}
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 0a76686..a1f5cd1 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -245,3 +245,14 @@ out:
fput(file);
return rc;
}
+
+/*
+ * integrity_load_keys - load integrity keys hook
+ *
+ * Hooks is called from init/main.c:kernel_init_freeable()
+ * when rootfs is ready
+ */
+void __init integrity_load_keys(void)
+{
+ ima_load_x509();
+}
--
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andy Shevchenko: "Re: [PATCH 2/2 v3] SPI: spi-pxa2xx: SPI support for Intel Quark X1000"
Previous message: Dmitry Kasatkin: "[PATCH v3 6/6] VFS: refactor vfs_read()"
In reply to: Mimi Zohar: "Re: [PATCH v3 6/6] VFS: refactor vfs_read()"
Next in thread: Mimi Zohar: "Re: [PATCH v3 4/6] integrity: provide hook to load keys when rootfs is ready"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]