fix(integrity): properly set up EVM when using an x509 cert
The current EVM script does not handle the EVM setup properly when X509 certificates are involved. In this patch we extend the setup and add the necessary flags for support of EVM activation that include x509 certificates, possibly in conjunction with an HMAC key. We also first try activating EVM for x509 certificates using EVM_ALLOW_METADATA_WRITES for newer kernels, then without it for older ones that did not support this flag.

We add support for additional EVM activation bits to be set, such as EVM_SETUP_COMPLETE (0x80000000) via the config file and EVM_ACTIVATION_BITS variable.

To avoid error messages related to unloading the HMAC key if none is used, only attempt to unload the HMAC key if one was actually set.

We add documentation about the variables that can be set in the EVM config file.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Cc: Roberto Sassu <roberto.sassu@huawei.com>
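The activation logic the commit message describes (build the EVM init value from the configured key types plus any extra bits such as EVM_SETUP_COMPLETE, then try the write with EVM_ALLOW_METADATA_WRITES first and fall back to a write without it on kernels that reject the flag) can be illustrated with the following added shell example. It is not the project's EVM script and not part of this commit; the function names `evm_bits` and `activate_evm` and the `use_hmac`/`use_x509` parameters are assumptions made for the example, while the bit values are the kernel's EVM init constants. The path of the securityfs `evm` file is passed in so the logic can be exercised against an ordinary file.

```shell
#!/bin/sh
# Added example, not code from the ima-evm-utils project or this commit.
# Kernel EVM init bits written to <securityfs>/evm:
EVM_INIT_HMAC=1                 # 0x1: HMAC key loaded
EVM_INIT_X509=2                 # 0x2: x509 public key(s) loaded
EVM_ALLOW_METADATA_WRITES=4     # 0x4: newer kernels only
EVM_SETUP_COMPLETE=2147483648   # 0x80000000, typically passed via EVM_ACTIVATION_BITS

# evm_bits <use_hmac 0|1> <use_x509 0|1> <extra bits> <allow_metadata_writes 0|1>
# Prints the decimal value to be written to the evm securityfs file.
evm_bits() {
    bits=0
    [ "$1" = 1 ] && bits=$((bits | EVM_INIT_HMAC))
    [ "$2" = 1 ] && bits=$((bits | EVM_INIT_X509))
    [ "$4" = 1 ] && bits=$((bits | EVM_ALLOW_METADATA_WRITES))
    bits=$((bits | $3))          # e.g. EVM_SETUP_COMPLETE from the config file
    echo "$bits"
}

# activate_evm <evm file> <use_hmac 0|1> <use_x509 0|1> <extra bits>
# First attempt includes EVM_ALLOW_METADATA_WRITES; if the kernel rejects the
# write (older kernels that do not know the flag), retry without it.
# Prints the value that was accepted; returns 1 if both writes failed.
activate_evm() {
    evmfile=$1
    shift
    for meta in 1 0; do
        val=$(evm_bits "$1" "$2" "$3" "$meta")
        if printf '%s\n' "$val" > "$evmfile" 2>/dev/null; then
            echo "$val"
            return 0
        fi
    done
    return 1
}

# Usage on a real system (hypothetical config values, not run here):
#   activate_evm /sys/kernel/security/evm "$USE_HMAC" "$USE_X509" "$EVM_ACTIVATION_BITS"
```

Only the last successful value is reported, so a caller can log which variant the kernel accepted; the HMAC-key unload guard from the commit message would be a separate check that skips `keyctl` when no key id was recorded during setup.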