fix(integrity): properly set up EVM when using an x509 cert
The current EVM script does not handle the EVM setup properly when X509
certificates are involved. In this patch we extend the setup and add
the necessary flags for support of EVM activation that include
x509 certificates, possibly in conjunction with an HMAC key. We also
first try activating EVM for x509 certificates using
EVM_ALLOW_METADATA_WRITES for newer kernels, then without it for older
ones that did not support this flag.

We add support for additional EVM activation bits to be set, such
as EVM_SETUP_COMPLETE (0x80000000) via the config file and
EVM_ACTIVATION_BITS variable.

To avoid error messages related to unloading the HMAC key if none is
used, only attempt to unload the HMAC key if one was actually set.

We add documentation about the variables that can be set in the EVM
config file.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Cc: Roberto Sassu <roberto.sassu@huawei.com>
stefanberger authored and johannbg committed May 3, 2021
1 parent 8f99fad commit 4bdd7eb
Showing 1 changed file with 26 additions and 7 deletions.
33 changes: 26 additions & 7 deletions modules.d/98integrity/evm-enable.sh
Expand Up @@ -11,6 +11,15 @@ EVMCONFIG="${NEWROOT}/etc/sysconfig/evm"
EVMKEYDESC="evm-key"
EVMKEYTYPE="encrypted"
EVMKEYID=""
EVM_ACTIVATION_BITS=0

# The following variables can be set in /etc/sysconfig/evm:
# EVMKEY: path to the symmetric key; defaults to /etc/keys/evm-trusted.blob
# EVMKEYDESC: Description of the symmetric key; default is 'evm-key'
# EVMKEYTYPE: Type of the symmetric key; default is 'encrypted'
# EMX509: path to x509 cert; default is /etc/keys/x509_evm.der
# EVM_ACTIVATION_BITS: additional EVM activation bits, such as
# EVM_SETUP_COMPLETE; default is 0

load_evm_key() {
# read the configuration from the config file
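Review bot: the new documentation block names the certificate variable `EMX509`, which breaks the `EVM` prefix that every other listed variable uses (EVMKEY, EVMKEYDESC, EVMKEYTYPE) and looks like a typo; check it against the variable name load_evm_x509 actually reads and correct the comment, otherwise a user editing /etc/sysconfig/evm will set a variable the script never consults. The `EVM_ACTIVATION_BITS` comment should also say that the value is a numeric bitmask that is OR'ed into the write to the securityfs evm file (it is used inside `$((...))` below), and could give the EVM_SETUP_COMPLETE value 0x80000000 from the commit message, since a non-numeric value sourced from the config file will make the arithmetic expansion fail at boot.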
Expand Down Expand Up @@ -121,25 +130,35 @@ enable_evm() {
return 0
fi

local evm_configured
local evm_configured=0
local EVM_INIT_HMAC=1 EVM_INIT_X509=2 EVM_ALLOW_METADATA_WRITES=4

# try to load the EVM encrypted key
load_evm_key && evm_configured=1
load_evm_key && evm_configured=${EVM_INIT_HMAC}

# try to load the EVM public key
load_evm_x509 && evm_configured=1
load_evm_x509 && evm_configured=$((evm_configured | EVM_INIT_X509))

# only enable EVM if a key or x509 certificate could be loaded
if [ -z "$evm_configured" ]; then
if [ $evm_configured -eq 0 ]; then
return 1
fi

# initialize EVM
info "Enabling EVM"
echo 1 > "${EVMSECFILE}"
if [ "$((evm_configured & EVM_INIT_X509))" -ne 0 ]; then
# Older kernels did not support EVM_ALLOW_METADATA_WRITES, try for
# newer ones first that need it when an x509 is used
echo $((evm_configured | EVM_ALLOW_METADATA_WRITES | EVM_ACTIVATION_BITS)) > "${EVMSECFILE}" ||
echo $((evm_configured | EVM_ACTIVATION_BITS)) > "${EVMSECFILE}"
else
echo $((evm_configured | EVM_ACTIVATION_BITS)) > "${EVMSECFILE}"
fi

# unload the EVM encrypted key
unload_evm_key || return 1
if [ "$((evm_configured & EVM_INIT_HMAC))" -ne 0 ]; then
# unload the EVM encrypted key
unload_evm_key || return 1
fi

return 0
}
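Review bot: the result of the final write to `${EVMSECFILE}` is not checked in either branch. In the x509 branch, if the fallback `echo $((evm_configured | EVM_ACTIVATION_BITS)) > "${EVMSECFILE}"` also fails, and in the else branch if the single write fails, enable_evm still proceeds to unload the HMAC key and returns 0, so the caller believes EVM was enabled when the kernel rejected the value. Append `|| return 1` to the second and third echo lines (or capture the status and return it after the if/fi). Also, since the first write with EVM_ALLOW_METADATA_WRITES is expected to fail on older kernels, the shell's write-error message for that expected failure will appear on the console; redirecting its stderr to /dev/null keeps the boot log clean, which is the same concern the commit message raises for unload_evm_key.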
