Hi, Currently secure IMA/EVM initialization has to be done from the initramfs, embedded in the signed kernel image. Many systems do not want to use initramfs or use unsigned locally generated images.
This patchset introduces kernel functionality, which allows to perform IMA/EVM initialization without initramfs from the kernel, which includes mainly following: - loading EVM hmac encrypted keys - loading and verification of signed X509 certificates - loading and verification of signed IMA policy Patchset introduces the set of new kernel configuration options, which makes this functionality entirely configurable. Not enabling any of the options does not change original IMA/EVM behavior. In order not to bloat security configuration menu, integrity subsystem options were moved to the separate menu. It does not affect existing configuration. Re-configuration is not needed. -Dmitry Dmitry Kasatkin (19): integrity: initialize EVM before IMA ima: move asymmetric keys config option integrity: move integrity subsystem options to a separate menu integrity: provide builtin 'trusted' keyrings ima: create '_ima' as a builtin 'trusted' keyring integrity: provide x509 certificate loading from the kernel ima: load x509 certificate from the kernel evm: create '_evm' as a builtin 'trusted' keyring evm: load x509 certificate from the kernel ima: added kernel parameter for disabling IMA ima: provide buffer hash calculation function ima: replace opencount with bitop ima: check if policy was set at open ima: path based policy loading interface ima: load policy from the kernel ima: make IMA policy replaceable at runtime evm: added kernel parameter for disabling EVM evm: try enable EVM from the kernel evm: read EVM key from the kernel Mimi Zohar (1): KEYS: verify a certificate is signed by a 'trusted' key crypto/asymmetric_keys/x509_public_key.c | 85 +++++++++++++++++++++++- security/integrity/Kconfig | 41 ++++++++---- security/integrity/Makefile | 4 +- security/integrity/digsig.c | 103 +++++++++++++++++++++++++++++ security/integrity/evm/Kconfig | 32 +++++++-- security/integrity/evm/evm.h | 14 ++++ security/integrity/evm/evm_crypto.c | 101 ++++++++++++++++++++++++++++ security/integrity/evm/evm_main.c | 25 +++++-- security/integrity/evm/evm_secfs.c | 13 ++-- security/integrity/ima/Kconfig | 49 +++++++++++++- security/integrity/ima/ima.h | 19 ++++++ security/integrity/ima/ima_crypto.c | 11 +++- security/integrity/ima/ima_fs.c | 48 ++++++++++---- security/integrity/ima/ima_init.c | 3 + security/integrity/ima/ima_main.c | 12 +++- security/integrity/ima/ima_policy.c | 109 ++++++++++++++++++++++++++++--- security/integrity/integrity.h | 20 ++++++ 17 files changed, 626 insertions(+), 63 deletions(-) -- 1.8.3.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
