diff options
author | Dmitry Kasatkin <dmitry.kasatkin@huawei.com> | 2015-10-22 20:26:26 +0200 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2015-12-15 14:50:48 +0100 |
commit | 26ddabfe96bb7468763c9c92791404d991b16250 (patch) | |
tree | 1b97563509dec74394acdb7351bf15d130284909 /security/integrity/evm/evm_secfs.c | |
parent | evm: load an x509 certificate from the kernel (diff) | |
download | linux-26ddabfe96bb7468763c9c92791404d991b16250.tar.xz linux-26ddabfe96bb7468763c9c92791404d991b16250.zip |
evm: enable EVM when X509 certificate is loaded
In order to enable EVM before starting the 'init' process,
evm_initialized needs to be non-zero. Previously non-zero indicated
that the HMAC key was loaded. When EVM loads the X509 before calling
'init', with this patch it is now possible to enable EVM to start
signature based verification.
This patch defines bits to enable EVM if a key of any type is loaded.
Changes in v3:
* print error message if key is not set
Changes in v2:
* EVM_STATE_KEY_SET replaced by EVM_INIT_HMAC
* EVM_STATE_X509_SET replaced by EVM_INIT_X509
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/evm/evm_secfs.c')
-rw-r--r-- | security/integrity/evm/evm_secfs.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c index cf12a04717d3..3f775dfea868 100644 --- a/security/integrity/evm/evm_secfs.c +++ b/security/integrity/evm/evm_secfs.c @@ -64,7 +64,7 @@ static ssize_t evm_write_key(struct file *file, const char __user *buf, char temp[80]; int i, error; - if (!capable(CAP_SYS_ADMIN) || evm_initialized) + if (!capable(CAP_SYS_ADMIN) || (evm_initialized & EVM_INIT_HMAC)) return -EPERM; if (count >= sizeof(temp) || count == 0) @@ -80,7 +80,7 @@ static ssize_t evm_write_key(struct file *file, const char __user *buf, error = evm_init_key(); if (!error) { - evm_initialized = 1; + evm_initialized |= EVM_INIT_HMAC; pr_info("initialized\n"); } else pr_err("initialization failed\n"); |