Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / 15ae2509e522678e761046cdb8693291c09cf78c / . / meta-security / meta-integrity / recipes-core / initrdscripts / initramfs-framework-ima / ima
blob: 8616f9924aa6e83158e5770afaf3b0779564385c [file] [log] [blame]
Brad Bishop15ae2502019-06-18 21:44:24 -0400[diff] [blame^]1#!/bin/sh
2#
3# Loads IMA policy into the kernel.
4
5ima_enabled() {
6 if [ "$bootparam_no_ima" = "true" ]; then
7 return 1
8 fi
9}
10
11ima_run() {
12 info "Initializing IMA (can be skipped with no_ima boot parameter)."
13 if ! grep -w securityfs /proc/mounts >/dev/null; then
14 if ! mount -t securityfs securityfs /sys/kernel/security; then
15 fatal "Could not mount securityfs."
16 fi
17 fi
18 if [ ! -d /sys/kernel/security/ima ]; then
19 fatal "No /sys/kernel/security/ima. Cannot proceed without IMA enabled in the kernel."
20 fi
21
22 # Instead of depending on the kernel to load the IMA X.509 certificate,
23 # use keyctl. This avoids a bug in certain kernels (https://lkml.org/lkml/2015/9/10/492)
24 # where the loaded key was not checked sufficiently. We use keyctl here because it is
25 # slightly smaller than evmctl and is needed anyway.
26 # (see http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/v0.9/tree/README#l349).
27 for kind in ima evm; do
28 key=/etc/keys/x509_$kind.der
29 if [ -s $key ]; then
30 id=$(grep -w -e "\.$kind" /proc/keys | cut -d ' ' -f1 | head -n 1)
31 if [ "$id" ]; then
32 id=$(printf "%d" 0x$id)
33 fi
34 if [ -z "$id" ]; then
35 id=`keyctl search @u keyring _$kind 2>/dev/null`
36 if [ -z "$id" ]; then
37 id=`keyctl newring _$kind @u`
38 fi
39 fi
40 info "Loading $key into $kind keyring $id"
41 keyctl padd asymmetric "" $id <$key
42 fi
43 done
44
45 # In theory, a simple "cat" should be enough. In practice, loading sometimes fails randomly
46 # ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when
47 # checking the write of each line. To minimize the risk of policy loading going wrong we
48 # also remove comments and blank lines ourselves.
49 if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima-policy >/sys/kernel/security/ima/policy; then
50 fatal "Could not load IMA policy."
51 fi
52}