diff options
author | Dmitry Kasatkin <d.kasatkin@samsung.com> | 2014-11-05 17:01:15 +0200 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2014-11-17 23:12:01 -0500 |
commit | c9cd2ce2bc6313aafa33f8e28d29a8690252f219 (patch) | |
tree | 6918661e956daa2bb688ea70103df3cc8859e246 /security | |
parent | fd5f4e9054acbf4f22fac81a358baf3c27aa42ac (diff) | |
download | op-kernel-dev-c9cd2ce2bc6313aafa33f8e28d29a8690252f219.zip op-kernel-dev-c9cd2ce2bc6313aafa33f8e28d29a8690252f219.tar.gz |
integrity: provide a hook to load keys when rootfs is ready
Keys can only be loaded once the rootfs is mounted. Initcalls
are not suitable for that. This patch defines a special hook
to load the x509 public keys onto the IMA keyring, before
attempting to access any file. The keys are required for
verifying the file's signature. The hook is called after the
root filesystem is mounted and before the kernel calls 'init'.
Changes in v3:
* added more explanation to the patch description (Mimi)
Changes in v2:
* Hook renamed as 'integrity_load_keys()' to handle both IMA and EVM
keys by integrity subsystem.
* Hook patch moved after defining loading functions
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/integrity/iint.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/security/integrity/iint.c b/security/integrity/iint.c index dbee618..df45640 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -245,3 +245,14 @@ out: fput(file); return rc; } + +/* + * integrity_load_keys - load integrity keys hook + * + * Hooks is called from init/main.c:kernel_init_freeable() + * when rootfs is ready + */ +void __init integrity_load_keys(void) +{ + ima_load_x509(); +} |