fix(integrity): properly set up EVM when using an x509 cert

The current EVM script does not handle the EVM setup properly when X509 certificates are involved. In this patch we extend the setup and add the necessary flags for support of EVM activation that include x509 certificates, possibly in conjunction with an HMAC key. We also first try activating EVM for x509 certificates using EVM_ALLOW_METADATA_WRITES for newer kernels, then without it for older ones that did not support this flag. We add support for additional EVM activation bits to be set, such as EVM_SETUP_COMPLETE (0x80000000) via the config file and EVM_ACTIVATION_BITS variable. To avoid error messages related to unloading the HMAC key if none is used, only attempt to unload the HMAC key if one was actually set. We add documentation about the variables that can be set in the EVM config file. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Cc: Roberto Sassu <roberto.sassu@huawei.com>
dracutdevs · May 3, 2021 · 4bdd7eb · 4bdd7eb
1 parent 8f99fad
commit 4bdd7eb
Showing 1 changed file with 26 additions and 7 deletions.
diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
@@ -11,6 +11,15 @@ EVMCONFIG="${NEWROOT}/etc/sysconfig/evm"
 EVMKEYDESC="evm-key"
 EVMKEYTYPE="encrypted"
 EVMKEYID=""
+EVM_ACTIVATION_BITS=0
+
+# The following variables can be set in /etc/sysconfig/evm:
+# EVMKEY: path to the symmetric key; defaults to /etc/keys/evm-trusted.blob
+# EVMKEYDESC: Description of the symmetric key; default is 'evm-key'
+# EVMKEYTYPE: Type of the symmetric key; default is 'encrypted'
+# EMX509: path to x509 cert; default is /etc/keys/x509_evm.der
+# EVM_ACTIVATION_BITS: additional EVM activation bits, such as
+#                      EVM_SETUP_COMPLETE; default is 0
 
 load_evm_key() {
     # read the configuration from the config file
@@ -121,25 +130,35 @@ enable_evm() {
         return 0
     fi
 
-    local evm_configured
+    local evm_configured=0
+    local EVM_INIT_HMAC=1 EVM_INIT_X509=2 EVM_ALLOW_METADATA_WRITES=4
 
     # try to load the EVM encrypted key
-    load_evm_key && evm_configured=1
+    load_evm_key && evm_configured=${EVM_INIT_HMAC}
 
     # try to load the EVM public key
-    load_evm_x509 && evm_configured=1
+    load_evm_x509 && evm_configured=$((evm_configured | EVM_INIT_X509))
 
     # only enable EVM if a key or x509 certificate could be loaded
-    if [ -z "$evm_configured" ]; then
+    if [ $evm_configured -eq 0 ]; then
         return 1
     fi
 
     # initialize EVM
     info "Enabling EVM"
-    echo 1 > "${EVMSECFILE}"
+    if [ "$((evm_configured & EVM_INIT_X509))" -ne 0 ]; then
+      # Older kernels did not support EVM_ALLOW_METADATA_WRITES, try for
+      # newer ones first that need it when an x509 is used
+      echo $((evm_configured | EVM_ALLOW_METADATA_WRITES | EVM_ACTIVATION_BITS)) > "${EVMSECFILE}" ||
+        echo $((evm_configured | EVM_ACTIVATION_BITS)) > "${EVMSECFILE}"
+    else
+      echo $((evm_configured | EVM_ACTIVATION_BITS)) > "${EVMSECFILE}"
+    fi
 
-    # unload the EVM encrypted key
-    unload_evm_key || return 1
+    if [ "$((evm_configured & EVM_INIT_HMAC))" -ne 0 ]; then
+      # unload the EVM encrypted key
+      unload_evm_key || return 1
+    fi
 
     return 0
 }