File: evm-enable.sh

#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh

# Licensed under the GPLv2
#
# Copyright (C) 2011 Politecnico di Torino, Italy
#                    TORSEC group -- http://security.polito.it
# Roberto Sassu <roberto.sassu@polito.it>

# description and type of the key that load_evm_key adds to the user keyring
EVMKEYDESC="evm-key"
EVMKEYTYPE="encrypted"
# serial of the loaded key: filled in by load_evm_key, consumed by unload_evm_key
EVMKEYID=""
# optional shell configuration sourced by load_evm_key from the new root
EVMCONFIG="${NEWROOT}/etc/sysconfig/evm"
# securityfs knob that enable_evm writes to in order to switch EVM on
EVMSECFILE="${SECURITYFSDIR}/evm"

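load_evm_key()
{
    # Load the EVM encrypted key blob from the new root into the user keyring.
    # Globals read:    EVMCONFIG, EVMKEYTYPE, EVMKEYDESC, NEWROOT, RD_DEBUG
    # Globals written: EVMKEY, EVMKEYARG, EVMKEYPATH, KEYBLOB, EVMKEYID
    # Returns:         0 when the key was added (EVMKEYID holds its serial),
    #                  1 when the blob is missing/empty or keyctl rejected it

    # read the configuration from the config file; it is sourced as shell
    # code, so only a file on the (not yet verified) root filesystem is run
    [ -f "${EVMCONFIG}" ] && \
        . "${EVMCONFIG}"

    # override the EVM key path name from the 'evmkey=' parameter in the kernel
    # command line
    EVMKEYARG=$(getarg evmkey=)
    [ $? -eq 0 ] && \
        EVMKEY="${EVMKEYARG}"

    # set the default value
    [ -z "${EVMKEY}" ] && \
        EVMKEY="/etc/keys/evm-trusted.blob"

    # set the EVM key path name
    EVMKEYPATH="${NEWROOT}${EVMKEY}"

    # check for EVM encrypted key's existence
    if [ ! -f "${EVMKEYPATH}" ]; then
        if [ "${RD_DEBUG}" = "yes" ]; then
            info "integrity: EVM encrypted key file not found: ${EVMKEYPATH}"
        fi
        return 1
    fi

    # read the EVM encrypted key blob (quoted: NEWROOT may contain spaces)
    KEYBLOB=$(cat "${EVMKEYPATH}")
    [ -n "${KEYBLOB}" ] || {
        info "integrity: EVM encrypted key file is empty: ${EVMKEYPATH}";
        return 1;
    }

    # load the EVM encrypted key; the payload is handed to keyctl on stdin
    # (padd) instead of argv so the blob does not appear in /proc/*/cmdline
    EVMKEYID=$(printf 'load %s' "${KEYBLOB}" | \
        keyctl padd "${EVMKEYTYPE}" "${EVMKEYDESC}" @u)
    [ $? -eq 0 ] || {
        info "integrity: failed to load the EVM encrypted key: ${EVMKEYDESC}";
        return 1;
    }

    return 0
}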

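unload_evm_key()
{
    # Remove the EVM encrypted key added by load_evm_key from the user keyring.
    # Globals read:    EVMKEYID (key serial), EVMKEYDESC (for messages)
    # Globals written: EVMKEYID is cleared on success
    # Returns:         0 when unlinked, 1 when no key is loaded or keyctl fails

    # nothing to unlink unless load_evm_key succeeded; without this guard
    # keyctl would be invoked with the serial argument missing
    [ -n "${EVMKEYID}" ] || {
        info "integrity: no EVM encrypted key loaded: ${EVMKEYDESC}";
        return 1;
    }

    # unlink the EVM encrypted key
    keyctl unlink "${EVMKEYID}" @u || {
        info "integrity: failed to unlink the EVM encrypted key: ${EVMKEYDESC}";
        return 1;
    }

    # forget the serial so a repeated call cannot unlink a reused id
    EVMKEYID=""
    return 0
}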

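enable_evm()
{
    # Switch EVM on: load the encrypted key, write 1 to the securityfs 'evm'
    # file, then unlink the key again.
    # Globals read: EVMSECFILE, RD_DEBUG
    # Returns:      0 when EVM was enabled or the kernel has no EVM support,
    #               1 when the key could not be loaded/unloaded or the
    #               enabling write was rejected

    # check kernel support for EVM
    if [ ! -e "${EVMSECFILE}" ]; then
        if [ "${RD_DEBUG}" = "yes" ]; then
            info "integrity: EVM kernel support is disabled"
        fi
        return 0
    fi

    # load the EVM encrypted key
    load_evm_key || return 1

    # initialize EVM; a rejected write leaves EVM off, so the status must be
    # checked rather than assumed, and the key is cleaned up on that path too
    info "Enabling EVM"
    if ! echo 1 > "${EVMSECFILE}"; then
        info "integrity: failed to enable EVM via ${EVMSECFILE}"
        unload_evm_key
        return 1
    fi

    # unload the EVM encrypted key
    unload_evm_key || return 1

    return 0
}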

# Entry point: enable EVM when this script is executed; the status returned
# by enable_evm is not acted upon here.
enable_evm