Keys can only be loaded when rootfs is mounted. Initcalls
are not suitable for that. Provide a special hook.

Changes in v2:
* Hook renamed to 'integrity_load_keys()' so that the integrity subsystem
  handles both IMA and EVM keys.
* Hook patch moved after the patch that defines the loading functions

Signed-off-by: Dmitry Kasatkin <[email protected]>
---
 include/linux/integrity.h |  6 ++++++
 init/main.c               |  6 +++++-
 security/integrity/iint.c | 11 +++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/include/linux/integrity.h b/include/linux/integrity.h
index 83222ce..c2d6082 100644
--- a/include/linux/integrity.h
+++ b/include/linux/integrity.h
@@ -24,6 +24,7 @@ enum integrity_status {
 #ifdef CONFIG_INTEGRITY
 extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode);
 extern void integrity_inode_free(struct inode *inode);
+extern void __init integrity_load_keys(void);
 
 #else
 static inline struct integrity_iint_cache *
@@ -36,5 +37,10 @@ static inline void integrity_inode_free(struct inode *inode)
 {
        return;
 }
+
+static inline void integrity_load_keys(void)
+{
+}
 #endif /* CONFIG_INTEGRITY */
+
 #endif /* _LINUX_INTEGRITY_H */
diff --git a/init/main.c b/init/main.c
index e8ae1fe..2c1928d 100644
--- a/init/main.c
+++ b/init/main.c
@@ -78,6 +78,7 @@
 #include <linux/context_tracking.h>
 #include <linux/random.h>
 #include <linux/list.h>
+#include <linux/integrity.h>
 
 #include <asm/io.h>
 #include <asm/bugs.h>
@@ -1026,8 +1027,11 @@ static noinline void __init kernel_init_freeable(void)
         * Ok, we have completed the initial bootup, and
         * we're essentially up and running. Get rid of the
         * initmem segments and start the user-mode stuff..
+        *
+        * rootfs is available now, try loading the public keys
+        * and default modules
         */
 
-       /* rootfs is available now, try loading default modules */
+       integrity_load_keys();
        load_default_modules();
 }
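Review bot: The call order in `kernel_init_freeable()`, `integrity_load_keys()` before `load_default_modules()`, looks deliberate, but the merged comment only says both are tried once rootfs is available and does not say that the order matters. If the keys are meant to be in place before the default modules are read from rootfs, a short comment at the call would keep a later reorder from silently changing what gets verified, for example `/* load integrity keys first; later reads from rootfs may depend on them */`. The hook returns void, so nothing at this call site shows whether any key was actually loaded. The function body starts outside the hunk.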
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 0a76686..a1f5cd1 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -245,3 +245,14 @@ out:
        fput(file);
        return rc;
 }
+
+/*
+ * integrity_load_keys - load integrity keys hook
+ *
+ * Hooks is called from init/main.c:kernel_init_freeable()
+ * when rootfs is ready
+ */
+void __init integrity_load_keys(void)
+{
+       ima_load_x509();
+}
-- 
1.9.1
