init.ima: clean up and allow to load extra IMA policies from the real rootfs

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
author: Lans Zhang <jia.zhang@windriver.com> 2017-08-15 16:15:38 +0800
committer: Lans Zhang <jia.zhang@windriver.com> 2017-08-15 16:15:38 +0800
commit: eb08a619d88b853aed181502dff277de5c4caedf (patch)
tree: ca61d455b8c1683f22262cd3be36cbcac94c53d9
parent: 656706373f42dedd9763134d048dd42fc43aa31b (diff)
download: meta-secure-core-eb08a619d88b853aed181502dff277de5c4caedf.tar.gz
1 files changed, 18 insertions, 10 deletions
diff --git a/meta-integrity/recipes-core/initrdscripts/files/init.ima b/meta-integrity/recipes-core/initrdscripts/files/init.ima
index 65d4a37..5d12945 100755
--- a/meta-integrity/recipes-core/initrdscripts/files/init.ima
+++ b/meta-integrity/recipes-core/initrdscripts/files/init.ima
@@ -3,7 +3,7 @@
 # Initramfs script for IMA initialzation
 #
 # This script is a halper used to load the external
-# IMA policy and public keys used to verify the IMA
+# IMA policy and certificate used to verify the IMA
 # signature.
 #
 # Copyright (c) 2017, Jia Zhang <lans.zhang2008@gmail.com>
@@ -15,7 +15,7 @@
 # 0 - IMA initialiazation complete
 # 1 - Kernel doesn't support securityfs
 # 2 - Kernel doesn't support IMA
-# 3 - There is no public key to load
+# 3 - There is no IMA certificate to load
 # 4 - There is no IMA policy file defined
 # 5 - Unable to load IMA policy file
@@ -72,7 +72,7 @@ trap_handler() {
 trap "trap_handler $?" SIGINT EXIT
 if grep -q "ima_appraise=off" "${ROOT_DIR}/proc/cmdline"; then
-    print_info "Skip to load the public key and IMA policy"
+    print_info "Skip to load the IMA certificate and policy"
    exit 0
 fi
@@ -97,25 +97,33 @@ fi
 keyring_id=0x`grep '\skeyring\s*\.ima: ' "${ROOT_DIR}/proc/keys" | awk '{ print $1 }'`
-for key in ${ROOT_DIR}/etc/keys/x509_evm*.crt; do
+# The trusted IMA certificate /etc/keys/x509_evm.der in initramfs was
-    [ ! -s "$key" ] && continue
+# automatically loaded by kernel already. Here is the opportunity to load
+# a custom IMA certificate from the real rootfs.
+for cert in ${ROOT_DIR}/etc/keys/x509_evm*.crt; do
+    [ ! -s "$cert" ] && continue
-    if ! evmctl import "$key" "$keyring_id" >"${ROOT_DIR}/dev/null"; then
+    if ! evmctl import "$cert" "$keyring_id" >"${ROOT_DIR}/dev/null"; then
-        print_critical "Unable to load the public key $key for IMA appraisal"
+        print_critical "Unable to load the custom IMA certificate $cert for IMA appraisal"
    else
-        print_verbose "The external public key $key loaded for IMA appraisal"
+        print_verbose "The custom IMA certificate $cert loaded for IMA appraisal"
    fi
 done
 # Attempt to load the default policy.
-[ ! -f "${IMA_POLICY}" ] && IMA_POLICY="${IMA_POLICY}.default"
+[ ! -s "${IMA_POLICY}" ] && IMA_POLICY="${IMA_POLICY}.default"
-[ ! -f "${IMA_POLICY}" ] && {
+[ ! -s "${IMA_POLICY}" ] && {
    print_warning "No IMA policy file defined"
    exit 4
 }
 echo "${IMA_POLICY}" > "$securityfs_dir/ima/policy" && {
+    # Attempt to load IMA policies from the real rootfs.
+    for policy in ${ROOT_DIR}/etc/ima/ima_policy*; do
+        echo "$policy" > "$securityfs_dir/ima/policy"
+    done
    exit 0
 } || {
    print_critical "Unable to load the IMA policy ${IMA_POLICY}"
author	Lans Zhang <jia.zhang@windriver.com>	2017-08-15 16:15:38 +0800
committer	Lans Zhang <jia.zhang@windriver.com>	2017-08-15 16:15:38 +0800
commit	eb08a619d88b853aed181502dff277de5c4caedf (patch)
tree	ca61d455b8c1683f22262cd3be36cbcac94c53d9
parent	656706373f42dedd9763134d048dd42fc43aa31b (diff)
download	meta-secure-core-eb08a619d88b853aed181502dff277de5c4caedf.tar.gz