From b7b42cdec7b20be00ea2c344189f5924951d3037 Mon Sep 17 00:00:00 2001
From: Tom Rini
Date: Wed, 16 May 2018 10:31:49 -0400
Subject: meta-integrity: init.ima: Switch to using keyctl

Rather than parse /proc/keys directly to find out the ID of the keyring that we're using, let keyctl do this for us. In order to do that we need to have /proc available as /proc, so move it around before and after working with keyctl.

Signed-off-by: Tom Rini
---
 meta-integrity/recipes-core/initrdscripts/files/init.ima | 6 ++++--
 meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/meta-integrity/recipes-core/initrdscripts/files/init.ima b/meta-integrity/recipes-core/initrdscripts/files/init.ima
index f117717..f11ff13 100755
--- a/meta-integrity/recipes-core/initrdscripts/files/init.ima
+++ b/meta-integrity/recipes-core/initrdscripts/files/init.ima
@@ -95,20 +95,22 @@ fi
 
 [ ! -d "$securityfs_dir/ima" ] && print_info "IMA is not enabled. Exiting ..." && exit 2
 
-keyring_id=0x`grep '\skeyring\s*\.ima: ' "${ROOT_DIR}/proc/keys" | awk '{ print $1 }'`
+mount --move ${ROOT_DIR}/proc /proc
 
 # The trusted IMA certificate /etc/keys/x509_evm.der in initramfs was
 # automatically loaded by kernel already. Here is the opportunity to load
 # a custom IMA certificate from the real rootfs.
 for cert in ${ROOT_DIR}/etc/keys/x509_evm*.der; do
     [ ! -s "$cert" ] && continue
+    name=`basename $cert`
 
-    if ! evmctl import "$cert" "$keyring_id" >"${ROOT_DIR}/dev/null"; then
+    if ! keyctl padd asymmetric "$name" %:.ima < $cert > ${ROOT_DIR}/dev/null; then
         print_critical "Unable to load the custom IMA certificate $cert for IMA appraisal"
     else
         print_verbose "The custom IMA certificate $cert loaded for IMA appraisal"
     fi
 done
+mount --move /proc ${ROOT_DIR}/proc
 
 # Attempt to load the default policy.
 [ ! -s "${IMA_POLICY}" ] && IMA_POLICY="${IMA_POLICY}.default"
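Review bot: Both `mount --move` calls added around the certificate loop are unchecked, so if the first move fails keyctl runs against whatever is (or is not) mounted at /proc, and the trailing move then relocates the wrong mount under `${ROOT_DIR}/proc` before the real root is entered; check each the way the certificate load is checked, e.g. `mount --move "${ROOT_DIR}/proc" /proc || print_critical "Unable to move ${ROOT_DIR}/proc to /proc for keyctl"` and the mirror image for the move back (whether print_critical exits or only logs is not visible in this hunk, so a failed move may still need an explicit guard before continuing). The new lines also drop the quoting the removed `evmctl` line had: `name=\`basename $cert\`` and `< $cert > ${ROOT_DIR}/dev/null` should be `name=$(basename "$cert")` and `<"$cert" >"${ROOT_DIR}/dev/null"`, since a path containing whitespace otherwise splits into an ambiguous redirect. A one-line comment above the first move, `# keyctl resolves %:.ima via /proc, so the real procfs must sit at /proc until the loop finishes`, would make the pairing of the two moves and the reason for them evident without reading the commit message.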
diff --git a/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb b/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb
index e615e05..b261e9e 100644
--- a/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb
+++ b/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb
@@ -34,7 +34,7 @@ RDEPENDS_${PN} += "\
     gawk \
     util-linux-mount \
     util-linux-umount \
-    ima-evm-utils \
+    keyutils \
     ima-policy \
 "
 
-- 
cgit v1.2.3-54-g00ecf