From 26ddabfe96bb7468763c9c92791404d991b16250 Mon Sep 17 00:00:00 2001 From: Dmitry Kasatkin Date: Thu, 22 Oct 2015 21:26:26 +0300 Subject: evm: enable EVM when X509 certificate is loaded In order to enable EVM before starting the 'init' process, evm_initialized needs to be non-zero. Previously non-zero indicated that the HMAC key was loaded. When EVM loads the X509 before calling 'init', with this patch it is now possible to enable EVM to start signature based verification. This patch defines bits to enable EVM if a key of any type is loaded. Changes in v3: * print error message if key is not set Changes in v2: * EVM_STATE_KEY_SET replaced by EVM_INIT_HMAC * EVM_STATE_X509_SET replaced by EVM_INIT_X509 Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar --- security/integrity/evm/evm_crypto.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'security/integrity/evm/evm_crypto.c') diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index 461f8d891579..2c3591eca989 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -40,6 +40,10 @@ static struct shash_desc *init_desc(char type) struct shash_desc *desc; if (type == EVM_XATTR_HMAC) { + if (!(evm_initialized & EVM_INIT_HMAC)) { + pr_err("HMAC key is not set\n"); + return ERR_PTR(-ENOKEY); + } tfm = &hmac_tfm; algo = evm_hmac; } else { -- cgit v1.2.3-59-g8ed1b