fix(integrity): properly set up EVM when using an x509 cert

stefanberger · johannbg · commit 4bdd7eb23a81 · 2021-05-03T08:13:48.000Z
The current EVM script does not handle the EVM setup properly when X509
certificates are involved. In this patch we extend the setup and add
the necessary flags for support of EVM activation that include
x509 certificates, possibly in conjunction with an HMAC key. We also
first try activating EVM for x509 certificates using
EVM_ALLOW_METADATA_WRITES for newer kernels, then without it for older
ones that did not support this flag.

We add support for additional EVM activation bits to be set, such
as EVM_SETUP_COMPLETE (0x80000000) via the config file and
EVM_ACTIVATION_BITS variable.

To avoid error messages related to unloading the HMAC key if none is
used, only attempt to unload the HMAC key if one was actually set.

We add documentation about the variables that can be set in the EVM
config file.

Signed-off-by: Stefan Berger &lt;stefanb@linux.ibm.com&gt;
Reviewed-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Cc: Roberto Sassu &lt;roberto.sassu@huawei.com&gt;
diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
@@ -11,6 +11,15 @@ EVMCONFIG="${NEWROOT}/etc/sysconfig/evm"
 EVMKEYDESC="evm-key"
 EVMKEYTYPE="encrypted"
 EVMKEYID=""
+EVM_ACTIVATION_BITS=0
+
+# The following variables can be set in /etc/sysconfig/evm:
+# EVMKEY: path to the symmetric key; defaults to /etc/keys/evm-trusted.blob
+# EVMKEYDESC: Description of the symmetric key; default is 'evm-key'
+# EVMKEYTYPE: Type of the symmetric key; default is 'encrypted'
+# EMX509: path to x509 cert; default is /etc/keys/x509_evm.der
+# EVM_ACTIVATION_BITS: additional EVM activation bits, such as
+#                      EVM_SETUP_COMPLETE; default is 0
 
 load_evm_key() {
     # read the configuration from the config file
@@ -121,25 +130,35 @@ enable_evm() {
         return 0
     fi
 
-    local evm_configured
+    local evm_configured=0
+    local EVM_INIT_HMAC=1 EVM_INIT_X509=2 EVM_ALLOW_METADATA_WRITES=4
 
     # try to load the EVM encrypted key
-    load_evm_key && evm_configured=1
+    load_evm_key && evm_configured=${EVM_INIT_HMAC}
 
     # try to load the EVM public key
-    load_evm_x509 && evm_configured=1
+    load_evm_x509 && evm_configured=$((evm_configured | EVM_INIT_X509))
 
     # only enable EVM if a key or x509 certificate could be loaded
-    if [ -z "$evm_configured" ]; then
+    if [ $evm_configured -eq 0 ]; then
         return 1
     fi
 
     # initialize EVM
     info "Enabling EVM"
-    echo 1 > "${EVMSECFILE}"
+    if [ "$((evm_configured & EVM_INIT_X509))" -ne 0 ]; then
+      # Older kernels did not support EVM_ALLOW_METADATA_WRITES, try for
+      # newer ones first that need it when an x509 is used
+      echo $((evm_configured | EVM_ALLOW_METADATA_WRITES | EVM_ACTIVATION_BITS)) > "${EVMSECFILE}" ||
+        echo $((evm_configured | EVM_ACTIVATION_BITS)) > "${EVMSECFILE}"
+    else
+      echo $((evm_configured | EVM_ACTIVATION_BITS)) > "${EVMSECFILE}"
+    fi
 
-    # unload the EVM encrypted key
-    unload_evm_key || return 1
+    if [ "$((evm_configured & EVM_INIT_HMAC))" -ne 0 ]; then
+      # unload the EVM encrypted key
+      unload_evm_key || return 1
+    fi
 
     return 0
 }
