#!/bin/sh /etc/rc.common
# IMA and EVM setup
# rc.common boot priority: 99 runs this near the end of boot, so the root
# filesystem holding /etc/keys and the keyctl/evmctl tools used by start()
# should already be in place.
START=99
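start() {
	echo "Load in the EVM and IMA keys"

	# Mode selection comes from the kernel command line. These are plain
	# substring matches (exactly what the former grep-based checks did), so
	# the variables are only non-empty flags, not values.
	local cmdline ima_appraise="" fix="" off="" evm=""
	cmdline=$(cat /proc/cmdline)
	case "$cmdline" in *ima_appraise_tcb*) ima_appraise=1 ;; esac
	case "$cmdline" in *ima_appraise=fix*) fix=1 ;; esac
	case "$cmdline" in *ima_appraise=off*) off=1 ;; esac
	case "$cmdline" in *evm=fix*) evm=1 ;; esac

	# Without ima_appraise_tcb there is nothing to load: neither the IMA nor
	# the EVM branch below would run.
	[ -n "$ima_appraise" ] || return 0

	local secfs=/sys/kernel/security
	grep -q "$secfs" /proc/mounts || mount -n -t securityfs securityfs "$secfs"

	# Pick the keyring for the IMA certificate. The kernel's own .ima keyring
	# is preferred: a certificate added there must be signed by a key the
	# kernel already trusts. Only when it is absent do we fall back to a _ima
	# user keyring, where whatever this script imports is trusted outright.
	# NOTE(review): the awk conversion relies on "0x.." strings being read as
	# hex (busybox awk/mawk do this; gawk needs --non-decimal-data) -- confirm
	# for the awk shipped on the target.
	local ima_id
	ima_id=$(awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys)
	if [ -z "$ima_id" ]; then
		ima_id=$(keyctl search @u keyring _ima 2>/dev/null)
		[ -n "$ima_id" ] || ima_id=$(keyctl newring _ima @u)
	fi
	evmctl import /etc/keys/x509_ima.der "$ima_id" ||
		echo "ima-evm: import of /etc/keys/x509_ima.der into keyring $ima_id failed" >&2

	# The EVM side only runs when evm=fix was given as well.
	[ -n "$evm" ] || return 0

	local evm_id
	evm_id=$(keyctl search @u keyring _evm 2>/dev/null)
	[ -n "$evm_id" ] || evm_id=$(keyctl newring _evm @u)
	evmctl import /etc/keys/x509_evm.der "$evm_id" ||
		echo "ima-evm: import of /etc/keys/x509_evm.der into keyring $evm_id failed" >&2

	# kmk is the plaintext master key that wraps evm-key; evm-key is the
	# kernel "encrypted" key blob used for EVM HMACs. Anyone who can read kmk
	# can forge EVM HMACs, so it is written with tight permissions below and
	# never passed on a command line (argv is visible via ps / /proc).
	local kmk_file=/etc/keys/kmk evm_key_file=/etc/keys/evm-key
	if [ -f "$kmk_file" ] && [ -f "$evm_key_file" ]; then
		if [ -z "$off" ]; then
			# Restore the saved keys: kmk via stdin, then the encrypted blob
			# (ciphertext plus MAC, so passing it in argv is acceptable).
			keyctl padd user kmk @u < "$kmk_file"
			keyctl add encrypted evm-key "load $(cat "$evm_key_file")" @u
		fi
	elif [ -n "$fix" ]; then
		# First boot in fix mode: generate the keys and persist them so the
		# same evm-key is available on later (enforcing) boots. The files are
		# created with mode 0600 from the start rather than chmod'ed later, so
		# there is no window in which they are world-readable. A production
		# build should seal kmk to a TPM (trusted key) rather than keeping it
		# in the clear on the root filesystem.
		local saved_umask
		saved_umask=$(umask)
		umask 077
		mkdir -p /etc/keys
		# Feed the 32 random bytes through stdin: a $(...) substitution would
		# silently drop NUL bytes (shortening the key) and expose it in argv.
		dd if=/dev/urandom bs=1 count=32 2>/dev/null | keyctl padd user kmk @u
		keyctl pipe "$(keyctl search @u user kmk)" > "$kmk_file"
		# 64-byte encrypted key, wrapped by kmk, used for the EVM HMAC.
		keyctl add encrypted evm-key "new user:kmk 64" @u
		keyctl pipe "$(keyctl search @u encrypted evm-key)" > "$evm_key_file"
		sync
		umask "$saved_umask"
		# Manual helpers for signing files under appraisal:
		#   hash only:        evmctl ima_hash $file
		#   IMA signature:    evmctl ima_sign --key /etc/keys/privkey_ima.pem $file --uuid --generation 0
		#   IMA hash + EVM:   evmctl sign --imahash --key /etc/keys/privkey_evm.pem $file --uuid --generation 0
	fi

	# Enforce: switch EVM on unless ima_appraise=off was requested.
	# NOTE(review): if evm-key was not loaded the kernel is expected to refuse
	# this write; we only log that -- confirm whether it should be fatal here.
	if [ -z "$off" ]; then
		echo 1 > "$secfs/evm" || echo "ima-evm: enabling EVM failed" >&2
	fi
}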