On Sat, Sep 30, 2017 at 7:08 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote: > On Wed, 2017-09-27 at 15:16 -0700, Matthew Garrett wrote: >> A reasonable configuration is to use IMA to appraise a subset of files >> (based on user, security label or other features supported by IMA) but >> to also want to use EVM to validate not only the state of the IMA hash >> but also additional metadata on the file. Right now this is only >> possible if a symmetric key has been loaded, which may not be desirable >> in all cases (eg, one where EVM digital signatures are shipped to end >> systems rather than EVM HMACs being generated locally). > > Commit 26ddabfe96bb "evm: enable EVM when X509 certificate is loaded" > already allows EVM to be enabled without loading a symmetric key. This only seems to be set if CONFIG_EVM_LOAD_X509 is set. Should there be some sort of callback to set this if a key is loaded onto the evm keyring at runtime?
