On Mon, 2017-10-02 at 10:02 -0700, Matthew Garrett wrote: > On Sat, Sep 30, 2017 at 7:08 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote: > > On Wed, 2017-09-27 at 15:16 -0700, Matthew Garrett wrote: > >> A reasonable configuration is to use IMA to appraise a subset of files > >> (based on user, security label or other features supported by IMA) but > >> to also want to use EVM to validate not only the state of the IMA hash > >> but also additional metadata on the file. Right now this is only > >> possible if a symmetric key has been loaded, which may not be desirable > >> in all cases (eg, one where EVM digital signatures are shipped to end > >> systems rather than EVM HMACs being generated locally). > > > > Commit 26ddabfe96bb "evm: enable EVM when X509 certificate is loaded" > > already allows EVM to be enabled without loading a symmetric key. > > This only seems to be set if CONFIG_EVM_LOAD_X509 is set. Should there > be some sort of callback to set this if a key is loaded onto the evm > keyring at runtime? Currently writing 1 to the securityfs file causes the EVM key to be loaded. I would extend the existing evm_write_key(). Writing 2, for example, might skip attempting to load the EVM key. You'll probably want to make sure that a public key has been loaded first. Mimi
