evm: load EVM key from the kernel
Currently, the EVM key needs to be added from user space, and it has to be
done before mounting filesystems. This requires an initramfs. Many systems
often do not want to use an initramfs.

This patch provides support for loading the EVM key from the kernel.
It supports both 'trusted' and 'user' master keys. However, it is
recommended to use a 'trusted' master key, because a 'user' master key
is in non-encrypted form.

Until the key is loaded, EVM stays disabled. To keep the default behavior, this
patch adds the kernel parameter 'evm_load' to enable loading of the key.

It also moves EVM initialization before IMA to prevent appraisal failures
when the kernel tries to access the file system without an initial ramfs.
Signed-off-by: Dmitry Kasatkin <email@example.com>
6 files changed