tree f0a5e93a6b58a3671a0ee595dd869bc13602fcf7
parent 3e4ff83140e48289a182cbfd36c15fa84f1084ec
author Dmitry Kasatkin <dmitry.kasatkin@huawei.com> 1508354418 +0300
committer Dmitry Kasatkin <dmitry.kasatkin@huawei.com> 1508354509 +0300

evm: load EVM key from the kernel

Currently the EVM key needs to be added from user space and it has to
be done before mounting filesystems. It requires initramfs. Many systems
often do not want to use initramfs.

This patch provides support for loading EVM key from the kernel.

It supports both 'trusted' and 'user' master keys. However, it is
recommended to use 'trusted' master key, because 'user' master key
is in non-encrypted form.

Until the key is loaded, EVM stays disabled. To keep default behavior,
this patch adds the kernel parameter 'evm_load' to enable loading of the
key.

It also moves EVM initialization before IMA to prevent appraisal failure
when the kernel tries to access the file system without an initial ramfs.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
