dracut/SOURCES/0041.patch
2023-09-21 18:19:38 +00:00

50 lines
1.4 KiB
Diff

From 9d2a3df5453001612b225c7423451f6e02e06c19 Mon Sep 17 00:00:00 2001
From: Alberto Planas <aplanas@suse.com>
Date: Mon, 20 Jun 2022 17:13:19 +0200
Subject: [PATCH] fix(integrity): do not enable EVM if there is no key
Track when a key is successfully loaded, and return 1 if no key has been
loaded. This will not enable EVM if there are no keys available in the
system.
Fix #1847
Signed-off-by: Alberto Planas <aplanas@suse.com>
(Cherry-picked commit: 90585c624af15ba0abb7f32b0c2afc2b122dd019)
Related: #2158155
---
modules.d/98integrity/evm-enable.sh | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
index 0abdfb80..913b5f12 100755
--- a/modules.d/98integrity/evm-enable.sh
+++ b/modules.d/98integrity/evm-enable.sh
@@ -99,6 +99,7 @@ load_evm_x509() {
fi
# load the default EVM public key onto the EVM keyring along
# with all the other ones in $EVMKEYSDIR
+ local key_imported=1
for PUBKEY in ${EVMX509PATH} "${NEWROOT}${EVMKEYSDIR}"/*; do
if [ ! -f "${PUBKEY}" ]; then
if [ "${RD_DEBUG}" = "yes" ]; then
@@ -110,13 +111,14 @@ load_evm_x509() {
info "integrity: failed to load the EVM X509 cert ${PUBKEY}"
return 1
fi
+ key_imported=0
done
if [ "${RD_DEBUG}" = "yes" ]; then
keyctl show @u
fi
- return 0
+ return ${key_imported}
}
unload_evm_key() {