From: Curtis V. <cr...@so...> - 2015-01-27 19:48:19
I have pulled parts out of the evmctl(1) manual page into a script
and made a couple of minor changes. Hope this is helpful for someone.
Also comments and suggestions are always welcome.
This could be added to the ima-evm-utils examples if desired.
- Curtis
diff -ruN oldexamples/load_keys.sh examples/load_keys.sh
--- oldexamples/load_keys.sh 1969-12-31 17:00:00.000000000 -0700
+++ examples/load_keys.sh 2015-01-27 12:36:52.857679097 -0700
@@ -0,0 +1,54 @@
+#!/bin/bash
+# Load the default keys from /etc/keys and then the policy
+# This is mostly taken from the evmctl(1) page with minor changes
+# and a few fixes. (No TPM so I use the encrypted key
+# not the trusted one.)
+#
+# Copyright 2012 Linux Integrity Project Free use of this software
+# is granted under the terms of the GNU Public License (GPL)
+# Author of this rough incarnation of the script: Curtis Veit
+# Original Author: Dmitry Kasatkin and possibly others
+
+ima_id="`awk '/\.ima/ { print "0x"$1 } ' /proc/keys`"
+ # printf syntax fails for me
+if [ -z "$ima_id" ]; then
+ ima_id=`keyctl search @u keyring _ima 2>/dev/null`
+ if [ -z "$ima_id" ]; then
+ ima_id=`keyctl newring _ima @u`
+ fi
+ dotIMAring="no"
+fi
+
+#import the default ima certificate.
+ima_key=`evmctl import /etc/keys/x509_ima.der $ima_id`
+
+# Now do evm
+evm_id=`keyctl search @u keyring _evm 2>/dev/null`
+if [ -z "$evm_id" ]; then
+ evm_id=`keyctl newring _evm @u`
+fi
+
+#import the evm x509 certificate
+evmctl import /etc/keys/x509_evm.der $evm_id
+
+# add the EVM symetric key to the kernel keyring
+cat /etc/keys/kmk | keyctl padd user kmk @u
+keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
+
+# Do the following for locking down the keyrings.
+# Protect the EVM keyring
+keyctl setperm $evm_id 0x0b0b0000
+# protect _ima keyring
+# (The .ima keyring gives - keyctl_setperm: Permission denied)
+if [ "$dotIMAring" = "no" ]; then
+ keyctl setperm $ima_id 0x0b0b0000
+ # Protect IMA key from revoking (against DoS)
+ # use ima_key var from above. (the ima_key return value)
+ keyctl setperm $ima_key 0x0b0b0000
+fi
+
+# Turn everything on - not sure if there is a best order to the two line below...
+echo "1" > /sys/kernel/security/evm
+cat irms_policy > /sys/kernel/security/ima/policy
+
+exit 0
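Review bot: None of the keyctl/evmctl calls whose output is captured (`keyctl newring` at +29/+40, `evmctl import` at +35) is checked, and `$ima_id`, `$evm_id` and `$ima_key` are expanded unquoted at +35, +44, +52, +56 and +59, so a failed import or newring leaves the variable empty, `keyctl setperm $ima_key 0x0b0b0000` then runs with the permission mask in the key-id position, and the unconditional `exit 0` still reports success. Checking each assignment, e.g. `ima_key=$(evmctl import /etc/keys/x509_ima.der "$ima_id") || exit 1`, and quoting the ids in the setperm calls would make a partially loaded keyring visible instead of silently leaving it unlocked. At +64, `cat irms_policy` is a relative path that depends on the caller's working directory, and the name does not match the other paths in the script, so it is presumably meant to be an absolute path to the IMA policy file; confirm with the author. At +47, `cat /etc/keys/kmk | keyctl padd user kmk @u` can be `keyctl padd user kmk @u < /etc/keys/kmk`, which avoids the extra process and keeps the key material off any command line.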