From: Martin T. <mto...@gm...> - 2017-10-11 17:12:59
Hi,

I want to sign a root filesystem offline using the same private key for both IMA and EVM, i.e. using evmctl sign --imasig. This image is read-only and is on an embedded product.

The kernel automatically loads the public key as I have

CONFIG_IMA_TRUSTED_KEYRING=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/ima_x509.der"

set in the kernel configuration.

I can't see how to enable this key for verifying EVM as soon as the kernel passes control to the init process. Is this possible? Do I have to write my own init process, which could be a script to load /etc/keys/ima_x509.der into the EVM keyring, enable EVM and then pass control to systemd?

Many thanks in advance,
Martin.
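The init-wrapper approach the question sketches, written out as an added example that is not part of the post or of ima-evm-utils. It assumes the kernel-owned `.evm` keyring exists (trusted-keyring config), that `keyctl` from keyutils is on the image, and that the securityfs `evm` file takes the bit values documented in Documentation/ABI/testing/evm; the paths are placeholders to check against the target.

```shell
#!/bin/sh
# Added example, not from the post or ima-evm-utils: a PID 1 wrapper that
# loads the IMA X.509 cert into the kernel .evm keyring, switches EVM on,
# then hands over to systemd. Paths, the keyctl form and the securityfs
# value are assumptions; check them against the target kernel and keyutils.

IMA_CERT="${IMA_CERT:-/etc/keys/ima_x509.der}"
EVM_CTRL="${EVM_CTRL:-/sys/kernel/security/evm}"
REAL_INIT="${REAL_INIT:-/lib/systemd/systemd}"
# 2 = enable digital signature verification only; 1 would also require the
# EVM HMAC key ('evm-key'), which a read-only signed image does not carry.
EVM_MODE="${EVM_MODE:-2}"

# Refuse anything that is not a non-empty DER blob (a DER SEQUENCE starts
# with 0x30), so a missing or truncated cert fails loudly instead of
# leaving EVM silently off.
check_cert() {
    [ -s "$1" ] || return 1
    [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

# Add the cert as an asymmetric key to the kernel-owned .evm keyring.
# With a trusted keyring the kernel only accepts certs signed by a key it
# already trusts, so a cert dropped onto the filesystem cannot enroll itself.
load_evm_key() {
    keyctl padd asymmetric "" %keyring:.evm < "$1"
}

# Keys must be in place before EVM is switched on.
enable_evm() {
    echo "$2" > "$1"
}

# Returns non-zero on any failure so the caller can halt rather than boot
# with EVM disabled.
evm_boot() {
    check_cert "$IMA_CERT" || { echo "bad or missing cert: $IMA_CERT" >&2; return 1; }
    load_evm_key "$IMA_CERT" >/dev/null || { echo "keyctl padd failed" >&2; return 1; }
    enable_evm "$EVM_CTRL" "$EVM_MODE" || { echo "enabling EVM failed" >&2; return 1; }
}

# Only take over init duties when actually running as PID 1.
if [ "$$" = "1" ]; then
    evm_boot || exit 1
    exec "$REAL_INIT" "$@"
fi
```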