modules.d/97masterkey/masterkey.sh

   1 #!/bin/sh
   2
   3 # Licensed under the GPLv2
   4 #
   5 # Copyright (C) 2011 Politecnico di Torino, Italy
   6 #                    TORSEC group -- http://security.polito.it
   7 # Roberto Sassu <roberto.sassu@polito.it>
   8
   9 MASTERKEYSCONFIG="${NEWROOT}/etc/sysconfig/masterkey"
  10 MULTIKERNELMODE="NO"
  11 PCRLOCKNUM=11
  12
  13 load_masterkey()
  14 {
  15     # read the configuration from the config file
  16     [ -f "${MASTERKEYSCONFIG}" ] && \
  17         . ${MASTERKEYSCONFIG}
  18
  19     # override the kernel master key path name from the 'masterkey=' parameter
  20     # in the kernel command line
  21     MASTERKEYARG=$(getarg masterkey=)
  22     [ $? -eq 0 ] && \
  23         MASTERKEY=${MASTERKEYARG}
  24
  25     # override the kernel master key type from the 'masterkeytype=' parameter
  26     # in the kernel command line
  27     MASTERKEYTYPEARG=$(getarg masterkeytype=)
  28     [ $? -eq 0 ] && \
  29         MASTERKEYTYPE=${MASTERKEYTYPEARG}
  30
  31     # set default values
  32     [ -z "${MASTERKEYTYPE}" ] && \
  33         MASTERKEYTYPE="trusted"
  34
  35     if [ -z "${MASTERKEY}" ]; then
  36         # append the kernel version to the default masterkey path name
  37         # if MULTIKERNELMODE is set to YES
  38         if [ "${MULTIKERNELMODE}" = "YES" ]; then
  39             MASTERKEY="/etc/keys/kmk-${MASTERKEYTYPE}-$(uname -r).blob"
  40         else
  41             MASTERKEY="/etc/keys/kmk-${MASTERKEYTYPE}.blob"
  42         fi
  43     fi
  44
  45     # set the kernel master key path name
  46     MASTERKEYPATH="${NEWROOT}${MASTERKEY}"
  47
  48     # check for kernel master key's existence
  49     if [ ! -f "${MASTERKEYPATH}" ]; then
  50         if [ "${RD_DEBUG}" = "yes" ]; then
  51             info "masterkey: kernel master key file not found: ${MASTERKEYPATH}"
  52         fi
  53         return 1
  54     fi
  55
  56     # read the kernel master key blob
  57     KEYBLOB=$(cat ${MASTERKEYPATH})
  58
  59     # add the 'load' prefix if the key type is 'trusted'
  60     [ "${MASTERKEYTYPE}" = "trusted" ] && \
  61         KEYBLOB="load ${KEYBLOB} pcrlock=${PCRLOCKNUM}"
  62
  63     # load the kernel master key
  64     info "Loading the kernel master key"
  65     keyctl add "${MASTERKEYTYPE}" "kmk-${MASTERKEYTYPE}" "${KEYBLOB}" @u >/dev/null || {
  66         info "masterkey: failed to load the kernel master key: kmk-${MASTERKEYTYPE}";
  67         return 1;
  68     }
  69
  70     return 0
  71 }
  72
  73 load_masterkey