IMA: Define workqueue for early boot key measurements Measuring keys requires a custom IMA policy to be loaded. Keys created or updated before a custom IMA policy is loaded should be queued and will be processed after a custom policy is loaded. This patch defines a workqueue for queuing keys when a custom IMA policy has not yet been loaded. An intermediate Kconfig boolean option namely IMA_QUEUE_EARLY_BOOT_KEYS is used to declare the workqueue functions. A flag namely ima_process_keys is used to check if the key should be queued or should be processed immediately. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

commit: 9f81a2eda488fef4c4e33a3965ae1759eb7db280 [log] [tgz]
author: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Wed Jan 22 17:32:04 2020 -0800
committer: Mimi Zohar <zohar@linux.ibm.com> Thu Jan 23 07:35:11 2020 -0500
tree: 822a66bb5abaf5dfcd3e224257ce5a97f3c3e7f1
parent: 5c7bac9fb2c5929a3b8600c45a972aabf9f410b5 [diff] [blame]
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 355754a6..711ff10 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig

@@ -316,3 +316,9 @@
 	depends on IMA
 	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
 	default y
+
+config IMA_QUEUE_EARLY_BOOT_KEYS
+	bool
+	depends on IMA_MEASURE_ASYMMETRIC_KEYS
+	depends on SYSTEM_TRUSTED_KEYRING
+	default y
commit	9f81a2eda488fef4c4e33a3965ae1759eb7db280	[log] [tgz]
author	Lakshmi Ramasubramanian <nramas@linux.microsoft.com>	Wed Jan 22 17:32:04 2020 -0800
committer	Mimi Zohar <zohar@linux.ibm.com>	Thu Jan 23 07:35:11 2020 -0500
tree	822a66bb5abaf5dfcd3e224257ce5a97f3c3e7f1
parent	5c7bac9fb2c5929a3b8600c45a972aabf9f410b5 [diff] [blame]