#!/bin/sh

# Defaults consumed by run(). IMA_POLICY starts empty and is resolved at run
# time, preferring the administrator-provided file over the packaged default.
IMA_POLICY=""
IMA_POLICY_ADMIN="/etc/integrity/policy"
IMA_POLICY_DEFAULT="/usr/share/integrity/policy"
# securityfs mount point, given relative to / (the leading slash is added
# where the path is used)
SECFS="sys/kernel/security"

msg="Enabling IMA/EVM..."

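#######################################
# Bring up IMA/EVM: mount securityfs if it is not mounted yet, find or
# create the _ima and _evm keyrings under the user keyring, import the
# X509 certificates and the EVM key material, enable EVM, then load the
# IMA policy.
# Globals:   SECFS, IMA_POLICY_ADMIN, IMA_POLICY_DEFAULT (read);
#            IMA_POLICY, UMOUNT_FS, ima_id, evm_id, secfs (written)
# Outputs:   progress and failure messages through verbose (defined by
#            the environment that sources this script)
# Returns:   always continues to the next step; a failed step is
#            reported rather than aborting, so check the verbose output
#            when EVM or the policy does not come up as expected
#######################################
run() {
	# All securityfs paths derive from SECFS so the mount check and the
	# later writes cannot drift apart.
	secfs="/$SECFS"

	if ! grep -q "$secfs" /proc/mounts; then
		mount -n -t securityfs securityfs "$secfs" \
			|| verbose "mounting securityfs on $secfs failed"
		export UMOUNT_FS="$SECFS"
	fi

	# search for the IMA keyring, creating it when absent
	ima_id="$(keyctl search @u keyring _ima 2>/dev/null)"
	if [ -z "$ima_id" ]; then
		ima_id="$(keyctl newring _ima @u)"
	fi
	verbose "Ima_id is $ima_id"

	# import IMA X509 certificate; an empty id means newring failed and
	# there is nothing to import into
	if [ -z "$ima_id" ]; then
		verbose "no _ima keyring, skipping ima x509 import"
	elif evmctl import /etc/keys/x509_ima.der "$ima_id" >/dev/null; then
		verbose "ima x509 import done"
	else
		verbose "ima x509 import failed"
	fi

	# search for the EVM keyring, creating it when absent
	evm_id="$(keyctl search @u keyring _evm 2>/dev/null)"
	if [ -z "$evm_id" ]; then
		evm_id="$(keyctl newring _evm @u)"
	fi
	verbose "evm_id is $evm_id"

	# import EVM X509 certificate
	if [ -z "$evm_id" ]; then
		verbose "no _evm keyring, skipping evm x509 import"
	elif evmctl import /etc/keys/x509_evm.der "$evm_id" >/dev/null; then
		verbose "evm x509 import done"
	else
		verbose "evm x509 import failed"
	fi

	# import the kmk-user master key unless one is already present, then
	# the encrypted evm-key that is loaded through it
	if keyctl show | grep -q kmk-user; then
		verbose "kmk-user already present"
	elif [ ! -f /etc/keys/kmk-user.blob ]; then
		verbose "/etc/keys/kmk-user.blob missing, kmk-user not added"
	elif keyctl add user kmk-user "$(cat /etc/keys/kmk-user.blob)" @u >/dev/null; then
		verbose "kmk-user added"
	else
		verbose "kmk-user add failed"
	fi
	if [ ! -f /etc/keys/evm-key.blob ]; then
		verbose "/etc/keys/evm-key.blob missing, evm-key not installed"
	elif keyctl add encrypted evm-key "load $(cat /etc/keys/evm-key.blob)" @u >/dev/null; then
		verbose "kmk evm-key installed"
	else
		verbose "evm-key install failed"
	fi

	# Keyring permission tightening is left disabled; while these stay
	# commented out the keyrings keep their default permissions.
	# protect EVM keyring
	#keyctl setperm $evm_id 0x0b0b0000
	# protect IMA keyring
	#keyctl setperm $ima_id 0x0b0b0000
	# protecting IMA key from revoking (against DoS)
	#ima_key=`evmctl import /etc/keys/x509_ima.der $ima_id`
	#keyctl setperm $ima_key 0x0b0b0000

	# enable EVM, only after the key material above has been loaded
	echo "1" > "$secfs/evm" || verbose "enabling EVM failed"

	# load policy: the administrator's file wins over the packaged default
	if [ -f "$IMA_POLICY_ADMIN" ]; then
		IMA_POLICY="$IMA_POLICY_ADMIN"
	elif [ -f "$IMA_POLICY_DEFAULT" ]; then
		IMA_POLICY="$IMA_POLICY_DEFAULT"
	fi
	if [ -n "$IMA_POLICY" ]; then
		verbose "Loading IMA policy $IMA_POLICY"
		# a rejected policy shows up as a write error on cat
		cat "$IMA_POLICY" > "$secfs/ima/policy" \
			|| verbose "loading IMA policy $IMA_POLICY failed"
	else
		verbose "no IMA policy file found, none loaded"
	fi
}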

