[v2,ima-evm-utils,3/4] Add --hmackey option for evmctl

Message ID	20230605165554.1965238-4-roberto.sassu@huaweicloud.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-integrity-owner@vger.kernel.org> From: Roberto Sassu <roberto.sassu@huaweicloud.com> To: zohar@linux.ibm.com, dmitry.kasatkin@gmail.com Cc: linux-integrity@vger.kernel.org, vt@altlinux.org, pvorel@suse.cz, stefanb@linux.ibm.com, paul@paul-moore.com, casey@schaufler-ca.com, Roberto Sassu <roberto.sassu@huawei.com> Subject: [PATCH v2 ima-evm-utils 3/4] Add --hmackey option for evmctl Date: Mon, 5 Jun 2023 18:55:53 +0200 Message-Id: <20230605165554.1965238-4-roberto.sassu@huaweicloud.com> In-Reply-To: <20230605165554.1965238-1-roberto.sassu@huaweicloud.com> References: <20230605165554.1965238-1-roberto.sassu@huaweicloud.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Simple EVM HMAC calculation tests \| expand [v2,ima-evm-utils,0/4] Simple EVM HMAC calculation tests [v2,ima-evm-utils,1/4] Include the filesystem UUID in HMAC calculation [v2,ima-evm-utils,2/4] Restore correct HMAC calculation for directories [v2,ima-evm-utils,3/4] Add --hmackey option for evmctl [v2,ima-evm-utils,4/4] Add simple test to check EVM HMAC calculation

Message ID

20230605165554.1965238-4-roberto.sassu@huaweicloud.com (mailing list archive)

State

New, archived

Headers

From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: zohar@linux.ibm.com, dmitry.kasatkin@gmail.com
Cc: linux-integrity@vger.kernel.org, vt@altlinux.org, pvorel@suse.cz,
        stefanb@linux.ibm.com, paul@paul-moore.com, casey@schaufler-ca.com,
        Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH v2 ima-evm-utils 3/4] Add --hmackey option for evmctl
Date: Mon,  5 Jun 2023 18:55:53 +0200
Message-Id: <20230605165554.1965238-4-roberto.sassu@huaweicloud.com>
In-Reply-To: <20230605165554.1965238-1-roberto.sassu@huaweicloud.com>
References: <20230605165554.1965238-1-roberto.sassu@huaweicloud.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

Simple EVM HMAC calculation tests | expand

Commit Message

Roberto Sassu June 5, 2023, 4:55 p.m. UTC

From: Roberto Sassu <roberto.sassu@huawei.com>

Add the --hmackey option, to specify an alternate path for the file
containing the HMAC key. By default evmctl looks in
/etc/keys/evm-key-plain.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 README       |  3 ++-
 src/evmctl.c | 12 ++++++++++--
 src/imaevm.h |  1 +
 3 files changed, 13 insertions(+), 3 deletions(-)

Comments

Casey Schaufler June 5, 2023, 6:14 p.m. UTC | #1

On 6/5/2023 9:55 AM, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> Add the --hmackey option

At first glance I read this as "hackey", as in the option is a hack.
The name you have is the obvious choice, but it caught my attention
for the wrong reason. 

> , to specify an alternate path for the file
> containing the HMAC key. By default evmctl looks in
> /etc/keys/evm-key-plain.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
>  README       |  3 ++-
>  src/evmctl.c | 12 ++++++++++--
>  src/imaevm.h |  1 +
>  3 files changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/README b/README
> index 40a61f94315..7239dda257e 100644
> --- a/README
> +++ b/README
> @@ -40,7 +40,7 @@ COMMANDS
>   ima_fix [-t fdsxm] path
>   ima_clear [-t fdsxm] path
>   sign_hash [--veritysig] [--key key] [--pass=<password>]
> - hmac [--imahash | --imasig ] file
> + hmac [--imahash | --imasig] [--hmackey key] file
>  
>  
>  OPTIONS
> @@ -82,6 +82,7 @@ OPTIONS
>        --ignore-violations ignore ToMToU measurement violations
>        --verify-sig   verify the file signature based on the file hash, both
>                       stored in the template data.
> +      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)
>    -v                 increase verbosity level
>    -h, --help         display this help and exit
>  
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 7a3ffd7c823..8caf9bd83fb 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1417,7 +1417,8 @@ static int cmd_hmac_evm(struct command *cmd)
>  			return err;
>  	}
>  
> -	return hmac_evm(file, "/etc/keys/evm-key-plain");
> +	return hmac_evm(file, imaevm_params.hmackeyfile ? :
> +			"/etc/keys/evm-key-plain");
>  }
>  
>  static int ima_fix(const char *path)
> @@ -2873,6 +2874,9 @@ static void usage(void)
>  		"      --engine e     preload OpenSSL engine e (such as: gost) is deprecated\n"
>  #endif
>  		"      --ignore-violations ignore ToMToU measurement violations\n"
> +#ifdef DEBUG
> +		"      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)\n"
> +#endif
>  		"  -v                 increase verbosity level\n"
>  		"  -h, --help         display this help and exit\n"
>  		"\n"
> @@ -2902,7 +2906,7 @@ struct command cmds[] = {
>  	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
>  	{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
>  #ifdef DEBUG
> -	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
> +	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig] [--hmackey key] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
>  #endif
>  	{0, 0, 0, NULL}
>  };
> @@ -2944,6 +2948,7 @@ static struct option opts[] = {
>  	{"keyid-from-cert", 1, 0, 145},
>  	{"veritysig", 0, 0, 146},
>  	{"hwtpm", 0, 0, 147},
> +	{"hmackey", 1, 0, 148},
>  	{}
>  
>  };
> @@ -3189,6 +3194,9 @@ int main(int argc, char *argv[])
>  		case 147:
>  			hwtpm = 1;
>  			break;
> +		case 148:
> +			imaevm_params.hmackeyfile = optarg;
> +			break;
>  		case '?':
>  			exit(1);
>  			break;
> diff --git a/src/imaevm.h b/src/imaevm.h
> index 78e7ed5e89d..18d7b0e447e 100644
> --- a/src/imaevm.h
> +++ b/src/imaevm.h
> @@ -221,6 +221,7 @@ struct libimaevm_params {
>  	const char *keypass;
>  	uint32_t keyid;		/* keyid overriding value, unless 0. (Host order.) */
>  	ENGINE *eng;
> +	const char *hmackeyfile;
>  };
>  
>  struct RSA_ASN1_template {

Mimi Zohar June 15, 2023, 12:11 a.m. UTC | #2

On Mon, 2023-06-05 at 18:55 +0200, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Add the --hmackey option, to specify an alternate path for the file
> containing the HMAC key. By default evmctl looks in
> /etc/keys/evm-key-plain.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>

Please include the motivation for this feature.  Otherwise, it looks
good.

diff --git a/README b/README
index 40a61f94315..7239dda257e 100644
--- a/README
+++ b/README
@@ -40,7 +40,7 @@  COMMANDS
  ima_fix [-t fdsxm] path
  ima_clear [-t fdsxm] path
  sign_hash [--veritysig] [--key key] [--pass=<password>]
- hmac [--imahash | --imasig ] file
+ hmac [--imahash | --imasig] [--hmackey key] file
 
 
 OPTIONS
@@ -82,6 +82,7 @@  OPTIONS
       --ignore-violations ignore ToMToU measurement violations
       --verify-sig   verify the file signature based on the file hash, both
                      stored in the template data.
+      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)
   -v                 increase verbosity level
   -h, --help         display this help and exit
 
diff --git a/src/evmctl.c b/src/evmctl.c
index 7a3ffd7c823..8caf9bd83fb 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1417,7 +1417,8 @@  static int cmd_hmac_evm(struct command *cmd)
 			return err;
 	}
 
-	return hmac_evm(file, "/etc/keys/evm-key-plain");
+	return hmac_evm(file, imaevm_params.hmackeyfile ? :
+			"/etc/keys/evm-key-plain");
 }
 
 static int ima_fix(const char *path)
@@ -2873,6 +2874,9 @@  static void usage(void)
 		"      --engine e     preload OpenSSL engine e (such as: gost) is deprecated\n"
 #endif
 		"      --ignore-violations ignore ToMToU measurement violations\n"
+#ifdef DEBUG
+		"      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)\n"
+#endif
 		"  -v                 increase verbosity level\n"
 		"  -h, --help         display this help and exit\n"
 		"\n"
@@ -2902,7 +2906,7 @@  struct command cmds[] = {
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
 	{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
 #ifdef DEBUG
-	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
+	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig] [--hmackey key] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
 #endif
 	{0, 0, 0, NULL}
 };
@@ -2944,6 +2948,7 @@  static struct option opts[] = {
 	{"keyid-from-cert", 1, 0, 145},
 	{"veritysig", 0, 0, 146},
 	{"hwtpm", 0, 0, 147},
+	{"hmackey", 1, 0, 148},
 	{}
 
 };
@@ -3189,6 +3194,9 @@  int main(int argc, char *argv[])
 		case 147:
 			hwtpm = 1;
 			break;
+		case 148:
+			imaevm_params.hmackeyfile = optarg;
+			break;
 		case '?':
 			exit(1);
 			break;
diff --git a/src/imaevm.h b/src/imaevm.h
index 78e7ed5e89d..18d7b0e447e 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -221,6 +221,7 @@  struct libimaevm_params {
 	const char *keypass;
 	uint32_t keyid;		/* keyid overriding value, unless 0. (Host order.) */
 	ENGINE *eng;
+	const char *hmackeyfile;
 };
 
 struct RSA_ASN1_template {

[v2,ima-evm-utils,3/4] Add --hmackey option for evmctl

Commit Message

Comments

Patch