From patchwork Wed Nov 15 21:05:27 2017 X-Patchwork-Submitter: Matthew Garrett X-Patchwork-Id: 10060271
Date: Wed, 15 Nov 2017 13:05:27 -0800 Message-Id: <20171115210527.11488-1-mjg59@google.com> X-Mailer: git-send-email 2.15.0.448.gf294e3d99a-goog Subject: [USER] [PATCH] Add support for portable EVM format From: Matthew Garrett To: linux-integrity@vger.kernel.org Cc: zohar@linux.vnet.ibm.com, Matthew Garrett Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org Add a --portable argument that generates EVM signatures without using the inode number and generation or fs UUID. Signed-off-by: Matthew Garrett --- README | 6 ++++-- src/evmctl.c | 35 +++++++++++++++++++++++++---------- src/imaevm.h | 1 + 3 files changed, 30 insertions(+), 12 deletions(-) diff --git a/README b/README index b1dfafa..da828cf 100644 --- a/README +++ b/README
@@ -26,7 +26,7 @@ COMMANDS --version help import [--rsa] pubkey keyring - sign [-r] [--imahash | --imasig ] [--key key] [--pass password] file + sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file verify file ima_sign [--sigfile] [--key key] [--pass password] file ima_verify file @@ -46,6 +46,7 @@ OPTIONS -f, --sigfile store IMA signature in .sig file instead of xattr --rsa use RSA key type and signing scheme v1 -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem) + -o, --portable generate portable EVM signatures -p, --pass password for encrypted signing key -r, --recursive recurse into directories (sign) -t, --type file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink) @@ -95,7 +96,8 @@ Kernel configuration option CONFIG_EVM_ATTR_FSUUID controls whether to include filesystem UUID into HMAC and enabled by default. Therefore evmctl also includes fsuuid by default. Providing '--uuid' option without parameter allows to disable usage of fs uuid. Providing '--uuid=UUID' option with parameter allows to use -custom UUID. +custom UUID. Providing the '--portable' option will disable usage of the fs uuid +and also the inode number and generation. Kernel configuration option CONFIG_EVM_EXTRA_SMACK_XATTRS controls whether to include additional SMACK extended attributes into HMAC. They are following: diff --git a/src/evmctl.c b/src/evmctl.c index 3eb3771..f02da39 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -119,6 +119,7 @@ static int recursive; static int msize; static dev_t fs_dev; static bool evm_immutable; +static bool evm_portable; #define HMAC_FLAG_NO_UUID 0x0001 #define HMAC_FLAG_CAPS_SET 0x0002 
@@ -422,8 +423,10 @@ static int calc_evm_hash(const char *file, unsigned char *hash) struct h_misc *hmac = (struct h_misc *)&hmac_misc; hmac_size = sizeof(*hmac); - hmac->ino = st.st_ino; - hmac->generation = generation; + if (!evm_portable) { + hmac->ino = st.st_ino; + hmac->generation = generation; + } hmac->uid = st.st_uid; hmac->gid = st.st_gid; hmac->mode = st.st_mode; @@ -431,8 +434,10 @@ static int calc_evm_hash(const char *file, unsigned char *hash) struct h_misc_64 *hmac = (struct h_misc_64 *)&hmac_misc; hmac_size = sizeof(*hmac); - hmac->ino = st.st_ino; - hmac->generation = generation; + if (!evm_portable) { + hmac->ino = st.st_ino; + hmac->generation = generation; + } hmac->uid = st.st_uid; hmac->gid = st.st_gid; hmac->mode = st.st_mode; @@ -440,8 +445,10 @@ static int calc_evm_hash(const char *file, unsigned char *hash) struct h_misc_32 *hmac = (struct h_misc_32 *)&hmac_misc; hmac_size = sizeof(*hmac); - hmac->ino = st.st_ino; - hmac->generation = generation; + if (!evm_portable) { + hmac->ino = st.st_ino; + hmac->generation = generation; + } hmac->uid = st.st_uid; hmac->gid = st.st_gid; hmac->mode = st.st_mode; @@ -456,7 +463,8 @@ static int calc_evm_hash(const char *file, unsigned char *hash) return 1; } - if (!evm_immutable && !(hmac_flags & HMAC_FLAG_NO_UUID)) { + if (!evm_immutable && !evm_portable && + !(hmac_flags & HMAC_FLAG_NO_UUID)) { err = get_uuid(&st, uuid); if (err) return -1; @@ -493,7 +501,10 @@ static int sign_evm(const char *file, const char *key) /* add header */ len++; - sig[0] = EVM_IMA_XATTR_DIGSIG; + if (evm_portable) + sig[0] = EVM_XATTR_PORTABLE_DIGSIG; + else + sig[0] = EVM_IMA_XATTR_DIGSIG; if (evm_immutable) sig[1] = 3; /* immutable signature version */ 
@@ -888,7 +899,6 @@ static int cmd_import(struct command *cmd) calc_keyid_v1(keyid, name, pub, len); } - printf("Keyid is %x\n", *((uint32_t *)keyid)); log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id); id = add_key(params.x509 ? "asymmetric" : "user", params.x509 ? NULL : name, pub, len, id); @@ -1523,6 +1533,7 @@ static void usage(void) " -f, --sigfile store IMA signature in .sig file instead of xattr\n" " --rsa use RSA key type and signing scheme v1\n" " -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)\n" + " -o, --portable generate portable EVM signatures\n" " -p, --pass password for encrypted signing key\n" " -r, --recursive recurse into directories (sign)\n" " -t, --type file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)\n" @@ -1580,6 +1591,7 @@ static struct option opts[] = { {"recursive", 0, 0, 'r'}, {"m32", 0, 0, '3'}, {"m64", 0, 0, '6'}, + {"portable", 0, 0, 'o'}, {"smack", 0, 0, 128}, {"version", 0, 0, 129}, {"inode", 1, 0, 130}, @@ -1636,7 +1648,7 @@ int main(int argc, char *argv[]) g_argc = argc; while (1) { - c = getopt_long(argc, argv, "hvnsda:p::fu::k:t:riz", opts, &lind); + c = getopt_long(argc, argv, "hvnsda:op::fu::k:t:riz", opts, &lind); if (c == -1) break; @@ -1685,6 +1697,9 @@ int main(int argc, char *argv[]) case 'i': evm_immutable = true; break; + case 'o': + evm_portable = true; + break; case 't': search_type = optarg; break; diff --git a/src/imaevm.h b/src/imaevm.h index 711596c..e397743 100644 --- a/src/imaevm.h +++ b/src/imaevm.h @@ -82,6 +82,7 @@ enum evm_ima_xattr_type { EVM_XATTR_HMAC, EVM_IMA_XATTR_DIGSIG, IMA_XATTR_DIGEST_NG, + EVM_XATTR_PORTABLE_DIGSIG, }; struct h_misc {
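Review bot: the third README hunk (@@ -95,7 +96,8) documents what --portable leaves out of the HMAC but not that it changes the on-disk format: the sign_evm hunk writes EVM_XATTR_PORTABLE_DIGSIG as the type byte instead of EVM_IMA_XATTR_DIGSIG, so a kernel that does not know that type will not verify these signatures. Suggest adding a sentence after "and also the inode number and generation." along the lines of "Portable signatures use a different security.evm xattr type and require a kernel that supports portable EVM signatures."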
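Review bot: in the three calc_evm_hash hunks (@@ -422, @@ -431, @@ -440) the identical block `if (!evm_portable) { hmac->ino = st.st_ino; hmac->generation = generation; }` is repeated for h_misc, h_misc_64 and h_misc_32, and none of the hunks shows hmac_misc being zeroed, so in portable mode ino and generation keep whatever the buffer held before the cast. Please confirm hmac_misc is memset to zero earlier in the function, or set `hmac->ino = 0; hmac->generation = 0;` explicitly in the portable branch so the hash input is well defined; the three copies could also be folded into one helper to avoid drift.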
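Review bot: in the uuid hunk (@@ -456,7 +463,8) the new `!evm_portable` condition silently discards a UUID the user supplied with --uuid=UUID, with no diagnostic. Suggest either rejecting --portable together with an explicit --uuid=UUID during option parsing or emitting a warning that the custom UUID is ignored, so the operator does not assume the UUID was bound into the signature.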
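Review bot: in the sign_evm hunk (@@ -493,7 +501,10) sig[0] becomes EVM_XATTR_PORTABLE_DIGSIG, but the unchanged line that follows, `if (evm_immutable) sig[1] = 3;`, still runs, so `-i -o` together produce a portable type byte with the immutable version byte, a combination the patch never defines. Suggest making -i and -o mutually exclusive in main() (error out in the new `case 'o':` if evm_immutable is already set, and in `case 'i':` if evm_portable is set), or state explicitly which version byte a portable signature carries.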
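Review bot: the cmd_import hunk (@@ -888,7 +899,6) removes `printf("Keyid is %x\n", *((uint32_t *)keyid));`, which has nothing to do with portable signatures and is not mentioned in the commit message. Please split it into its own patch (or at least explain it in the message) so the change remains reviewable and bisectable; if the point is that the following log_info line already reports enough, say so there.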
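Review bot: in the imaevm.h hunk, appending EVM_XATTR_PORTABLE_DIGSIG to enum evm_ima_xattr_type makes its numeric value depend on its position in the list; since this byte is written into security.evm and interpreted by the kernel, it must match the kernel's value for the same type exactly. Suggest an explicit initializer (`EVM_XATTR_PORTABLE_DIGSIG = <value from the kernel header>`) with a comment pointing at the kernel definition, so a later insertion in this enum cannot silently change the on-disk type byte.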