@@ -34,7 +34,7 @@ COMMANDS
ima_hash file
ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
ima_fix [-t fdsxm] path
- sign_hash [--key key] [--pass password]
+ sign_hash [--veritysig] [--key key] [--pass password]
hmac [--imahash | --imasig ] file
@@ -43,6 +43,7 @@ OPTIONS
-a, --hashalgo sha1, sha224, sha256, sha384, sha512
-s, --imasig make IMA signature
+ --veritysig sign an fs-verity file digest hash
-d, --imahash make IMA hash
-f, --sigfile store IMA signature in .sig file instead of xattr
--xattr-user store xattrs in user namespace (for testing purposes)
@@ -135,6 +135,7 @@ static int msize;
static dev_t fs_dev;
static bool evm_immutable;
static bool evm_portable;
+static bool veritysig;
#define HMAC_FLAG_NO_UUID 0x0001
#define HMAC_FLAG_CAPS_SET 0x0002
@@ -759,6 +760,11 @@ static int cmd_sign_hash(struct command *cmd)
fwrite(line, len, 1, stdout);
fprintf(stdout, " ");
+
+ if (veritysig) {
+ sig[0] = IMA_VERITY_DIGSIG;
+ sig[1] = 3; /* signature version 3 */
+ }
bin2hex(sig, siglen + 1, stdout);
fprintf(stdout, "\n");
}
@@ -2556,7 +2562,7 @@ struct command cmds[] = {
{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]", "Calculate per TPM bank boot_aggregate digests\n"},
{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
- {"sign_hash", cmd_sign_hash, 0, "[--key key] [--pass [password]", "Sign hashes from shaXsum output.\n"},
+ {"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass [password]", "Sign hashes from either shaXsum or \"fsverity measure\" output.\n"},
#ifdef DEBUG
{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
#endif
@@ -2596,6 +2602,7 @@ static struct option opts[] = {
{"verify-bank", 2, 0, 143},
{"keyid", 1, 0, 144},
{"keyid-from-cert", 1, 0, 145},
+ {"veritysig", 0, 0, 146},
{}
};
@@ -2826,6 +2833,9 @@ int main(int argc, char *argv[])
}
imaevm_params.keyid = keyid;
break;
+ case 146:
+ veritysig = 1;
+ break;
case '?':
exit(1);
break;
@@ -93,6 +93,7 @@ enum evm_ima_xattr_type {
EVM_IMA_XATTR_DIGSIG,
IMA_XATTR_DIGEST_NG,
EVM_XATTR_PORTABLE_DIGSIG,
+ IMA_VERITY_DIGSIG,
};
struct h_misc {
Instead of calculating a file hash and directly signing it, the new IMA signature version 3 is a signature of the ima_file_id struct hash. fs-verity only supports IMA signature version 3. struct ima_file_id { __u8 hash_type; /* xattr type [enum evm_ima_xattr_type] */ __u8 hash_algorithm; /* Digest algorithm [enum hash_algo] */ __u8 hash[HASH_MAX_DIGESTSIZE]; } __packed; The following steps are provided as a PoC and assume an existing fsverity enabled file: 1. Calculate the hash of the fsverity_descriptor struct digest, prefixed with the xattr type and hash algorithm. The following commands call "fsverity measure" to read the fsverity_descriptor struct digest, prefix the digest with the IMA_VERITY_DIGSIG(06) and hash_algo_name enumeration (e.g. sha256 is 04), before calculating the hash. $ line=$(fsverity measure <file>) $ hash=$(echo $line | sed -e 's/^.*:/0604/' -e 's/\s.*$//' | xxd -r -p - | sha256sum | sed 's/\s.*$//') $ filename=$(echo $line | sed -e 's/^.* //') 2. "evmctl sign_hash" with the new "--veritysig" option may be used to sign the resulting "ima_file_id" struct hash, provided in sha*sum output format [hash filename]. $ echo $hash $filename | evmctl sign_hash --veritysig --hashalgo sha256 \ --key <signing key.pem> > <signed hash> 3. Prefix the resulting signature with '0x' before writing it as security.ima xattr. ('setfattr' requires root privileges.) Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- README | 3 ++- src/evmctl.c | 12 +++++++++++- src/imaevm.h | 1 + 3 files changed, 14 insertions(+), 2 deletions(-)