
[v3,ima-evm-utils,3/4] Add --hmackey option for evmctl

Message ID 20230616192358.314906-4-roberto.sassu@huaweicloud.com (mailing list archive)
State New, archived

Commit Message

Roberto Sassu June 16, 2023, 7:23 p.m. UTC
From: Roberto Sassu <roberto.sassu@huawei.com>

"evmctl --hmac" was only enabled in debug mode, since the hmac key was not
exposed to userspace. It was never really used. With the ability to
create an encrypted key based on user-provided decrypted data, verifying
the EVM hmac is now feasible.

Make "evmctl --hmac" more configurable by adding the --hmackey option, to
specify an alternate path for the file containing the HMAC key. By default
evmctl looks in /etc/keys/evm-key-plain.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 README       |  3 ++-
 src/evmctl.c | 12 ++++++++++--
 src/imaevm.h |  1 +
 3 files changed, 13 insertions(+), 3 deletions(-)

Comments

Stefan Berger June 19, 2023, 3:59 p.m. UTC | #1
On 6/16/23 15:23, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> "evmctl --hmac" was only enabled in debug mode, since the hmac key was not
> exposed to userspace. It was never really used. With the ability of
> creating an encrypted key based on user-provided decrypted data, verifying
> the EVM hmac is now feasible.
> 
> Make "evmctl --hmac" more configurable by adding the --hmackey option, to
> specify an alternate path for the file containing the HMAC key. By default
> evmctl looks in /etc/keys/evm-key-plain.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
>   README       |  3 ++-
>   src/evmctl.c | 12 ++++++++++--
>   src/imaevm.h |  1 +
>   3 files changed, 13 insertions(+), 3 deletions(-)
> 
> diff --git a/README b/README
> index 40a61f94315..7239dda257e 100644
> --- a/README
> +++ b/README
> @@ -40,7 +40,7 @@ COMMANDS
>    ima_fix [-t fdsxm] path
>    ima_clear [-t fdsxm] path
>    sign_hash [--veritysig] [--key key] [--pass=<password>]
> - hmac [--imahash | --imasig ] file
> + hmac [--imahash | --imasig] [--hmackey key] file
>   
>   
>   OPTIONS
> @@ -82,6 +82,7 @@ OPTIONS
>         --ignore-violations ignore ToMToU measurement violations
>         --verify-sig   verify the file signature based on the file hash, both
>                        stored in the template data.
> +      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)
>     -v                 increase verbosity level
>     -h, --help         display this help and exit
>   
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 7a3ffd7c823..8caf9bd83fb 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1417,7 +1417,8 @@ static int cmd_hmac_evm(struct command *cmd)
>   			return err;
>   	}
>   
> -	return hmac_evm(file, "/etc/keys/evm-key-plain");
> +	return hmac_evm(file, imaevm_params.hmackeyfile ? :
> +			"/etc/keys/evm-key-plain");
>   }
>   
>   static int ima_fix(const char *path)
> @@ -2873,6 +2874,9 @@ static void usage(void)
>   		"      --engine e     preload OpenSSL engine e (such as: gost) is deprecated\n"
>   #endif
>   		"      --ignore-violations ignore ToMToU measurement violations\n"
> +#ifdef DEBUG
> +		"      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)\n"
> +#endif
>   		"  -v                 increase verbosity level\n"
>   		"  -h, --help         display this help and exit\n"
>   		"\n"
> @@ -2902,7 +2906,7 @@ struct command cmds[] = {
>   	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
>   	{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
>   #ifdef DEBUG
> -	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
> +	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig] [--hmackey key] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
>   #endif
>   	{0, 0, 0, NULL}
>   };
> @@ -2944,6 +2948,7 @@ static struct option opts[] = {
>   	{"keyid-from-cert", 1, 0, 145},
>   	{"veritysig", 0, 0, 146},
>   	{"hwtpm", 0, 0, 147},
> +	{"hmackey", 1, 0, 148},
>   	{}
>   
>   };
> @@ -3189,6 +3194,9 @@ int main(int argc, char *argv[])
>   		case 147:
>   			hwtpm = 1;
>   			break;
> +		case 148:
> +			imaevm_params.hmackeyfile = optarg;
> +			break;
>   		case '?':
>   			exit(1);
>   			break;
> diff --git a/src/imaevm.h b/src/imaevm.h
> index 78e7ed5e89d..18d7b0e447e 100644
> --- a/src/imaevm.h
> +++ b/src/imaevm.h
> @@ -221,6 +221,7 @@ struct libimaevm_params {
>   	const char *keypass;
>   	uint32_t keyid;		/* keyid overriding value, unless 0. (Host order.) */
>   	ENGINE *eng;
> +	const char *hmackeyfile;
>   };
>   
>   struct RSA_ASN1_template {

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>

Patch

diff --git a/README b/README
index 40a61f94315..7239dda257e 100644
--- a/README
+++ b/README
@@ -40,7 +40,7 @@  COMMANDS
  ima_fix [-t fdsxm] path
  ima_clear [-t fdsxm] path
  sign_hash [--veritysig] [--key key] [--pass=<password>]
- hmac [--imahash | --imasig ] file
+ hmac [--imahash | --imasig] [--hmackey key] file
 
 
 OPTIONS
@@ -82,6 +82,7 @@  OPTIONS
       --ignore-violations ignore ToMToU measurement violations
       --verify-sig   verify the file signature based on the file hash, both
                      stored in the template data.
+      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)
   -v                 increase verbosity level
   -h, --help         display this help and exit
 
diff --git a/src/evmctl.c b/src/evmctl.c
index 7a3ffd7c823..8caf9bd83fb 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1417,7 +1417,8 @@  static int cmd_hmac_evm(struct command *cmd)
 			return err;
 	}
 
-	return hmac_evm(file, "/etc/keys/evm-key-plain");
+	return hmac_evm(file, imaevm_params.hmackeyfile ? :
+			"/etc/keys/evm-key-plain");
 }
 
 static int ima_fix(const char *path)
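Review bot: The `? :` with an omitted middle operand on the new `return hmac_evm(file, imaevm_params.hmackeyfile ? : ...)` line is a GCC/Clang extension, and the default path literal is now written out here, in usage() and in README, so the three copies can drift apart. Unless the project already relies on that extension elsewhere, spelling the operand out and naming the path once is clearer, e.g. `return hmac_evm(file, imaevm_params.hmackeyfile ? imaevm_params.hmackeyfile : DEFAULT_EVM_HMAC_KEY);` with a `#define DEFAULT_EVM_HMAC_KEY "/etc/keys/evm-key-plain"` (name is a suggestion) that the usage text reuses. cmd_hmac_evm begins outside the hunk.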
@@ -2873,6 +2874,9 @@  static void usage(void)
 		"      --engine e     preload OpenSSL engine e (such as: gost) is deprecated\n"
 #endif
 		"      --ignore-violations ignore ToMToU measurement violations\n"
+#ifdef DEBUG
+		"      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)\n"
+#endif
 		"  -v                 increase verbosity level\n"
 		"  -h, --help         display this help and exit\n"
 		"\n"
@@ -2902,7 +2906,7 @@  struct command cmds[] = {
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
 	{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
 #ifdef DEBUG
-	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
+	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig] [--hmackey key] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
 #endif
 	{0, 0, 0, NULL}
 };
@@ -2944,6 +2948,7 @@  static struct option opts[] = {
 	{"keyid-from-cert", 1, 0, 145},
 	{"veritysig", 0, 0, 146},
 	{"hwtpm", 0, 0, 147},
+	{"hmackey", 1, 0, 148},
 	{}
 
 };
@@ -3189,6 +3194,9 @@  int main(int argc, char *argv[])
 		case 147:
 			hwtpm = 1;
 			break;
+		case 148:
+			imaevm_params.hmackeyfile = optarg;
+			break;
 		case '?':
 			exit(1);
 			break;
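Review bot: `imaevm_params.hmackeyfile = optarg;` accepts an empty argument, and because cmd_hmac_evm (hunk at @@ -1417) only tests the pointer for NULL, `--hmackey ''` replaces the default with an empty path instead of falling back to it; presumably hmac_evm then fails when it opens the key file. A guard such as `imaevm_params.hmackeyfile = *optarg ? optarg : NULL;` keeps the default in that case. main() begins and ends outside the hunk.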
diff --git a/src/imaevm.h b/src/imaevm.h
index 78e7ed5e89d..18d7b0e447e 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -221,6 +221,7 @@  struct libimaevm_params {
 	const char *keypass;
 	uint32_t keyid;		/* keyid overriding value, unless 0. (Host order.) */
 	ENGINE *eng;
+	const char *hmackeyfile;
 };
 
 struct RSA_ASN1_template {
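Review bot: The new `hmackeyfile` member is the only one in this part of struct libimaevm_params without a comment, although the neighbouring `keyid` documents its sentinel value; the NULL-means-default contract that cmd_hmac_evm relies on should be stated on the field, e.g. `const char *hmackeyfile;	/* EVM HMAC key file; NULL selects the built-in default */`. If this struct is part of the installed library ABI, appending a member also changes its size, which would be worth a sentence in the commit message; I cannot tell from the hunk whether it is exported. The struct definition begins outside the hunk.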