From 59ef0a0b99d87437b92b1185e7b845d2ad88c6a4 Mon Sep 17 00:00:00 2001
From: Vivek Goyal
Date: Fri, 12 Jul 2013 14:52:12 -0400
Subject: [PATCH] Save full security.ima attribute to a file

Right now if -f option is passed in, we only save the actual signature to a file and not the full security.ima attribute. I think it makes more sense to save full security.ima attribute so that it can act as detached signatures and one can install signature later. That is signing can take place on build server and detached signatures can be generated and these signatures can be installed later on target.

One can use following steps.

evmctl ima_sign -f -x -a sha256 /tmp/data.txt
hexdump -v -e '1/1 "%02x"' /tmp/data.txt.sig > /tmp/data.txt.sig.hex
printf "# file: /tmp/data.txt\nsecurity.ima=0x" | cat - /tmp/data.txt.sig.hex | setfattr --restore -
evmctl ima_verify /tmp/data.txt

Signed-off-by: Vivek Goyal
---
 src/evmctl.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 9a36def..5879e5d 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1044,7 +1044,7 @@ static int sign_ima(const char *file, const char *key)
 }
 if (sigfile)
- bin2file(file, "sig", sig + 1, len - 1);
+ bin2file(file, "sig", sig, len);
 if (xattr) {
 err = setxattr(file, "security.ima", sig, len, 0);
@@ -1281,8 +1281,7 @@ static int verify_ima(const char *file)
 if (sigfile) {
 void *tmp;
 tmp = file2bin(file, "sig", &len);
- sig[0] = 0x03;
- memcpy(sig+1, tmp, len++);
+ memcpy(sig, tmp, len);
 free(tmp);
 }
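Review bot: The new `bin2file(file, "sig", sig, len)` call changes the on-disk layout of the .sig file (it now carries the leading byte that the old code skipped with `sig + 1`), but nothing in the code records that, and a .sig written by an older evmctl will no longer verify because the verify_ima hunk below stops prepending that byte. A comment above the call would save the next reader from rediscovering this: `/* .sig holds the complete security.ima value, including its leading type byte, so it can be restored verbatim with setfattr and read back by verify_ima without reconstruction. */`. Consider also stating the format change in the commit message or the tool's documentation, since it is a compatibility break for existing detached signatures. sign_ima starts and ends outside this hunk.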
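Review bot: `memcpy(sig, tmp, len)` copies whatever length file2bin reported for the .sig file without checking that `tmp` is non-NULL or that `len` fits in `sig`; the length is now taken entirely from an on-disk file, so a truncated, corrupted or oversized .sig file steers the copy size, and if `sig` is a fixed-size buffer (declared outside this hunk) that is an out-of-bounds write on the verifier. The old code had the same gap, but this hunk is the one rewriting the copy, so it is the place to close it, e.g. `if (!tmp || len > sizeof(sig)) { free(tmp); return -1; }` before the memcpy, using whatever error value verify_ima returns elsewhere and the buffer's real capacity if `sig` is not an array. Since the file now supplies the leading type byte that the removed `sig[0] = 0x03` used to set, it is worth confirming that the code after the hunk validates that byte rather than trusting the file. verify_ima starts and ends outside this hunk.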