
Deprecate IMA signature version 1

The original IMA file signatures were based on a SHA1 hash.  Kernel
support for other hash algorithms was subsequently upstreamed.  Deprecate
"--rsa" support.

Define an "--enable-sigv1" configure option to build with signature v1 support.

Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Mimi Zohar
2022-08-04 18:33:38 -04:00
parent 8e1da33b0c
commit 751a395772
5 changed files with 66 additions and 13 deletions


@ -990,7 +990,6 @@ static int cmd_verify_ima(struct command *cmd)
init_public_keys("/etc/keys/x509_evm.der");
}
errno = 0;
if (!file) {
log_err("Parameters missing\n");
print_usage(cmd);
@ -1007,6 +1006,7 @@ static int cmd_verify_ima(struct command *cmd)
return fails > 0;
}
#if CONFIG_SIGV1
static int cmd_convert(struct command *cmd)
{
char *inkey;
@ -1037,6 +1037,7 @@ static int cmd_convert(struct command *cmd)
RSA_free(key);
return err;
}
#endif
static int cmd_import(struct command *cmd)
{
@ -1091,6 +1092,7 @@ static int cmd_import(struct command *cmd)
calc_keyid_v2((uint32_t *)keyid, name, pkey);
EVP_PKEY_free(pkey);
} else {
#if CONFIG_SIGV1
RSA *key = read_pub_key(inkey, imaevm_params.x509);
if (!key)
@ -1098,6 +1100,10 @@ static int cmd_import(struct command *cmd)
len = key2bin(key, pub);
calc_keyid_v1(keyid, name, pub, len);
RSA_free(key);
#else
log_info("Importing public RSA key is not supported\n");
return 1;
#endif
}
log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id);
@ -2601,7 +2607,9 @@ static void usage(void)
" -d, --imahash make IMA hash\n"
" -f, --sigfile store IMA signature in .sig file instead of xattr\n"
" --xattr-user store xattrs in user namespace (for testing purposes)\n"
" --rsa use RSA key type and signing scheme v1\n"
#if CONFIG_SIGV1
" --rsa use RSA key type and signing scheme v1 (deprecated)\n"
#endif
" -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)\n"
" or a pkcs11 URI\n"
" --keyid n overwrite signature keyid with a 32-bit value in hex (for signing)\n"
@ -2640,8 +2648,12 @@ static void usage(void)
struct command cmds[] = {
{"--version", NULL, 0, ""},
{"help", cmd_help, 0, "<command>"},
{"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring.\n"},
{"convert", cmd_convert, 0, "key", "convert public key into the keyring.\n"},
#if CONFIG_SIGV1
{"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring. ([--rsa] deprecated)\n"},
{"convert", cmd_convert, 0, "key", "convert public key into the keyring. (deprecated)\n"},
#else
{"import", cmd_import, 0, "pubkey keyring", "Import public key into the keyring.\n"},
#endif
{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass [password] file", "Sign file metadata.\n"},
{"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
{"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass [password] file", "Make file content signature.\n"},
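Review bot: In the cmd_import hunk (the `#else` branch added at `log_info("Importing public RSA key is not supported\n"); return 1;`), a hard failure is reported through log_info rather than log_err, so if log_info is gated on the verbosity level, as its name suggests, a non-verbose run returns 1 with no explanation of why the import was refused. I would change the line to `log_err("Importing public RSA key is not supported (built without --enable-sigv1)\n");` so the failure is always visible and points the user at the configure option this commit introduces. The branch is reached whenever imaevm_params.x509 is unset, which presumably still happens if `--rsa` is given on the command line even when its usage text is compiled out; if the option parser is not also guarded by CONFIG_SIGV1, it may be worth rejecting `--rsa` there as well, though that code is not in the hunk. cmd_import starts and ends outside the hunk.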