diff --git a/README b/README
index 2bb363c..5b5ecb5 100644
--- a/README
+++ b/README
@@ -41,7 +41,7 @@ COMMANDS
 OPTIONS
 -------
- -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512
+ -a, --hashalgo sha1, sha224, sha256, sha384, sha512
 -s, --imasig make IMA signature
 -d, --imahash make IMA hash
 -f, --sigfile store IMA signature in .sig file instead of xattr
diff --git a/configure.ac b/configure.ac
index a2d91b3..aff6fdf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -62,6 +62,7 @@ else
 fi
 EVMCTL_MANPAGE_DOCBOOK_XSL
+AX_DEFAULT_HASH_ALGO([$KERNEL_HEADERS])
 # for gcov
 #CFLAGS="$CFLAGS -Wall -fprofile-arcs -ftest-coverage"
@@ -81,6 +82,7 @@ echo
 echo
 echo "Configuration:"
 echo " debug: $pkg_cv_enable_debug"
+echo " default-hash: $HASH_ALGO"
 echo " openssl-conf: $enable_openssl_conf"
 echo " tss2-esys: $ac_cv_lib_tss2_esys_Esys_Free"
 echo " tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode"
diff --git a/m4/default-hash-algo.m4 b/m4/default-hash-algo.m4
new file mode 100644
index 0000000..b6164a5
--- /dev/null
+++ b/m4/default-hash-algo.m4
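Review bot: `AX_DEFAULT_HASH_ALGO([$KERNEL_HEADERS])` is invoked unconditionally, and the macro builds its probe path as `$1/include/uapi/linux/hash_info.h`, so if KERNEL_HEADERS can be empty (where it is set is outside this hunk) the probe looks at `/include/uapi/linux/hash_info.h`, the header check fails, and configure falls through to the branch that accepts any `--with-default-hash` value unvalidated. Guarding the call, `AS_IF([test -n "$KERNEL_HEADERS"], [AX_DEFAULT_HASH_ALGO([$KERNEL_HEADERS])], [AC_MSG_WARN([KERNEL_HEADERS unset; default hash algorithm not validated])])`, makes that degradation visible in the configure log. The summary line `default-hash: $HASH_ALGO` in the second hunk is fine, but it prints the value before any consumer has confirmed it is usable, so readers should not take it as "supported".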
@@ -0,0 +1,36 @@
+dnl Copyright (c) 2021 Bruno Meneguele
+dnl Check hash algorithm availability in the kernel
+dnl
+dnl $1 - $KERNEL_HEADERS
+
+AC_DEFUN([AX_DEFAULT_HASH_ALGO], [
+ HASH_INFO_HEADER="$1/include/uapi/linux/hash_info.h"
+
+ AC_ARG_WITH([default_hash],
+ AS_HELP_STRING([--with-default-hash=ALGORITHM], [specifies the default hash algorithm to be used]),
+ [HASH_ALGO=$withval],
+ [HASH_ALGO=sha1])
+
+ AC_PROG_SED()
+ HASH_ALGO="$(echo $HASH_ALGO | $SED 's/\(.*\)/\L\1\E/')"
+
+ AC_CHECK_HEADER([$HASH_INFO_HEADER],
+ [HAVE_HASH_INFO_HEADER=yes],
+ [AC_MSG_WARN([$HASH_INFO_HEADER not found.])])
+
+ if test "x$HAVE_HASH_INFO_HEADER" = "x"; then
+ AC_MSG_RESULT([using $HASH_ALGO algorithm as default hash algorith])
+ AC_DEFINE_UNQUOTED(DEFAULT_HASH_ALGO, "$HASH_ALGO", [Define default hash algorithm])
+ else
+ AC_PROG_GREP()
+ $SED -n 's/HASH_ALGO_\(.*\),/\L\1\E/p' $HASH_INFO_HEADER | $GREP -w $HASH_ALGO > /dev/null
+ have_hash=$?
+
+ if test $have_hash -ne 0; then
+ AC_MSG_ERROR([$HASH_ALGO algorithm specified, but not provided by the kernel], 1)
+ else
+ AC_MSG_NOTICE([using $HASH_ALGO as default hash algorithm])
+ AC_DEFINE_UNQUOTED(DEFAULT_HASH_ALGO, "$HASH_ALGO", [Define default hash algorithm])
+ fi
+ fi
+])
diff --git a/src/evmctl.c b/src/evmctl.c
index 05b3b17..8bdd348 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -2500,7 +2500,7 @@ static void usage(void)
 printf(
 "\n"
- " -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512, streebog256, streebog512\n"
+ " -a, --hashalgo sha1, sha224, sha256, sha384, sha512, streebog256, streebog512 (default: %s)\n"
 " -s, --imasig make IMA signature\n"
 " -d, --imahash make IMA hash\n"
 " -f, --sigfile store IMA signature in .sig file instead of xattr\n"
@@ -2538,7 +2538,7 @@ static void usage(void)
 "\n"
 "Environment variables:\n\n"
 "EVMCTL_KEY_PASSWORD : Private key password to use; do not use --pass option\n"
- "\n");
+ "\n", DEFAULT_HASH_ALGO);
 }
 struct command cmds[] = {
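Review bot: In the header-not-found branch (`if test "x$HAVE_HASH_INFO_HEADER" = "x"`) the user-supplied name is written into DEFAULT_HASH_ALGO with no validation at all, so a mistyped `--with-default-hash` value only surfaces when evmctl fails at runtime; an explicit `AC_MSG_WARN([$HASH_ALGO could not be validated against the kernel headers])` there, with `AC_MSG_NOTICE` in place of `AC_MSG_RESULT` (which expects a preceding `AC_MSG_CHECKING`; "algorith" is also a typo), would make that visible. The validation path uses `$GREP -w $HASH_ALGO` with an unquoted value interpreted as a regex, so a value containing metacharacters (for example `.`) matches any entry and an empty value is not rejected; `$GREP -x -F -- "$HASH_ALGO"` pins it to an exact line match. The `\L…\E` case folding in both sed expressions is a GNU sed extension that AC_PROG_SED does not guarantee, so on another sed the lowercase conversion is silently skipped and the enum extraction yields nothing, turning every build into the "not provided by the kernel" error. Passing the kernel's list also does not establish that libimaevm's digest lookup accepts the name; that check is not visible here and would belong next to this one.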
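Review bot: The choices on the `-a` line remain hard-coded while the printed default now comes from configure, which (per m4/default-hash-algo.m4) validates the name only against the kernel's hash_info.h, so a default the kernel defines but this list does not include would be shown as `(default: …)` without appearing among the choices; deriving the listed names from the same table the `-a` parser consults, or at least a comment on the second hunk such as `/* DEFAULT_HASH_ALGO comes from configure --with-default-hash; imaevm.h supplies "sha1" when unset */`, would keep the two in step. The `%s` conversion added in the first hunk is paired with its argument roughly forty lines later in the second hunk; that is checked by `-Wformat` because the format is a literal, but a reader of the first hunk alone cannot see it. The same configure-time string now initialises `imaevm_params.hash_algo` in src/libimaevm.c. usage() begins before the first hunk and its single printf call spans both hunks.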
diff --git a/src/imaevm.h b/src/imaevm.h
index 8792aa2..ec8551f 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -75,6 +75,10 @@
 #define log_err(fmt, args...) do_log(LOG_ERR, fmt, ##args)
 #define log_errno(fmt, args...) do_log(LOG_ERR, fmt ": errno: %s (%d)\n", ##args, strerror(errno), errno)
+#ifndef DEFAULT_HASH_ALGO
+#define DEFAULT_HASH_ALGO "sha1"
+#endif
+
 #define DATA_SIZE 4096
 #define SHA1_HASH_LEN 20
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 6855184..388b726 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -89,7 +89,7 @@ static const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = {
 struct libimaevm_params imaevm_params = {
 .verbose = LOG_INFO,
 .x509 = 1,
- .hash_algo = "sha1",
+ .hash_algo = DEFAULT_HASH_ALGO,
 };
 static void __attribute__ ((constructor)) libinit(void);
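Review bot: The `#ifndef DEFAULT_HASH_ALGO` fallback yields "sha1" in any translation unit that includes imaevm.h without config.h first, so one object could be built with the configured default and another with sha1 and nothing would flag the disagreement; whether every includer pulls in config.h beforehand is outside this hunk. A comment stating the contract would help, e.g. `/* Set by configure (--with-default-hash) through config.h; "sha1" only when config.h was not included first. */`. If the build always defines HAVE_CONFIG_H, an `#error` for the combination HAVE_CONFIG_H-defined-but-DEFAULT_HASH_ALGO-missing would make the masking impossible rather than merely documented. The same macro is consumed by the `.hash_algo` initializer in src/libimaevm.c, which is where a mismatch would take effect.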