
Added signature write to .sig file

To make module signature verification work on file systems
without extended attributes, or to allow copying modules with tools
that do not preserve extended attributes, it is necessary
to store the signature in a separate file. This patch adds a command line parameter
for storing the signature in a .sig file.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
This commit is contained in:
Dmitry Kasatkin 2012-02-01 14:30:30 +02:00
parent e3f11d343a
commit f2b486e053
2 changed files with 13 additions and 2 deletions

README

@ -43,6 +43,9 @@ find /lib/modules ! -name "*.ko" -type f -uid 0 -exec evmctl sign --imahash '{}'
# security.ima needs to have signature for modules # security.ima needs to have signature for modules
find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl sign --imasig '{}' \; find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl sign --imasig '{}' \;
# generate signatures in .sig files
find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl -n --sigfile ima_sign '{}' \;
8. Label filesystem in fix mode... 8. Label filesystem in fix mode...
ima_fix_dir.sh <dir> ima_fix_dir.sh <dir>


@ -149,6 +149,7 @@ static int digsig;
static char *hash_algo = "sha1"; static char *hash_algo = "sha1";
static int binkey; static int binkey;
static char *keypass; static char *keypass;
static int sigfile;
struct command cmds[]; struct command cmds[];
static void print_usage(struct command *cmd); static void print_usage(struct command *cmd);
@ -679,6 +680,9 @@ static int sign_ima(const char *file, const char *key)
if (err < 0) if (err < 0)
return err; return err;
if (sigfile)
bin2file(file, "sig", sig, err + 1);
if (xattr) { if (xattr) {
err = setxattr(file, "security.ima", sig, err + 1, 0); err = setxattr(file, "security.ima", sig, err + 1, 0);
if (err < 0) { if (err < 0) {
@ -1150,7 +1154,7 @@ struct command cmds[] = {
{"convert", cmd_convert, 0, "inkey outkey", "Convert PEM public key into IMA/EVM kernel friendly format.\n"}, {"convert", cmd_convert, 0, "inkey outkey", "Convert PEM public key into IMA/EVM kernel friendly format.\n"},
{"sign", cmd_sign_evm, 0, "[--imahash | --imasig ] file [key]", "Sign file metadata.\n"}, {"sign", cmd_sign_evm, 0, "[--imahash | --imasig ] file [key]", "Sign file metadata.\n"},
{"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"}, {"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
{"ima_sign", cmd_sign_ima, 0, "file [key]", "Sign file content.\n"}, {"ima_sign", cmd_sign_ima, 0, "[--sigfile] file [key]", "Sign file content.\n"},
{"ima_hash", cmd_hash_ima, 0, "file", "Hash file content.\n"}, {"ima_hash", cmd_hash_ima, 0, "file", "Hash file content.\n"},
{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file [key]", "Sign file metadata with HMAC (for debugging).\n"}, {"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file [key]", "Sign file metadata with HMAC (for debugging).\n"},
{0, 0, 0, NULL} {0, 0, 0, NULL}
@ -1164,6 +1168,7 @@ static struct option opts[] = {
{"hashalgo", 1, 0, 'a'}, {"hashalgo", 1, 0, 'a'},
{"bin", 0, 0, 'b'}, {"bin", 0, 0, 'b'},
{"pass", 1, 0, 'p'}, {"pass", 1, 0, 'p'},
{"sigfile", 0, 0, 'f'},
{} {}
}; };
@ -1176,7 +1181,7 @@ int main(int argc, char *argv[])
g_argc = argc; g_argc = argc;
while (1) { while (1) {
c = getopt_long(argc, argv, "hk:vnsda:bp:", opts, &lind); c = getopt_long(argc, argv, "hk:vnsda:bp:f", opts, &lind);
if (c == -1) if (c == -1)
break; break;
@ -1210,6 +1215,9 @@ int main(int argc, char *argv[])
case 'p': case 'p':
keypass = optarg; keypass = optarg;
break; break;
case 'f':
sigfile = 1;
break;
case '?': case '?':
exit(1); exit(1);
break; break;
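Review bot: The return value of `bin2file(file, "sig", sig, err + 1)` on the new line in sign_ima is discarded, so a .sig file that could not be created or was only partially written (read-only file system, ENOSPC, permissions) is silently ignored and sign_ima still goes on to set the xattr and report success; on the xattr-less file systems this option exists for, that leaves the module with no usable signature and no error. Assuming bin2file signals failure with a negative return like the signing call just above it (`if (err < 0) return err;`) — confirm against its definition, which is outside this hunk — mirror the setxattr error handling: `if (sigfile && bin2file(file, "sig", sig, err + 1) < 0) return -1;`. sign_ima begins and ends outside the hunk. It would also help to state in the ima_sign usage string where `--sigfile` puts the output (presumably next to the input with a `.sig` suffix, if that is what bin2file does), since callers of the new README example need to know which file to ship with the module.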