mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-04-27 14:22:31 +02:00

431 Commits

Author SHA1 Message Date
Mimi Zohar
8e1da33b0c Update configure.ac to address a couple of obsolete warnings
Remove AC_PROG_LIBTOOL and AC_HEAD_STDC. Replace AC_HELP_STRING with
AS_HELP_STRING.

Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2022-11-13 16:56:18 -05:00
Mimi Zohar
f8c9621d88 travis: update dist=focal
Although Github Actions is available on Github Enterprise Server 3.x
single server edition, as well as the unpaid version, it is not
available in Github Enterprise Server 3.x cluster edition[1].

Continue updating travis.yml.

[1] https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#github-packages

Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2022-11-13 16:56:18 -05:00
Mimi Zohar
1fcac50e30 Log and reset 'errno' on lsetxattr failure
Writing either security.ima hashes or security.evm hmacs from userspace
will fail regardless of the IMA or EVM fix mode.  In fix mode, 'touch'
will force security.ima and security.evm to be updated.

Make the setxattr error messages more explicit and clear errno.

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2022-11-13 16:56:11 -05:00
Mimi Zohar
ba2b6a97c1 log and reset 'errno' after failure to open non-critical files
Define a log_errno_reset macro to emit the errno string at or near the
time of error, similar to the existing log_errno macro, but also reset
errno to avoid dangling or duplicate errno messages on exit.

The initial usage is for non-critical file open failures.

Suggested-by: Vitaly Chikunov <vt@altlinux.org>
Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2022-11-13 16:55:50 -05:00
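The two commits above describe one pattern: report the errno string at the point where a non-critical open or an lsetxattr fails, then clear errno so the exit path does not print a stale "errno: No such file or directory (2)" line. The following C program is an added illustration of that pattern; it is not code from ima-evm-utils, and the macro and function names (log_errno_reset's exact signature, open_optional, write_xattr) are this example's own reconstruction, not the project's.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

/* Reconstruction (not the project's macro): print the errno string at or
 * near the point of failure, like a log_errno macro would, and then reset
 * errno so later generic "errno: ... (N)" reporting does not repeat it. */
#define log_errno_reset(fmt, ...) \
	do { \
		fprintf(stderr, fmt ": %s (%d)\n", ##__VA_ARGS__, \
			strerror(errno), errno); \
		errno = 0; \
	} while (0)

/* A file that may legitimately be absent: say so with the real filename,
 * clear errno, and let the caller carry on. */
int open_optional(const char *path)
{
	int fd = open(path, O_RDONLY);

	if (fd < 0) {
		log_errno_reset("Failed to open optional file %s", path);
		return -1;
	}
	return fd;
}

/* Writing security.ima / security.evm can fail for policy reasons that
 * have nothing to do with the caller's code; make the message say which
 * xattr and which file failed, then clear errno. */
int write_xattr(const char *path, const char *name,
		const void *value, size_t len)
{
	if (lsetxattr(path, name, value, len, 0) < 0) {
		log_errno_reset("setxattr %s failed on %s", name, path);
		return -1;
	}
	return 0;
}

int main(void)
{
	/* Constructed path that does not exist, to trigger ENOENT. */
	const char *missing = "/nonexistent/constructed/path";
	int fd = open_optional(missing);

	if (fd >= 0)
		close(fd);
	write_xattr(missing, "user.demo", "x", 1);

	/* errno is 0 here, so a generic exit-time errno report stays quiet. */
	printf("errno after both failures: %d\n", errno);
	return 0;
}
```

The key observable is that after each failure errno reads 0 again; a caller that prints errno unconditionally on exit therefore no longer emits a duplicate or dangling message.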
Mimi Zohar
0f3b9a0b2c Revert "Reset 'errno' after failure to open or access a file"
This reverts commit acb19d1894a4a95471b8d2346cd6c3ecf3385110, based on
the mailing list discussion and will be fixed in the next commit.

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Link: https://lore.kernel.org/linux-integrity/20220915153659.dtykhzitxdrlpasq@altlinux.org/
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2022-11-06 18:31:31 -05:00
Petr Vorel
75fadad261 ci/alpine.sh: Install bash
bash is a dependency for tests, not being installed by default on
containers.

This fixes:
../test-driver: line 112: ./ima_hash.test: not found
../test-driver: line 112: ./sign_verify.test: not found
../test-driver: line 112: ./boot_aggregate.test: not found

Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2022-08-29 17:55:57 -04:00
Petr Vorel
8f1e5224e6 ci/ubuntu: impish -> jammy
Ubuntu 21.10 impish reaches EOL in 2022-04 (next month).
Replace it with the latest stable release (EOL 2027-04).

Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2022-08-29 17:55:57 -04:00
Mimi Zohar
3d77138811 Verify an fs-verity file digest based signature
ima-evm-utils does not attempt to calculate or even read the fs-verity
file hash, but can verify the fs-verity signature based on the fsverity
file hash, both contained in the measurement list record.

Example:
evmctl ima_measurement --key <DER encoded public key> \
 --verify-sig /sys/kernel/security/ima/binary_runtime_measurements

Modify 'sig' argument of verify_hash() to be the full xattr in order to
differentiate signatures types.

Note:
Kernel commit b1aaab22e263 ("ima: pass full xattr with the signature")
added the 'type' to signature_v2_hdr struct, which hasn't been reflected
here. (todo)

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2022-08-29 17:55:57 -04:00
Mimi Zohar
fc46af121e Sign an fs-verity file digest
Sign fs-verity file digests provided in the format as produced by
"fsverity digest".  The output is of the same format as the input,
but with the file signature appended.  Use setfattr to write the
signature as security.ima xattr.

fsverity digest format: <algo>:<hash> <pathname>
output format: <algo>:<hash> <pathname> <signature>

Instead of directly signing the fsverity hash, to disambiguate the
original IMA signatures from the fs-verity signatures stored in the
security.ima xattr a new signature format version 3 (sigv3) was
defined as the hash of the xattr type (enum evm_ima_xattr_type),
the hash algorithm (enum hash_algo), and the hash.

Example:
fsverity digest <pathname> | evmctl sign_hash --veritysig \
 --key <pem encoded private key>

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2022-08-29 17:55:46 -04:00
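The sign_hash commit above defines the input and output line formats and says that the value actually signed is the sigv3 digest, a hash over the xattr type, the hash algorithm and the fs-verity file hash; the preceding ima_measurement commit recomputes the same value when verifying a measurement list record. The Python below is an added example that parses the `fsverity digest` line format, derives the sigv3 digest and appends a signature in the output format. It is not ima-evm-utils code. It assumes the two enums are encoded as one byte each with the values IMA_VERITY_DIGSIG = 6 and HASH_ALGO_SHA256 = 4 / HASH_ALGO_SHA512 = 6 (taken from the kernel headers; the page names the enums but not their values), and it stands in an HMAC with a throwaway key for the PEM private-key signature, since the standard library has no RSA/EC signing.

```python
"""Sign fs-verity file digests given in the `fsverity digest` line format."""
import hashlib
import hmac

# Enum values as defined in the Linux kernel headers (assumption for this
# example; the commit names the enums but not their numeric values).
IMA_VERITY_DIGSIG = 6                     # enum evm_ima_xattr_type
HASH_ALGO = {"sha256": 4, "sha512": 6}    # enum hash_algo (subset)


def sigv3_digest(algo: str, file_hash: bytes) -> bytes:
    """Return the sigv3 value that gets signed: the hash, using the same
    algorithm as the fs-verity digest, of the xattr type byte, the
    hash-algorithm byte and the fs-verity file hash. One-byte encoding of
    each enum is an assumption of this example."""
    if algo not in HASH_ALGO:
        raise ValueError(f"unsupported hash algorithm: {algo}")
    expected = hashlib.new(algo).digest_size
    if len(file_hash) != expected:
        raise ValueError(f"{algo} digest must be {expected} bytes")
    h = hashlib.new(algo)
    h.update(bytes([IMA_VERITY_DIGSIG, HASH_ALGO[algo]]))
    h.update(file_hash)
    return h.digest()


def parse_digest_line(line: str):
    """Parse one '<algo>:<hash> <pathname>' line as printed by
    `fsverity digest`; returns (algo, hash_bytes, pathname)."""
    line = line.rstrip("\n")
    try:
        spec, pathname = line.split(" ", 1)
        algo, hex_hash = spec.split(":", 1)
        file_hash = bytes.fromhex(hex_hash)
    except ValueError as exc:
        raise ValueError(f"malformed fsverity digest line: {line!r}") from exc
    if not pathname:
        raise ValueError(f"missing pathname in line: {line!r}")
    return algo, file_hash, pathname


def sign_digest_line(line: str, sign) -> str:
    """Return the input line with the hex signature appended, i.e.
    '<algo>:<hash> <pathname> <signature>'. `sign` is a callable that
    takes the sigv3 digest and returns the signature bytes."""
    algo, file_hash, pathname = parse_digest_line(line)
    signature = sign(sigv3_digest(algo, file_hash))
    return f"{algo}:{file_hash.hex()} {pathname} {signature.hex()}"


# Constructed stand-in for the private-key signature: an HMAC with a
# throwaway key. A real evmctl run signs with the PEM private key instead.
_DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def demo_sign(sigv3: bytes) -> bytes:
    return hmac.new(_DEMO_KEY, sigv3, "sha256").digest()


if __name__ == "__main__":
    # Constructed sample line in the `fsverity digest` format.
    sample = "sha256:" + "ab" * 32 + " /usr/bin/example"
    print(sign_digest_line(sample, demo_sign))
```

The output line is what would be handed to setfattr to store the signature in security.ima; a verifier holding the measurement list record rebuilds the same sigv3 digest from the type, algorithm and fs-verity hash before checking the signature against the public key.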
Mimi Zohar
acb19d1894 Reset 'errno' after failure to open or access a file
Not being able to open a file is not necessarily a problem. If
and when it occurs, an informational or error message with the
actual filename is emitted as needed.

Reset 'errno' to prevent the "errno: No such file or directory (2)"
generic message.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2022-08-09 10:34:25 -04:00
Mimi Zohar
eb956b8d35 travis: install fuse-overlayfs before podman
WARN[0000] Error validating CNI config file /home/travis/.config/cni/net.d/87-podman.conflist: [failed to find plugin "bridge" in path [/usr/local/libexec/cni /usr/libexec/cni /usr/local/lib/cni /usr/lib/cni /opt/cni/bin] failed to find plugin "portmap" in path [/usr/local/libexec/cni /usr/libexec/cni /usr/local/lib/cni /usr/lib/cni /opt/cni/bin] failed to find plugin "firewall" in path [/usr/local/libexec/cni /usr/libexec/cni /usr/local/lib/cni /usr/lib/cni /opt/cni/bin] failed to find plugin "tuning" in path [/usr/local/libexec/cni /usr/libexec/cni /usr/local/lib/cni /usr/lib/cni /opt/cni/bin]]

Based on https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md, install
fuse-overlayfs.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2022-06-14 07:53:27 -04:00
Mimi Zohar
170be44a7b travis: include CentOS stream 8
Replace CentOS 8 with CentOS stream 8.
Use podman for both CentOS 7 & 8.

Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2022-03-24 10:34:23 -04:00
Petr Vorel
e06980b245 ci/GitHub: Remove CentOS 8
It reached EOL in 12/2021 and CI is failing due to the removed repo:

CentOS Linux 8 - AppStream                      232  B/s |  38  B     00:00
Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: No URLs in mirrorlist

Removing only from GitHub Actions, because Mimi Zohar reported Travis
can use centos:stream8.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2022-03-23 14:26:51 -04:00
Petr Vorel
37317838b4 ci: Replace groovy -> impish
in both GitHub Actions and Travis.

groovy is EOL, which is probably the reason why its archives have been
removed:

Ign:1 http://security.ubuntu.com/ubuntu groovy-security InRelease
Ign:2 http://archive.ubuntu.com/ubuntu groovy InRelease
Err:3 http://security.ubuntu.com/ubuntu groovy-security Release
  404  Not Found [IP: 91.189.91.39 80]
Ign:4 http://archive.ubuntu.com/ubuntu groovy-updates InRelease
Ign:5 http://archive.ubuntu.com/ubuntu groovy-backports InRelease
Err:6 http://archive.ubuntu.com/ubuntu groovy Release
  404  Not Found [IP: 91.189.88.142 80]
Err:7 http://archive.ubuntu.com/ubuntu groovy-updates Release
  404  Not Found [IP: 91.189.88.142 80]
Err:8 http://archive.ubuntu.com/ubuntu groovy-backports Release
  404  Not Found [IP: 91.189.88.142 80]
Reading package lists...
E: The repository 'http://security.ubuntu.com/ubuntu groovy-security Release' does not have a Release file.
E: The repository 'http://archive.ubuntu.com/ubuntu groovy Release' does not have a Release file.
E: The repository 'http://archive.ubuntu.com/ubuntu groovy-updates Release' does not have a Release file.
E: The repository 'http://archive.ubuntu.com/ubuntu groovy-backports Release' does not have a Release file.

Using impish requires a workaround to avoid apt asking to
interactively configure tzdata.

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2022-01-19 16:34:42 -05:00
Mimi Zohar
318a3e6b2d Release version 1.4
Updated both the release and library (ABI change) versions.  See the
NEWS file for a short summary and the git history for details.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
v1.4
2021-11-03 14:07:21 -04:00
Mimi Zohar
f9b805fabc travis: use alt:sisyphus from docker.io
Instead of returning an image, it prompts for a response.  Hardcode
to use docker.io.

 Please select an image:
  ▸ docker.io/library/alt:sisyphus
    quay.io/alt:sisyphus

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-11-03 14:07:21 -04:00
Mimi Zohar
1a9472a09c travis: Fix fedora:latest, alpine:latest, and alt:sisyphus
As expected, for the same reasons as commit 6287cb76d186 ("travis: Fix
openSUSE Tumbleweed"), replace using docker with podman, but now use
crun.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-11-01 14:23:38 -04:00
Mimi Zohar
4dab8558fc ci: upgrade to glibc-2.34 uses clone3 causing CI to fail
Both opensuse/tumbleweed and Alt Linux have upgraded to glibc-2.34,
causing the CI testing to fail.  Disable seccomp (which is not needed
anyway, since GA uses throwaway virtual environments).

options: --security-opt seccomp=unconfined

Suggested-by: Vitaly Chikunov <vt@altlinux.org>
Acked-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-10-28 16:07:43 -04:00
Mimi Zohar
9171c1ce43 travis: switch to using crun for podman
Fix for:

"container_linux.go:367: starting container process caused: error
adding seccomp filter rule for syscall bdflush: permission denied":
OCI permission denied"

Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-10-28 16:07:23 -04:00
Mimi Zohar
ba366f0b41 Merge branch 'default-hash-algo' into next
Due to SHA1 weaknesses, define a configuration option to set the default
hash algorithm. The set of permitted hash algorithms is defined in the
hash_info.h header file.  At the same time, change the default hash
algorithm from SHA1 to SHA256.
2021-09-14 08:57:24 -04:00
Bruno Meneguele
3328f6efed make SHA-256 the default hash algorithm
The SHA-1 algorithm is considered a weak hash algorithm and there has been
some movement within certain distros to drop its support completely or at
least drop it from the default behavior. ima-evm-utils uses it as the
default algorithm in case the user doesn't explicitly ask for another
through the --with-default-hash configuration time option or --hashalgo/-a
runtime option. With that, make SHA-256 the default hash algorithm instead.

Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-09-13 19:20:17 -04:00
Bruno Meneguele
80bb310152 set default hash algorithm in configuration time
The default hash algorithm for evmctl is today hardcoded in the libimaevm.c
file. To facilitate package maintainers across different distributions to
set their own default hash algorithm, this patch adds the
--with-default-hash=<algo> option to the configuration script.

The chosen algorithm will then be checked for its availability in the kernel,
otherwise IMA won't be able to verify files hashed by the user. For that,
the kernel header hash_info.h is used as the source of supported hashes. In
case the hash_info.h header is not present, the configuration script warns
about it, but uses whatever the user specified in the option.

Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-09-13 19:19:31 -04:00
Mimi Zohar
5356b0487a Merge branch 'pkcs11-support-v4' into next
From the cover letter:
Add support for signing with pkcs11 URIs so that pkcs11-enabled devices
can also be used for file signing.

Extend the existing sign_verify.test with tests for the new pkcs11 URI support.
Use SoftHSM, when available, as a pkcs11 device for testing.
2021-09-13 18:56:22 -04:00
Stefan Berger
ebcdbfe91e tests: Get the packages for pkcs11 testing on the CI/CD system
Get the packages for pkcs11 testing on the CI/CD system, where available.
On those systems where it is not available, skip the two tests.

The following distros cannot run the pkcs11 tests:

- Alpine: package with pkcs11 engine not available
- CentOS7: softhsm 2.1.0 is too old for tests to work; tests also fail when
           trying to sign with pkcs11 URI using openssl command line tool
- OpenSuSE Leap: softhsm package not available in main repo

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-09-13 18:48:41 -04:00
Stefan Berger
e5b3097821 tests: Extend sign_verify test with pkcs11-specific test
Extend the sign_verify test with a pkcs11-specific test.

Since the openssl command line tool now needs to use a key provided by
an engine, extend some command lines with the additional parameters
'--keyform engine'. These parameters are passed using the global variable
OPENSSL_KEYFORM, which is only set when pkcs11 URIs are used.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-09-13 18:42:50 -04:00
Stefan Berger
4a977c8d23 tests: Import softhsm_setup script to enable pkcs11 test case
Import softhsm_setup script from my swtpm project and contribute
it to this project under dual license BSD 3-clause and GPL 2.0.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-09-13 18:42:20 -04:00
Stefan Berger
6350e014a8 libimaevm: Add support for pkcs11 private keys for signing a v2 hash
Add support for pkcs11 private keys for signing a v2 hash.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-09-13 18:39:38 -04:00
Stefan Berger
3b32acbc7d evmctl: use the pkcs11 engine for pkcs11: prefixed URIs
If the key has the pkcs11: URI prefix then setup the pkcs11 engine
if the user hasn't chosen a specific engine already.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-09-13 18:39:38 -04:00
Stefan Berger
1de1e3c8ce evmctl: Define and use an ENGINE field in libimaevm_params
Extend the global libimaevm_params structure with an ENGINE field 'eng'
and use it in place of the local ENGINE variable in main().

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-09-13 18:39:38 -04:00
Stefan Berger
29aa7465d5 evmctl: Implement function for setting up an OpenSSL engine
Move the code that sets up an OpenSSL engine into its own function.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-09-13 18:39:38 -04:00
Stefan Berger
47510a1050 evmctl: Handle failure to initialize the openssl engine
Handle failure to initialize the openssl engine. For example,

$ ./src/evmctl --engine foo
engine foo isn't available
140322992015168:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(/usr/lib64/engines-1.1/foo.so): /usr/lib64/engines-1.1/foo.so: cannot open shared object file: No such file or directory
140322992015168:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:162:
140322992015168:error:260B6084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:414:
140322992015168:error:2606A074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:334:id=foo
Segmentation fault (core dumped)

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-09-13 18:39:38 -04:00
Stefan Berger
6fbb2a305b evmctl: Implement support for EVMCTL_KEY_PASSWORD environment variable
If the user did not use the --pass option to provide a key password,
get the key password from the EVMCTL_KEY_PASSWORD environment variable.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-09-13 18:39:38 -04:00
Bruno Meneguele
fa2ba9a6e9 evmctl: fix memory leak in get_password
The variable "password" is not freed nor returned in case get_password()
succeeds. Return it instead of the intermediary variable "pwd". Issue found
by Coverity scan tool.

src/evmctl.c:2565: leaked_storage: Variable "password" going out of scope
    leaks the storage it points to.

Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-08-19 17:17:06 -04:00
Ken Goldman
b1818c1113 Create alternative tpm2_pcr_read() that uses IBM TSS
Use the IBM TSS to implement the functions as an alternative to the
command line tools.

The algorithm_string_to_algid() function supports only the digest
algorithms in use.  The table has place holders for other algorithms
as they are needed and the C strings are defined.

The table can also be used for an algorithm ID to string function if
it's ever needed.

When using the IBM TSS, link in its library.

Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
[zohar@linux.ibm.com: updated configure.ac, replaced license with SPDX,
added comment before TSS_Delete and modified rc1 testing.]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-08-11 10:57:27 -04:00
Ken Goldman
e52fc1d330 Change PCR iterator from int to uint32_t
PCR numbers are naturally unsigned values.  Further, they are
32 bits, even on 64-bit machines. This change eliminates the
need for negative value and overflow tests.

The parameter name is changed from j and idx to pcr_handle, which is
more descriptive and is similar to the parameter name used in the TPM
2.0 specification.

Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-08-10 11:22:15 -04:00
Ken Goldman
efacc1f396 Expand the INSTALL instructions
Add some of the less obvious package, TPM, and TSS prerequisites.

autoreconf -i is required before ./configure

Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-08-10 11:22:15 -04:00
Tianjia Zhang
2a7658bf0e ima-evm-utils: Fix incorrect algorithm name in hash_info.gen
There is no such algorithm name as sm3-256. This is an ambiguity
caused by the definition of the macro HASH_ALGO_SM3_256. The sed
command is only a special case of sm3, so sm3 is used to replace
the sm3-256 algorithm name.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-07-26 17:35:51 -04:00
Tianjia Zhang
a5f5dd7c8e ima-evm-utils: Support SM2/3 algorithm for sign and verify
Keep in sync with the kernel IMA, IMA signature tool supports SM2/3
algorithm combination. Because in the current version of OpenSSL 1.1.1,
the SM2 algorithm and the public key using the EC algorithm share the
same ID 'EVP_PKEY_EC', and the specific algorithm can only be
distinguished by the curve name used. This patch supports this feature.

Secondly, the openssl 1.1.1 tool does not fully support the signature
of the SM2/3 algorithm combination, so the openssl3 tool is used in the
test case; there is no such problem with directly calling the
openssl 1.1.1 API in evmctl.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
[zohar@linux.ibm.com: "COMPILE_SSL: " -> "COMPILE_SSL=" in .travis.yml]
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-07-21 13:15:02 -04:00
Vitaly Chikunov
40621b2259 Read keyid from the cert appended to the key file
Allow a certificate to be appended to the private key of the `--key'
specified (PEM) file (for v2 signing) to facilitate reading of the keyid
from the associated cert. This will allow users to have the private and
public key as a single file and avoid the need of manually specifying the
keyid. There is no check that the public key from the cert matches the
associated private key.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-07-16 17:10:33 -04:00
Vitaly Chikunov
0e7a00e26b Allow manual setting keyid from a cert file
Allow the user to specify `--keyid-from-cert cert.pem' to extract the keyid from
the SKID of the certificate file. PEM or DER format is auto-detected.

This commit creates ABI change for libimaevm, due to adding new function
ima_read_keyid(). Newer clients cannot work with older libimaevm.
Together with previous commit it creates backward-incompatible ABI
change, thus soname should be incremented on release.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-07-16 17:10:33 -04:00
Vitaly Chikunov
51b694bfea Allow manual setting keyid for signing
Allow the user to set the signature's keyid using the `--keyid' option. The keyid
should correspond to the SKID in the certificate; when the keyid is calculated
using SHA-1 in libimaevm it may mismatch the keyid extracted by the kernel from
the SKID of the certificate (the way the public key is presented to the kernel),
thus making signatures not verifiable. This may happen when the certificate is
using a non-SHA-1 SKID (see rfc7093) or just a 'unique number' (see rfc5280 4.2.1.2).
As a last resort the user may specify an arbitrary keyid using the new option.

This commit creates ABI change for libimaevm, because of adding
additional parameter to imaevm_params - newer libimaevm cannot work
with older clients.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Reported-by: Elvira Khabirova <lineprinter0@gmail.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-07-16 17:10:33 -04:00
Stefan Berger
6ecb883528 evmctl: Remove left-over check S_ISDIR() for directory signing
Since we are not signing directory entries, remove the left-over check
with S_ISDIR().

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-07-16 16:58:30 -04:00
Mimi Zohar
6cdbd2d49f Remove unnecessary NULL pointer test
Remove the "Logically dead code (DEADCODE)" as reported by Coverity.

Fixes: 9c79b7de7231 ("ima-evm-utils: support verifying the measurement list using multiple keys")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-07-16 09:38:01 -04:00
Mimi Zohar
84a423d5a1 Address "ignoring number of bytes read" messages
Coverity complains about the existing "if (!fread(....))" and inverse
syntax.  Change it to make Coverity happy.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-07-16 09:38:01 -04:00
Mimi Zohar
ad1d5e3f67 Fix out-of-bounds read
Coverity reported "overrunning an array".  Properly clear only the
remaining unused buffer memory.

Fixes: 874c0fd45cab ("EVM hmac calculation")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-07-16 09:38:01 -04:00
Mimi Zohar
996435d2d6 CI: list crypto algorithm tests skipped
Include the list and number of crypto tests skipped in the CI output.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-07-16 09:37:44 -04:00
Mimi Zohar
79ff634f7e Fix NULL pointer warning
Static analysis reported an "invalid operation involving NULL pointer"
warning.  Although the code properly exits the loop without ever
using the variable, test the pointer isn't NULL before incrementing
it.

Fixes: 80d3fda6083f ("ima-evm-utils: Check for tsspcrread in runtime")
Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-07-16 07:43:42 -04:00
Vitaly Chikunov
58a84044fd CI: Add support for ALT Linux
Build on the Sisyphus branch, which is the bleeding-edge repository.
The package manager is apt-rpm (not APT as it may look from the scripts).

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-07-16 07:43:37 -04:00
Vitaly Chikunov
aef36466c9 CI: Do not use sudo when not needed
Some distributions, such as ALT, cannot use sudo under root by default.
Error message will appear:

  root is not in the sudoers file.  This incident will be reported.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-07-14 10:29:21 -04:00
Vitaly Chikunov
a7dd075ef7 CI: Do not install swtpm if it cannot work anyway
There is no need to waste CPU cycles and time installing swtpm in the CI
container if the distribution does not have tssstartup, because we will
not be able to start it.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2021-07-13 21:02:29 -04:00