'ima_hash -a sha256' and 'sign -a sha256 --imahash' commands did set
incorrect xattr header for hash algos other than sha1.
Fix it.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
'-x' option was removed a while ago, but 'x' was not removed
from getopt_long() parameter. Remove it.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
In a number of situations, the file hash has already been calculated.
Instead of reading a file to calculate the file hash, read the file hash
from stdin; and instead of writing the signature as an xattr or creating
a .sig file, output the signature as ascii-hex to stdout.
For example, piping the output of sha256sum <pathname> to evmctl would
display the original sha256 output with the file signature appended.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Currently evmctl supports importing keys onto a particular keyring
based on a numeric keyring identifier. This patch adds support
for importing keys based special values as defined by keyctl.
Thread keyring: @t (-1)
Process keyring: @p (-2)
Session keyring: @s (-3)
User specific keyring: @u (-4)
User default session keyring: @us (-5)
Group specific keyring: @g (-6)
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
'--m32|--m64' parameter can be specified to label images for different
architecture size than host.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Recursive signing is needed when doing filesystem image signing.
Using script is very slow due to multiple forking and executing.
C-based implementation provides about 7 times performance improvements.
It is very significant when doing large image signing.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Recursive signing is needed when doing filesystem image signing.
Using script is very slow due to multiple forking and executing.
C-based implementation provides about 7 times performance improvements.
It is very significant when doing large image signing.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Kernel API does not support at the momement reading of inode generation
number of special files, so do not do it also when do HMAC signing.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Kernel API does not support at the momement reading of
generation number of special files, so do not do it.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
IMA/EVM extended attributes should be get for symbolic links themselves,
not to the entries pointed by them. setxattr() dereference symbolic links.
It is necessary to use lgetxattr().
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
IMA/EVM extended attributes should be set for symbolic links themselves,
not to the entries pointed by them. setxattr() dereference symbolic links.
It is necessary to use lsetxattr().
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Using scripts which do many forking and execution is very slow on
embedded/mobile devices. C based implementation is about 7 times faster.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
PCR aggregate value is reconstructed using IMA measurement list and is compared
against TPM PCR-10. It also performs signature verification if it is available in
the measurement list. ima_measurement_new.c (Mimi Zohar) was used as an example.
Example:
evmctl ima_measurement /sys/kernel/security/ima/binary_runtime_measurements
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Proper memory cleanup is not really necessary for command line
utility because all memory is cleaned up when it quits. But as
code does it most of the cases, fix other places.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
-u required to provide uuid or '-', which was confusing.
Now -u does not require '-' argument to read uuid automatically.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Right now if -f option is passed in, we only save the actual signature to
a file and not the full security.ima attribute.
I think it makes more sense to save full security.ima attribute so that
it can act as detached signatures and one can install signature later.
That is signing can take place on build server and detached signatures
can be generated and these signatures can be installed later on target.
One can use following steps.
evmctl ima_sign -f -x -a sha256 /tmp/data.txt
hexdump -v -e '1/1 "%02x"' /tmp/data.txt.sig > /tmp/data.txt.sig.hex
printf "# file: /tmp/data.txt\nsecurity.ima=0x" | cat - /tmp/data.txt.sig.hex | setfattr --restore -
evmctl ima_verify /tmp/data.txt
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Currently we assume signature version is v1 until and unless -x is
specified on kernel command line. Given the fact that signature version
information is available in signature itself, it is much better to get
it from there and not require user to pass -x during verification phase.
If user passed -x on command line, then honor it.
Now one can do following.
evmctl ima_sign -x /tmp/data.txt
evmctl ima_verify /tmp/data.txt
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Using enums for fixed values looks cleaner. Also I am planning to use
version field in more places in next patch. So use enums intead of
numbers like 1 and 2.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
After applying previous patch, we will always get hash algo info from
signature and if user specified one on command line, that will be overridden.
This is like breaking old behavior. So keep track whether user specified
hash algo on command line or not. If user did not specify one then get
hash algo info from signature otherwise use the one user provided.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
