
dc0cbaea42 Merge branch 'update-ecc-doc-examples' into next
From the cover letter:
Update the README and add example scripts for RSA keys to use more
up-to-date values for key sizes and hash being used and adjust the
OpenSSL config files so that the created keys can be used with the
.machine keyring. Add EC key and cert support scripts and describe
EC key and certificate generation in the README.
2023-04-27 09:59:18 -04:00
14bce8a97c Add example scripts for EC key and certs generation
Add example scripts for EC key and certificate creation and reference
them from the README and Makefile.am.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2023-04-27 09:48:31 -04:00
ce9bfdd091 Add openssl command line examples for creation of EC keys
Add openssl command line examples for creation of EC keys for EVM and IMA
CA and signing key.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2023-04-26 19:44:09 -04:00
9f669a6b38 Update OpenSSL config files for support for .machine keyring
Update the OpenSSL config files for support for loading certs onto
the .machine keyring where certain key usage flags must be set.

Also update the OpenSSL config files shown in the README.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2023-04-26 19:44:09 -04:00
6e1b9b1521 Update default key sizes and hash to up-to-date values
Update the documentation and example scripts to use 2048 bit RSA keys
and sha256.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2023-04-26 19:44:09 -04:00
31f4a22b57 Do not get 'generation' using ioctl when evm_portable is true
If a signature is detected as being portable, do not attempt to read the
generation with the ioctl since in some cases this may not be supported
by the filesystem and is also not needed for computing a portable
signature.

This avoids the current work-around of passing --generation 0 when the
ioctl is not supported by the filesystem.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2023-04-25 08:43:25 -04:00
29c4268764 Fix fsverity.test mount failure for ppc64
fsverity requires the fs blocksize to be equal to the pagesize, which is
different on ppc64 (64K). The default mkfs blocksize is 4K. This difference
causes mount failure and following error message:

  INFO: Mounting loopback filesystem
  mount: /tmp/fsverity-test: wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.
         dmesg(1) may have more information after failed mount system call.
  FAILURE: mounting loopback filesystem

It's said this limitation is removed in Linux v6.3, but for backward
compatibility better to leave workaround for it.

Fixes: b259a2b ("tests: add fsverity measurement test")
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Tested-by: Nageswara R Sastry <rnsastry@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2023-03-14 18:09:53 -04:00
0924a739e2 fsverity.test: Add /usr/sbin into $PATH
Unlike GitHub CI, tests run by packaging tools often run as non-root,
so the required tools aren't visible:

./functions.sh: line 45: type: mkfs: not found
mkfs is required for test
./functions.sh: line 45: type: blkid: not found
blkid is required for test
./functions.sh: line 45: type: e2fsck: not found
e2fsck is required for test
./functions.sh: line 45: type: tune2fs: not found
tune2fs is required for test

Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2023-03-10 10:48:37 -05:00
10 changed files with 142 additions and 18 deletions


@ -7,7 +7,13 @@ if MANPAGE_DOCBOOK_XSL
dist_man_MANS = evmctl.1
endif
doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
doc_DATA = \
examples/ima-genkey-self.sh \
examples/ima-genkey.sh \
examples/ima-gen-local-ca.sh \
examples/ima-genkey-self-ecc.sh \
examples/ima-genkey-ecc.sh \
examples/ima-gen-local-ca-ecc.sh
EXTRA_DIST = autogen.sh $(doc_DATA)
CLEANFILES = *.html *.xsl

41
README

@ -200,11 +200,11 @@ Generate signing and verification keys
Generate private key in plain text format:
openssl genrsa -out privkey_evm.pem 1024
openssl genrsa -out privkey_evm.pem 2048
Generate encrypted private key:
openssl genrsa -des3 -out privkey_evm.pem 1024
openssl genrsa -des3 -out privkey_evm.pem 2048
Make encrypted private key from unencrypted:
@ -213,15 +213,27 @@ Make encrypted private key from unencrypted:
Generate self-signed X509 public key certificate and private key for using kernel
asymmetric keys support:
openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
openssl req -new -nodes -utf8 -sha256 -days 36500 -batch \
-x509 -config x509_evm.genkey \
-outform DER -out x509_evm.der -keyout privkey_evm.pem
Create an elliptic curve (EC) key (supported since Linux v5.13)
openssl ecparam -name prime256v1 -genkey -out privkey_evm.pem
Generate self-signed x509 EC public key certificate and private key for using
kernel asymmetric key support (supported since Linux v5.13):
openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
-x509 -config x509_evm.genkey \
-outform DER -out x509_evm.der -keyout privkey_evm.pem \
-newkey ec -pkeyopt ec_paramgen_curve:prime256v1
Configuration file x509_evm.genkey:
# Beginning of the file
[ req ]
default_bits = 1024
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@ -235,6 +247,7 @@ Configuration file x509_evm.genkey:
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
# EOF
@ -244,6 +257,9 @@ Generate public key for using RSA key format:
openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
Similarly generate public EC key:
openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem
Copy keys to /etc/keys:
@ -287,12 +303,18 @@ Configuration file ima-local-ca.genkey:
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# keyUsage = cRLSign, keyCertSign
keyUsage = cRLSign, keyCertSign
# EOF
Note: To generated elliptic curve keys add the following parameters to
the 'req' commands below (supported since Linux v5.13):
-newkey ec -pkeyopt ec_paramgen_curve:prime256v1
Generate private key and X509 public key certificate:
openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
Produce X509 in DER format for using while building the kernel:
@ -303,7 +325,7 @@ Configuration file ima.genkey:
# Beginning of the file
[ req ]
default_bits = 1024
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@ -327,7 +349,7 @@ Configuration file ima.genkey:
Generate private key and X509 public key certificate signing request:
openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \
-out csr_ima.pem -keyout privkey_ima.pem
Sign X509 public key certificate signing request with local IMA CA private key:
@ -448,6 +470,9 @@ Examples of scripts to generate X509 public key certificates:
/usr/share/doc/ima-evm-utils/ima-genkey-self.sh
/usr/share/doc/ima-evm-utils/ima-genkey.sh
/usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh
/usr/share/doc/ima-evm-utils/ima-genkey-self-ecc.sh
/usr/share/doc/ima-evm-utils/ima-genkey-ecc.sh
/usr/share/doc/ima-evm-utils/ima-gen-local-ca-ecc.sh
AUTHOR
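Review bot: The new EC self-signed example `openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \` still selects SHA-1, while every other `req` command touched by this series moves to `-sha256` and the shipped examples/ima-genkey-self-ecc.sh in the same change uses `-sha256`; it should read `openssl req -new -nodes -utf8 -sha256 -days 36500 -batch \`. OpenSSL 3 rejects SHA-1 certificate signatures at its default security level, so a reader following this line literally gets a certificate that the rest of the toolchain refuses. The added note in the ima-local-ca section also has a typo: `Note: To generate elliptic curve keys add the following parameters to`.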


@ -0,0 +1,28 @@
#!/bin/sh
GENKEY=ima-local-ca.genkey
cat << __EOF__ >$GENKEY
[ req ]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_ca
[ req_distinguished_name ]
O = IMA-CA
CN = IMA/EVM certificate signing key
emailAddress = ca@ima-ca
[ v3_ca ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
keyUsage = cRLSign, keyCertSign
__EOF__
openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv \
-newkey ec -pkeyopt ec_paramgen_curve:prime256v1
openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
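Review bot: This new script (the file header is not shown; from its content it is presumably examples/ima-gen-local-ca-ecc.sh) runs without `set -e`, so when `openssl req ...` fails the following `openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem` still executes and converts whatever stale ima-local-ca.x509 is left from an earlier run, silently producing a CA PEM that does not match the freshly intended key. The same pattern is in the new examples/ima-genkey-ecc.sh, where `openssl x509 -req -in csr_ima.pem ...` would sign a stale CSR, and in examples/ima-genkey-self-ecc.sh. Adding `set -e` on the line after `#!/bin/sh` makes each script stop at the first failing openssl invocation; quoting the config path as `"$GENKEY"` at the same time is cheap and keeps the scripts consistent should the name ever change.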


@ -19,10 +19,10 @@ emailAddress = ca@ima-ca
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# keyUsage = cRLSign, keyCertSign
keyUsage = cRLSign, keyCertSign
__EOF__
openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem

33
examples/ima-genkey-ecc.sh Executable file

@ -0,0 +1,33 @@
#!/bin/sh
GENKEY=ima.genkey
cat << __EOF__ >$GENKEY
[ req ]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_usr
[ req_distinguished_name ]
O = `hostname`
CN = `whoami` signing key
emailAddress = `whoami`@`hostname`
[ v3_usr ]
basicConstraints=critical,CA:FALSE
#basicConstraints=CA:FALSE
keyUsage=digitalSignature
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
#authorityKeyIdentifier=keyid,issuer
__EOF__
openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \
-out csr_ima.pem -keyout privkey_ima.pem \
-newkey ec -pkeyopt ec_paramgen_curve:prime256v1
openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
-CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
-outform DER -out x509_ima.der

28
examples/ima-genkey-self-ecc.sh Executable file

@ -0,0 +1,28 @@
#!/bin/sh
GENKEY=x509_evm.genkey
cat << __EOF__ >$GENKEY
[ req ]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
O = `hostname`
CN = `whoami` signing key
emailAddress = `whoami`@`hostname`
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
__EOF__
openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \
-outform DER -out x509_evm.der -keyout privkey_evm.pem \
-newkey ec -pkeyopt ec_paramgen_curve:prime256v1
openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem
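Review bot: The `[ myexts ]` section of this new script omits `extendedKeyUsage=critical,codeSigning`, which the README's x509_evm.genkey in this same series adds right after `keyUsage=digitalSignature`, and which commit 9f669a6b38 describes as needed for loading certs onto the .machine keyring. As written, a certificate produced with ima-genkey-self-ecc.sh differs from the documented configuration and from the sibling examples/ima-genkey-ecc.sh, which does set it; adding `extendedKeyUsage=critical,codeSigning` after `keyUsage=digitalSignature` closes the gap. Both hunks in examples/ima-genkey-self.sh below keep their 7-line counts, so that RSA variant appears not to receive the line either and would need the same addition — worth confirming against the full file.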


@ -4,7 +4,7 @@ GENKEY=x509_evm.genkey
cat << __EOF__ >$GENKEY
[ req ]
default_bits = 1024
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@ -22,7 +22,7 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
__EOF__
openssl req -x509 -new -nodes -utf8 -sha1 -days 3650 -batch -config $GENKEY \
openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \
-outform DER -out x509_evm.der -keyout privkey_evm.pem
openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem


@ -4,7 +4,7 @@ GENKEY=ima.genkey
cat << __EOF__ >$GENKEY
[ req ]
default_bits = 1024
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@ -20,12 +20,13 @@ basicConstraints=critical,CA:FALSE
#basicConstraints=CA:FALSE
keyUsage=digitalSignature
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
#authorityKeyIdentifier=keyid,issuer
__EOF__
openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \
-out csr_ima.pem -keyout privkey_ima.pem
openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
-CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \


@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
if (mode_str)
st.st_mode = strtoul(mode_str, NULL, 10);
if (!evm_immutable) {
if (!evm_immutable && !evm_portable) {
if (S_ISREG(st.st_mode) && !generation_str) {
int fd = open(file, 0);
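Review bot: The widened condition `if (!evm_immutable && !evm_portable) {` skips the generation lookup for portable signatures without saying why, and the rationale lives only in the commit message; the next maintainer deciding whether a filesystem ioctl failure here is a bug will have to dig it out. A comment above the line keeps it with the code: `/* Portable signatures do not cover the inode generation, so skip the ioctl, which some filesystems do not support. */`. calc_evm_hash starts and ends outside the hunk.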


@ -30,7 +30,7 @@
# custom policy rules might take precedence.
cd "$(dirname "$0")" || exit 1
PATH=../src:../fsverity-utils:$PATH
PATH=../src:../fsverity-utils:/usr/sbin:$PATH
source ./functions.sh
# Base VERBOSE on the environment variable, if set.
@ -120,6 +120,9 @@ create_loopback_file() {
case $fs_type in
ext4|f2fs)
options="-O verity"
# verity requires blocksize to be equal to pagesize.
pagesize=$(getconf PAGE_SIZE)
[ "$pagesize" -eq 4096 ] || options+=" -b $pagesize"
;;
btrfs)
;;
@ -136,7 +139,7 @@ create_loopback_file() {
fi
echo "INFO: Building an $fs_type filesystem"
if ! mkfs -t "$fs_type" -q "${TST_IMG}" "$options"; then
if ! mkfs -t "$fs_type" -q "${TST_IMG}" $options; then
echo "${RED}FAILURE: Creating $fs_type filesystem${NORM}"
exit "$FAIL"
fi
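Review bot: `pagesize=$(getconf PAGE_SIZE)` is used unchecked; if getconf is missing or prints nothing, `[ "$pagesize" -eq 4096 ]` fails with a non-integer error and the `||` branch then appends `-b ` with an empty value, so mkfs receives a malformed option on exactly the hosts the previous commit is trying to support. A fallback such as `pagesize=$(getconf PAGE_SIZE) || pagesize=4096` preserves the old default whenever the lookup fails. The new option is also added under the shared `ext4|f2fs)` case, and as far as I know mkfs.f2fs has no `-b` blocksize option, so this branch may need to be limited to ext4 — worth confirming on an f2fs run. create_loopback_file begins and ends outside these hunks.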