ima-evm-utils: Release version 1.2

Updated both the release and library (ABI change) versions.  See the
"Changelog" for a short list of the new features, bug fixes, and code
cleanup.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

.gitignore

@@ -2,6 +2,8 @@
 *~
 
 # Generated by autotools
+.libs
+m4
 .deps
 aclocal.m4
 autom4te.cache
@@ -20,9 +22,12 @@ compile
 libtool
 ltmain.sh
 
+
 # Compiled executables
 *.o
 *.a
+*.lo
+*.la
 src/evmctl
 tests/openclose
 config.h
@@ -40,6 +45,7 @@ cscope.*
 ncscope.*
 
 # Generated documentation
+*.1
 *.8
 *.5
 manpage.links

AUTHORS

@@ -2,4 +2,5 @@ Dmitry Kasatkin <d.kasatkin@samsung.com>
 
 CONTRIBUTORS:
 Vivek Goyal <vgoyal@redhat.com>
+Mimi Zohar <zohar@linux.vnet.ibm.com>
 

COPYING

@@ -1,8 +1,8 @@
                     GNU GENERAL PUBLIC LICENSE
                        Version 2, June 1991
 
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-     59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
@@ -15,7 +15,7 @@ software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
+the GNU Lesser General Public License instead.)  You can apply it to
 your programs, too.
 
   When we speak of free software, we are referring to freedom, not
@@ -55,7 +55,7 @@ patent must be licensed for everyone's free use or not licensed at all.
 
   The precise terms and conditions for copying, distribution and
 modification follow.
-
+
                     GNU GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
@@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions:
     License.  (Exception: if the Program itself is interactive but
     does not normally print such an announcement, your work based on
     the Program is not required to print an announcement.)
-
+
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
@@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
-
+
   4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
@@ -225,7 +225,7 @@ impose that choice.
 
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
-
+
   8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
@@ -278,7 +278,7 @@ PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
 
                      END OF TERMS AND CONDITIONS
-
+
             How to Apply These Terms to Your New Programs
 
   If you develop a new program, and you want it to be of the greatest
@@ -303,10 +303,9 @@ the "copyright" line and a pointer to where the full notice is found.
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     GNU General Public License for more details.
 
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 
 Also add information on how to contact you by electronic and paper mail.
 
@@ -336,5 +335,5 @@ necessary.  Here is a sample; alter the names:
 This General Public License does not permit incorporating your program into
 proprietary programs.  If your program is a subroutine library, you may
 consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
+library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.

ChangeLog

@@ -1,3 +1,77 @@
+
+2019-07-24  Mimi Zohar <zohar@linux.ibm.com>
+
+	version 1.2 new features:
+	* Generate EVM signatures based on the specified hash algorithm
+	* include "security.apparmor" in EVM signature
+	* Add support for writing & verifying "user.xxxx" xattrs for testing
+	* Support Strebog/Gost hash functions
+	* Add OpenSSL engine support
+	* Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
+	* Support verifying multiple signatures at once
+	* Support new template "buf" field and warn about other unknown fields
+	* Improve OpenSSL error reporting
+	* Support reading TPM 2.0 PCRs using tsspcrread
+
+	Bug fixes and code cleanup:
+	* Update manpage stylesheet detection
+	* Fix xattr.h include file
+	* On error when reading TPM PCRs, don't log gargabe
+	* Properly return keyid string to calc_keyid_v1/v2 callers, caused by
+	  limiting keyid output to verbose mode
+	* Fix hash buffer overflow caused by EVM support for larger hashes,
+	  defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
+	* Linked with libcrypto instead of OpenSSL
+	* Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
+	* Include new "hash-info.gen" in tar
+	* Log the hash algorithm, not just the hash value
+	* Fixed memory leaks in: EV_MD_CTX, init_public_keys
+	* Fixed other warnings/bugs discovered by clang, coverity
+	* Remove indirect calls in verify_hash() to improve code readability
+	* Don't fallback to using sha1
+	* Namespace some too generic object names
+	* Make functions/arrays static if possible
+
+
+2018-01-28  Mimi Zohar <zohar@us.ibm.com>
+
+	version 1.1
+	* Support the new openssl 1.1 api
+	* Support for validating multiple pcrs
+	* Verify the measurement list signature based on the list digest
+	* Verify the "ima-sig" measurement list using multiple keys
+	* Fixed parsing the measurement template data field length
+	* Portable & immutable EVM signatures (new format)
+	* Multiple fixes that have been lingering in the next branch. Some
+	  are for experimental features that are not yet supported in the
+	  kernel.
+
+2014-07-30  Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
+
+	version 1.0
+	* Recursive hashing
+	* Immutable EVM signatures (experimental)
+	* Command 'ima_clear' to remove xattrs
+	* Support for passing password to the library
+	* Support for asking password safely from the user
+
+2014-09-23  Dmitry Kasatkin <d.kasatkin@samsung.com>
+
+	version 0.9
+	* Updated README
+	* man page generated and added to the package
+	* Use additional SMACK xattrs for EVM signature generation
+	* Signing functions moved to libimaevm for external use (RPM)
+	* Fixed setting of correct hash header
+
+2014-05-05  Dmitry Kasatkin <d.kasatkin@samsung.com>
+
+	version 0.8
+	* Symbilic names for keyrings
+	* Hash list signing
+	* License text fix for using OpenSSL
+	* Help output fix
+
 2014-02-17  Dmitry Kasatkin <d.kasatkin@samsung.com>
 
 	version 0.7

Makefile.am

@@ -1,6 +1,10 @@
 SUBDIRS = src
+dist_man_MANS = evmctl.1
 
-EXTRA_DIST = autogen.sh
+doc_DATA =  examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
+EXTRA_DIST = autogen.sh $(doc_DATA)
+
+CLEANFILES = *.html *.xsl
 
 ACLOCAL_AMFLAGS = -I m4
 
@@ -19,4 +23,17 @@ rpm: $(tarname)
 	cp $(tarname) $(SRCS)/
 	rpmbuild -ba --nodeps $(SPEC)
 
+evmctl.1.html: README
+	@asciidoc -o $@ $<
+
+evmctl.1:
+	asciidoc -d manpage -b docbook -o evmctl.1.xsl README
+	xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl
+	rm -f evmctl.1.xsl
+
+rmman:
+	rm -f evmctl.1
+
+doc: evmctl.1.html rmman evmctl.1
+
 .PHONY: $(tarname)

README

@@ -1,47 +1,189 @@
-ima-evm-utils - IMA/EVM signing utility
-=========================================
+EVMCTL(1)
+=========
 
-Contents:
+NAME
+----
 
-   1. Key and signature formats
-   2. Key generation
-   3. Initialization
-   4. Signing
+evmctl - IMA/EVM signing utility
+
+
+SYNOPSIS
+--------
+
+evmctl [options] <command> [OPTIONS]
+
+
+DESCRIPTION
+-----------
+
+The evmctl utility can be used for producing and verifying digital signatures,
+which are used by Linux kernel integrity subsystem (IMA/EVM). It can be also
+used to import keys into the kernel keyring.
+
+COMMANDS
+--------
+
+ --version
+ help <command>
+ import [--rsa] pubkey keyring
+ sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
+ verify file
+ ima_sign [--sigfile] [--key key] [--pass password] file
+ ima_verify file
+ ima_hash file
+ ima_measurement [--key "key1, key2, ..."] [--list] file
+ ima_fix [-t fdsxm] path
+ sign_hash [--key key] [--pass password]
+ hmac [--imahash | --imasig ] file
+
+
+OPTIONS
+-------
+
+  -a, --hashalgo     sha1 (default), sha224, sha256, sha384, sha512
+  -s, --imasig       make IMA signature
+  -d, --imahash      make IMA hash
+  -f, --sigfile      store IMA signature in .sig file instead of xattr
+      --xattr-user   store xattrs in user namespace (for testing purposes)
+      --rsa          use RSA key type and signing scheme v1
+  -k, --key          path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
+  -o, --portable     generate portable EVM signatures
+  -p, --pass         password for encrypted signing key
+  -r, --recursive    recurse into directories (sign)
+  -t, --type         file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)
+                     x - skip fixing if both ima and evm xattrs exist (use with caution)
+                     m - stay on the same filesystem (like 'find -xdev')
+  -n                 print result to stdout instead of setting xattr
+  -u, --uuid         use custom FS UUID for EVM (unspecified: from FS, empty: do not use)
+      --smack        use extra SMACK xattrs for EVM
+      --m32          force EVM hmac/signature for 32 bit target system
+      --m64          force EVM hmac/signature for 64 bit target system
+      --engine e     preload OpenSSL engine e (such as: gost)
+  -v                 increase verbosity level
+  -h, --help         display this help and exit
+
+
+INTRODUCTION
+------------
+
+Linux kernel integrity subsystem is comprised of a number of different components
+including the Integrity Measurement Architecture (IMA), Extended Verification Module
+(EVM), IMA-appraisal extension, digital signature verification extension and audit
+measurement log support.
+
+The evmctl utility is used for producing and verifying digital signatures, which
+are used by the Linux kernel integrity subsystem. It is also used for importing keys
+into the kernel keyring.
+
+Linux integrity subsystem allows to use IMA and EVM signatures. EVM signature
+protects file metadata, such as file attributes and extended attributes. IMA
+signature protects file content.
+
+For more detailed information about integrity subsystem it is recommended to follow
+resources in RESOURCES section.
+
+
+EVM HMAC and signature metadata
+-------------------------------
+
+EVM protects file metadata by including following attributes into HMAC and signature
+calculation: inode number, inode generation, UID, GID, file mode, security.selinux,
+security.SMACK64, security.ima, security.capability.
+
+EVM HMAC and signature in may also include additional file and file system attributes.
+Currently supported additional attributes are filesystem UUID and extra SMACK
+extended attributes.
+
+Kernel configuration option CONFIG_EVM_ATTR_FSUUID controls whether to include
+filesystem UUID into HMAC and enabled by default. Therefore evmctl also includes
+fsuuid by default. Providing '--uuid' option without parameter allows to disable
+usage of fs uuid. Providing '--uuid=UUID' option with parameter allows to use
+custom UUID. Providing the '--portable' option will disable usage of the fs uuid
+and also the inode number and generation.
+
+Kernel configuration option CONFIG_EVM_EXTRA_SMACK_XATTRS controls whether to
+include additional SMACK extended attributes into HMAC. They are following:
+security.SMACK64EXEC, security.SMACK64TRANSMUTE and security.SMACK64MMAP.
+evmctl '--smack' options enables that.
 
 
 Key and signature formats
 -------------------------
 
-EVM support (v2) in latest version of the kernel adds the file system UUID to
-the HMAC calculation. It is controlled by the CONFIG_EVM_HMAC_VERSION and
-version 2 is enabled by default. In this version default UUID is included by
-default. Custom value can be supplied via '--uuid=UUID' or '-uUUID' parameter
-to the 'sign' command. To use old format HMAC format use '-' as a parameter.
+Linux integrity subsystem supports two type of signature and respectively two
+key formats.
 
-Latest kernel got IMA/EVM support for using X509 certificates and asymmetric key
-support for verifying digital signatures. This version uses x509 format by default.
-Use '--rsa' or '-1' parameter to use old signature format and API.
+First key format (v1) is pure RSA key encoded in PEM a format and uses own signature
+format. It is now non-default format and requires to provide evmctl '--rsa' option
+for signing and importing the key.
+
+Second key format uses X509 DER encoded public key certificates and uses asymmetric key support
+in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).
 
 
-Key generation
---------------
+Integrity keyrings
+----------------
 
-Generate private key in plain text format
+Integrity subsystem uses dedicated IMA/EVM keyrings to search for signature verification
+keys - '_ima' and '_evm' respectively.
 
-    $ openssl genrsa -out privkey_evm.pem 1024
+Since 3.13 IMA allows to declare IMA keyring as trusted. It allows only to load keys,
+signed by a key from the system keyring (.system). It means self-signed keys are not
+allowed. This is a default behavior unless CONFIG_IMA_TRUSTED_KEYRING is undefined.
+IMA trusted keyring is has different name '.ima'. Trusted keyring requires X509
+public key certificates. Old version RSA public keys are not compatible with trusted
+keyring.
 
-Generate encrypted private key
 
-    $ openssl genrsa -des3 -out privkey_evm.pem 1024
+Generate EVM encrypted keys
+---------------------------
 
-Make encrypted private key from unencrypted
+EVM encrypted key is used for EVM HMAC calculation:
 
-    $ openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
+    # create and save the key kernel master key (user type)
+    # LMK is used to encrypt encrypted keys
+    keyctl add user kmk "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
+    keyctl pipe `keyctl search @u user kmk` > /etc/keys/kmk
 
-Generate self-signed X509 certificate and private key for using kernel asymmetric
-keys support
+    # create the EVM encrypted key
+    keyctl add encrypted evm-key "new user:kmk 64" @u
+    keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key
 
-	$ openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
+
+Generate EVM trusted keys (TPM based)
+-------------------------------------
+
+Trusted EVM keys are keys which a generate with the help of TPM.
+They are not related to integrity trusted keys.
+
+    # create and save the key kernel master key (user type)
+    keyctl add trusted kmk "new 32" @u
+    keyctl pipe `keyctl search @u trusted kmk` >kmk
+
+    # create the EVM trusted key
+    keyctl add encrypted evm-key "new trusted:kmk 32" @u
+    keyctl pipe `keyctl search @u encrypted evm-key` >evm-key
+
+
+Generate signing and verification keys
+--------------------------------------
+
+Generate private key in plain text format:
+
+    openssl genrsa -out privkey_evm.pem 1024
+
+Generate encrypted private key:
+
+    openssl genrsa -des3 -out privkey_evm.pem 1024
+
+Make encrypted private key from unencrypted:
+
+    openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
+
+Generate self-signed X509 public key certificate and private key for using kernel
+asymmetric keys support:
+
+    openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
     	        -x509 -config x509_evm.genkey \
 	        -outform DER -out x509_evm.der -keyout privkey_evm.pem
 
@@ -68,88 +210,232 @@ Configuration file x509_evm.genkey:
 	# EOF
 
 
-Get public key
+Generate public key for using RSA key format:
 
-    $ openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
+    openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
 
-Copy keys to /etc/keys
 
-    $ cp pubkey_evm.pem /etc/keys
-    $ scp pubkey_evm.pem target:/etc/keys
+Copy keys to /etc/keys:
 
+    cp pubkey_evm.pem /etc/keys
+    scp pubkey_evm.pem target:/etc/keys
  or
-    $ cp x509_evm.pem /etc/keys
-    $ scp x509_evm.pem target:/etc/keys
+    cp x509_evm.pem /etc/keys
+    scp x509_evm.pem target:/etc/keys
 
 
-Generation of EVM keys
+Generate trusted keys
+---------------------
 
-    $ # create and save the kernel master key (user type)
-    $ keyctl add user kmk "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
-    $ keyctl pipe `keyctl search @u user kmk` > /etc/keys/kmk
-    $ # create the EVM encrypted key
-    $ keyctl add encrypted evm-key "new user:kmk 32" @u
-    $ keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key
+Generation of trusted keys is a bit more complicated process and involves
+following steps:
+
+* Creation of local IMA certification authority (CA).
+  It consist of private and public key certificate which are used
+  to sign and verify other keys.
+* Build Linux kernel with embedded local IMA CA X509 certificate.
+  It is used to verify other keys added to the '.ima' trusted keyring
+* Generate IMA private signing key and verification public key certificate,
+  which is signed using local IMA CA private key.
+
+Configuration file ima-local-ca.genkey:
+
+	# Begining of the file
+	[ req ]
+	default_bits = 2048
+	distinguished_name = req_distinguished_name
+	prompt = no
+	string_mask = utf8only
+	x509_extensions = v3_ca
+
+	[ req_distinguished_name ]
+	O = IMA-CA
+	CN = IMA/EVM certificate signing key
+	emailAddress = ca@ima-ca
+
+	[ v3_ca ]
+	basicConstraints=CA:TRUE
+	subjectKeyIdentifier=hash
+	authorityKeyIdentifier=keyid:always,issuer
+	# keyUsage = cRLSign, keyCertSign
+	# EOF
+
+Generate private key and X509 public key certificate:
+
+ openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+             -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
+
+Produce X509 in DER format for using while building the kernel:
+
+ openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
+
+Configuration file ima.genkey:
+
+	# Begining of the file
+	[ req ]
+	default_bits = 1024
+	distinguished_name = req_distinguished_name
+	prompt = no
+	string_mask = utf8only
+	x509_extensions = v3_usr
+
+	[ req_distinguished_name ]
+	O = `hostname`
+	CN = `whoami` signing key
+	emailAddress = `whoami`@`hostname`
+
+	[ v3_usr ]
+	basicConstraints=critical,CA:FALSE
+	#basicConstraints=CA:FALSE
+	keyUsage=digitalSignature
+	#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+	subjectKeyIdentifier=hash
+	authorityKeyIdentifier=keyid
+	#authorityKeyIdentifier=keyid,issuer
+	# EOF
 
 
-Initialization
---------------
+Generate private key and X509 public key certificate signing request:
+
+ openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
+             -out csr_ima.pem -keyout privkey_ima.pem
+
+Sign X509 public key certificate signing request with local IMA CA private key:
+
+ openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+              -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
+              -outform DER -out x509_ima.der
+
+
+Sign file data and metadata
+---------------------------
+
+Default key locations:
+
+ Private RSA key: /etc/keys/privkey_evm.pem
+ Public RSA key: /etc/keys/pubkey_evm.pem
+ X509 certificate: /etc/keys/x509_evm.der
+
+Options to remember: '-k', '-r', '--rsa', '--uuid', '--smack'.
+
+Sign file with EVM signature and calculate hash value for IMA:
+
+    evmctl sign --imahash test.txt
+
+Sign file with both IMA and EVM signatures:
+
+    evmctl sign --imasig test.txt:
+
+Sign file with IMA signature:
+
+    evmctl ima_sign test.txt
+
+Sign recursively whole filesystem:
+
+    evmctl -r sign --imahash /
+
+Fix recursively whole filesystem:
+
+    evmctl -r ima_fix /
+
+Sign filesystem selectively using 'find' command:
+
+    find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign --imahash '{}' \;
+
+Fix filesystem selectively using 'find' command:
+
+    find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;
+
+
+Initialize IMA/EVM at early boot
+--------------------------------
 
 IMA/EVM initialization should be normally done from initial RAM file system
 before mounting root filesystem.
 
-Here is an example script /etc/initramfs-tools/scripts/local-top/ima.sh
+Here is Ubuntu initramfs example script (/etc/initramfs-tools/scripts/local-top/ima.sh)
 
-    # import EVM HMAC key
-    keyctl clear @u
+    # mount securityfs if not mounted
+    SECFS=/sys/kernel/security
+    grep -q  $SECFS /proc/mounts || mount -n -t securityfs securityfs $SECFS
+
+    # search for IMA trusted keyring, then for untrusted
+    ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
+    if [ -z "$ima_id" ]; then
+        ima_id=`keyctl search @u keyring _ima 2>/dev/null`
+        if [ -z "$ima_id" ]; then
+	    ima_id=`keyctl newring _ima @u`
+        fi
+    fi
+    # import IMA X509 certificate
+    evmctl import /etc/keys/x509_ima.der $ima_id
+
+    # search for EVM keyring
+    evm_id=`keyctl search @u keyring _evm 2>/dev/null`
+    if [ -z "$evm_id" ]; then
+        evm_id=`keyctl newring _evm @u`
+    fi
+    # import EVM X509 certificate
+    evmctl import /etc/keys/x509_evm.der $evm_id
+
+    # a) import EVM encrypted key
     cat /etc/keys/kmk | keyctl padd user kmk @u
     keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
-
-    # import IMA public key
-    ima_id=`keyctl newring _ima @u`
-    evmctl --rsa import /etc/keys/pubkey_evm.pem $ima_id
-
-    # import EVM public key
-    evm_id=`keyctl newring _evm @u`
-    evmctl --rsa import /etc/keys/pubkey_evm.pem $evm_id
+    # OR
+    # b) import EVM trusted key
+    keyctl add trusted kmk "load `cat /etc/keys/kmk`" @u
+    keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
 
     # enable EVM
     echo "1" > /sys/kernel/security/evm
 
+Optionally it is possible also to forbid adding, removing of new public keys
+and certificates into keyrings and revoking keys using 'keyctl setperm' command:
 
-Import X509 certificate into the kernel keyring (since kernel 3.9?)
-
-    $ evmctl import /etc/keys/x509_evm.der `keyctl search @u keyring _ima`
-    $ evmctl import /etc/keys/x509_evm.der `keyctl search @u keyring _evm`
+    # protect EVM keyring
+    keyctl setperm $evm_id 0x0b0b0000
+    # protect IMA keyring
+    keyctl setperm $ima_id 0x0b0b0000
+    # protecting IMA key from revoking (against DoS)
+    ima_key=`evmctl import /etc/keys/x509_ima.der $ima_id`
+    keyctl setperm $ima_key 0x0b0b0000
 
 
-Signing
+When using plain RSA public keys in PEM format, use 'evmctl import --rsa' for importing keys:
+
+    evmctl import --rsa /etc/keys/pubkey_evm.pem $evm_id
+
+Latest version of keyctl allows to import X509 public key certificates:
+
+    cat /etc/keys/x509_ima.der | keyctl padd asymmetric '' $ima_id
+
+
+FILES
+-----
+
+Examples of scripts to generate X509 public key certificates:
+
+ /usr/share/doc/ima-evm-utils/ima-genkey-self.sh
+ /usr/share/doc/ima-evm-utils/ima-genkey.sh
+ /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh
+
+
+AUTHOR
+------
+
+Written by Dmitry Kasatkin, <dmitry.kasatkin at gmail.com> and others.
+
+
+RESOURCES
+---------
+
+ http://sourceforge.net/p/linux-ima/wiki/Home
+ http://sourceforge.net/p/linux-ima/ima-evm-utils
+
+
+COPYING
 -------
 
-Default public key: /etc/keys/pubkey_evm.pem
-Default private key: /etc/keys/privkey_evm.pem
-Default X509 certificate: /etc/keys/x509_evm.der
-
-Signing for using old RSA format is done using '-1' or '--rsa' parameter.
-Signing for using old EVM HMAC format is done using '-u-' or '--uuid=-' parameter.
-
-Sign file with EVM signature and use hash value for IMA - common case
-
-    $ evmctl sign [-u] [-1] --imahash test.txt
-
-Sign file with both IMA and EVM signatures - for immutable files
-
-    $ evmctl sign [-u] [-1] --imasig test.txt
-
-Sign file with IMA signature - for immutable files
-
-    $ evmctl ima_sign [-1] test.txt
-
-Label whole filesystem with EVM signatures
-
-    $ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign [-u] [-1] --imahash '{}' \;
-
-Label filesystem in fix mode - kernel sets correct values to IMA and EVM xattrs
-
-    $ find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;
+Copyright \(C) 2012 - 2014 Linux Integrity Project. Free use of this software is granted under
+the terms of the GNU Public License (GPL).
 

build-static.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+gcc -static -o evmctl.static -include config.h src/evmctl.c src/libimaevm.c -lcrypto -lkeyutils -ldl
+

configure.ac

@@ -1,12 +1,13 @@
 # autoconf script
 
 AC_PREREQ([2.65])
-AC_INIT(ima-evm-utils, 0.7, d.kasatkin@samsung.com)
+AC_INIT(ima-evm-utils, 1.2, zohar@linux.ibm.com)
 AM_INIT_AUTOMAKE
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 
 AC_CANONICAL_HOST
+AC_USE_SYSTEM_EXTENSIONS
 
 # Checks for programs.
 AC_PROG_CC
@@ -24,15 +25,30 @@ LT_INIT
 # Checks for header files.
 AC_HEADER_STDC
 
-PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ])
-AC_SUBST(OPENSSL_CFLAGS)
-AC_SUBST(OPENSSL_LIBS)
+PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ])
+AC_SUBST(KERNEL_HEADERS)
 AC_CHECK_HEADER(unistd.h)
 AC_CHECK_HEADERS(openssl/conf.h)
 
-AC_CHECK_HEADERS(attr/xattr.h, , [AC_MSG_ERROR([attr/xattr.h header not found. You need the libattr development package.])])
+AC_CHECK_PROG(TSSPCRREAD, [tsspcrread], yes, no)
+if test "x$TSSPCRREAD" = "xyes"; then
+	AC_DEFINE(HAVE_TSSPCRREAD, 1, [Define to 1 if you have tsspcrread binary installed])],
+fi
+
+AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])])
 AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])])
 
+AC_ARG_WITH(kernel_headers, [AS_HELP_STRING([--with-kernel-headers=PATH],
+	    [specifies the Linux kernel-headers package location or kernel root directory you want to use])],
+	    [KERNEL_HEADERS="$withval"],
+	    [KERNEL_HEADERS=/lib/modules/$(uname -r)/source])
+
+AC_ARG_ENABLE([openssl_conf],
+	      [AS_HELP_STRING([--disable-openssl-conf], [disable loading of openssl config by evmctl])],
+	      [if test "$enable_openssl_conf" = "no"; then
+		AC_DEFINE(DISABLE_OPENSSL_CONF, 1, [Define to disable loading of openssl config by evmctl.])
+	      fi], [enable_openssl_conf=yes])
+
 #debug support - yes for a while
 PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
 if test $pkg_cv_enable_debug = yes; then
@@ -41,6 +57,8 @@ else
 	CFLAGS="$CFLAGS -Wall -Wstrict-prototypes -pipe -fomit-frame-pointer"
 fi
 
+EVMCTL_MANPAGE_DOCBOOK_XSL
+
 # for gcov
 #CFLAGS="$CFLAGS -Wall -fprofile-arcs -ftest-coverage"
 #CXXFLAGS="$CXXFLAGS -Wall -fprofile-arcs -ftest-coverage"
@@ -58,5 +76,6 @@ echo
 echo
 echo	"Configuration:"
 echo	"          debug: $pkg_cv_enable_debug"
+echo	"   openssl-conf: $enable_openssl_conf"
+echo	"     tsspcrread: $TSSPCRREAD"
 echo
-

m4/manpage-docbook-xsl.m4

@@ -0,0 +1,28 @@
+dnl Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
+dnl Find docbook manpage stylesheet
+
+AC_DEFUN([EVMCTL_MANPAGE_DOCBOOK_XSL], [
+	AC_PATH_PROGS(XMLCATALOG, xmlcatalog)
+	AC_ARG_WITH([xml-catalog],
+		AC_HELP_STRING([--with-xml-catalog=CATALOG],
+				[path to xml catalog to use]),,
+				[with_xml_catalog=/etc/xml/catalog])
+	XML_CATALOG_FILE="$with_xml_catalog"
+	AC_SUBST([XML_CATALOG_FILE])
+	AC_MSG_CHECKING([for XML catalog ($XML_CATALOG_FILE)])
+	if test -f "$XML_CATALOG_FILE"; then
+		have_xmlcatalog_file=yes
+		AC_MSG_RESULT([found])
+	else
+		AC_MSG_RESULT([not found])
+	fi
+	if test "x${XMLCATALOG}" != "x" -a "x$have_xmlcatalog_file" = "xyes"; then
+		DOCBOOK_XSL_URI="http://docbook.sourceforge.net/release/xsl/current"
+		DOCBOOK_XSL_PATH="manpages/docbook.xsl"
+		MANPAGE_DOCBOOK_XSL=$(${XMLCATALOG} ${XML_CATALOG_FILE} ${DOCBOOK_XSL_URI}/${DOCBOOK_XSL_PATH} | sed -n 's|^file:/\+|/|p;q')
+	fi
+	if test "x${MANPAGE_DOCBOOK_XSL}" = "x"; then
+		MANPAGE_DOCBOOK_XSL="/usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl"
+	fi
+	AC_SUBST(MANPAGE_DOCBOOK_XSL)
+])

packaging/ima-evm-utils.spec

@@ -1,5 +1,5 @@
 Name:		ima-evm-utils
-Version:	0.7
+Version:	1.2
 Release:	1%{?dist}
 Summary:	ima-evm-utils - IMA/EVM control utility
 Group:		System/Libraries
@@ -11,7 +11,6 @@ BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires:    autoconf
 BuildRequires:    automake
 BuildRequires:    openssl-devel
-BuildRequires:    libattr-devel
 BuildRequires:    keyutils-libs-devel
 
 %description

packaging/ima-evm-utils.spec.in

@@ -11,7 +11,6 @@ BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires:    autoconf
 BuildRequires:    automake
 BuildRequires:    openssl-devel
-BuildRequires:    libattr-devel
 BuildRequires:    keyutils-libs-devel
 
 %description

src/.gitignore

@@ -0,0 +1 @@
+hash_info.h

src/Makefile.am

@@ -1,22 +1,28 @@
 lib_LTLIBRARIES = libimaevm.la
 
 libimaevm_la_SOURCES = libimaevm.c
-libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS)
+libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
 # current[:revision[:age]]
 # result: [current-age].age.revision
-libimaevm_la_LDFLAGS = -version-info 0:0:0
-libimaevm_la_LIBADD =  $(OPENSSL_LIBS)
+libimaevm_la_LDFLAGS = -version-info 1:0:0
+libimaevm_la_LIBADD =  $(LIBCRYPTO_LIBS)
 
 include_HEADERS = imaevm.h
 
+nodist_libimaevm_la_SOURCES = hash_info.h
+BUILT_SOURCES = hash_info.h
+EXTRA_DIST = hash_info.gen
+hash_info.h: Makefile
+	$(srcdir)/hash_info.gen $(KERNEL_HEADERS) >$@
+
 bin_PROGRAMS = evmctl
 
 evmctl_SOURCES = evmctl.c
-evmctl_CPPFLAGS = $(OPENSSL_CFLAGS)
+evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
 evmctl_LDFLAGS = $(LDFLAGS_READLINE)
-evmctl_LDADD =  $(OPENSSL_LIBS) -lkeyutils libimaevm.la
+evmctl_LDADD =  $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la
 
-INCLUDES = -I$(top_srcdir) -include config.h
+AM_CPPFLAGS = -I$(top_srcdir) -include config.h
 
+CLEANFILES = hash_info.h
 DISTCLEANFILES = @DISTCLEANFILES@
-

src/hash_info.gen

@@ -0,0 +1,49 @@
+#!/bin/sh
+#
+# Generate hash_info.h from kernel headers
+#
+# Copyright (C) 2018 <vt@altlinux.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+KERNEL_HEADERS=$1
+HASH_INFO_H=uapi/linux/hash_info.h
+HASH_INFO=$KERNEL_HEADERS/include/$HASH_INFO_H
+
+# Allow to specify kernel-headers past include/
+if [ ! -e $HASH_INFO ]; then
+  HASH_INFO2=$KERNEL_HEADERS/$HASH_INFO_H
+  if [ -e $HASH_INFO2 ]; then
+    HASH_INFO=$HASH_INFO2
+  fi
+fi
+
+if [ ! -e $HASH_INFO ]; then
+  echo "/* $HASH_INFO is not found */"
+  HASH_INFO=/dev/null
+else
+  echo "/* $HASH_INFO is found */"
+fi
+
+echo "enum hash_algo {"
+grep HASH_ALGO_.*, $HASH_INFO
+printf "\tHASH_ALGO__LAST\n"
+echo "};"
+
+echo "const char *const hash_algo_name[HASH_ALGO__LAST] = {"
+sed -n 's/HASH_ALGO_\(.*\),/\1 \L\1\E/p' $HASH_INFO | \
+  while read a b; do
+    # Normalize text hash name: if it contains underscore between
+    # digits replace it with a dash, other underscores are removed.
+    b=$(echo "$b" | sed "s/\([0-9]\)_\([0-9]\)/\1-\2/g;s/_//g")
+    printf '\t%-26s = "%s",\n' "[HASH_ALGO_$a]" "$b"
+  done
+echo "};"

src/imaevm.h

@@ -1,6 +1,47 @@
+/*
+ * ima-evm-utils - IMA/EVM support utilities
+ *
+ * Copyright (C) 2011 Nokia Corporation
+ * Copyright (C) 2011,2012,2013 Intel Corporation
+ * Copyright (C) 2013,2014 Samsung Electronics
+ *
+ * Authors:
+ * Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
+ *                 <dmitry.kasatkin@intel.com>
+ *                 <d.kasatkin@samsung.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the GNU General Public License in all respects
+ * for all of the code used other than as permitted herein. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you do not
+ * wish to do so, delete this exception statement from your version. If you
+ * delete this exception statement from all source files in the program,
+ * then also delete it in the license file.
+ *
+ * File: imaevm.h
+ *	 IMA/EVM header file
+ */
+
 #ifndef _LIBIMAEVM_H
 #define _LIBIMAEVM_H
 
+#include <linux/fs.h>
 #include <stdint.h>
 #include <syslog.h>
 #include <stdbool.h>
@@ -9,8 +50,10 @@
 #include <openssl/rsa.h>
 
 #ifdef USE_FPRINTF
-#define do_log(level, fmt, args...)	({ if (level <= params.verbose) fprintf(stderr, fmt, ##args); })
-#define do_log_dump(level, p, len, cr)	({ if (level <= params.verbose) do_dump(stderr, p, len, cr); })
+#define do_log(level, fmt, args...)	\
+	({ if (level <= imaevm_params.verbose) fprintf(stderr, fmt, ##args); })
+#define do_log_dump(level, p, len, cr)	\
+	({ if (level <= imaevm_params.verbose) imaevm_do_hexdump(stderr, p, len, cr); })
 #else
 #define do_log(level, fmt, args...)	syslog(level, fmt, ##args)
 #define do_log_dump(level, p, len, cr)
@@ -34,16 +77,19 @@
 #define	DATA_SIZE	4096
 #define SHA1_HASH_LEN   20
 
-#define	EXT2_IOC_GETVERSION	_IOR('v', 1, long)
-#define	EXT34_IOC_GETVERSION	_IOR('f', 3, long)
-
-#define	FS_IOC_GETFLAGS		_IOR('f', 1, long)
-#define	FS_IOC_SETFLAGS		_IOW('f', 2, long)
-#define FS_IOC32_GETFLAGS	_IOR('f', 1, int)
-#define FS_IOC32_SETFLAGS	_IOW('f', 2, int)
+#define MAX_DIGEST_SIZE		64
+#define MAX_SIGNATURE_SIZE	1024
 
 #define __packed __attribute__((packed))
 
+enum evm_ima_xattr_type {
+	IMA_XATTR_DIGEST = 0x01,
+	EVM_XATTR_HMAC,
+	EVM_IMA_XATTR_DIGSIG,
+	IMA_XATTR_DIGEST_NG,
+	EVM_XATTR_PORTABLE_DIGSIG,
+};
+
 struct h_misc {
 	unsigned long ino;
 	uint32_t generation;
@@ -68,6 +114,12 @@ struct h_misc_64 {
 	unsigned short mode;
 };
 
+struct h_misc_digsig {
+	uid_t uid;
+	gid_t gid;
+	unsigned short mode;
+};
+
 enum pubkey_algo {
 	PUBKEY_ALGO_RSA,
 	PUBKEY_ALGO_MAX,
@@ -102,6 +154,7 @@ struct signature_hdr {
 	char mpi[0];
 } __packed;
 
+/* reflect enum hash_algo from include/uapi/linux/hash_info.h */
 enum pkey_hash_algo {
 	PKEY_HASH_MD4,
 	PKEY_HASH_MD5,
@@ -111,6 +164,18 @@ enum pkey_hash_algo {
 	PKEY_HASH_SHA384,
 	PKEY_HASH_SHA512,
 	PKEY_HASH_SHA224,
+	PKEY_HASH_RIPE_MD_128,
+	PKEY_HASH_RIPE_MD_256,
+	PKEY_HASH_RIPE_MD_320,
+	PKEY_HASH_WP_256,
+	PKEY_HASH_WP_384,
+	PKEY_HASH_WP_512,
+	PKEY_HASH_TGR_128,
+	PKEY_HASH_TGR_160,
+	PKEY_HASH_TGR_192,
+	PKEY_HASH_SM3_256,
+	PKEY_HASH_STREEBOG_256,
+	PKEY_HASH_STREEBOG_512,
 	PKEY_HASH__LAST
 };
 
@@ -125,13 +190,12 @@ struct signature_v2_hdr {
 	uint8_t sig[0];		/* signature payload */
 } __packed;
 
-
-typedef int (*verify_hash_fn_t)(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile);
-
-struct libevm_params {
+struct libimaevm_params {
 	int verbose;
+	int x509;
 	const char *hash_algo;
-	char *keyfile;
+	const char *keyfile;
+	const char *keypass;
 };
 
 struct RSA_ASN1_template {
@@ -139,17 +203,25 @@ struct RSA_ASN1_template {
 	size_t size;
 };
 
-extern const struct RSA_ASN1_template RSA_ASN1_templates[PKEY_HASH__LAST];
-extern struct libevm_params params;
+#define	NUM_PCRS 20
+#define DEFAULT_PCR 10
 
-void do_dump(FILE *fp, const void *ptr, int len, bool cr);
-void dump(const void *ptr, int len);
-int get_filesize(const char *filename);
+extern struct libimaevm_params imaevm_params;
+
+void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr);
+void imaevm_hexdump(const void *ptr, int len);
 int ima_calc_hash(const char *file, uint8_t *hash);
-int get_hash_algo(const char *algo);
+int imaevm_get_hash_algo(const char *algo);
 RSA *read_pub_key(const char *keyfile, int x509);
+EVP_PKEY *read_pub_pkey(const char *keyfile, int x509);
 
-int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen);
-int ima_verify_signature(const char *file, unsigned char *sig, int siglen);
+void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len);
+void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey);
+int key2bin(RSA *key, unsigned char *pub);
+
+int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig);
+int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen);
+int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen);
+void init_public_keys(const char *keyfiles);
 
 #endif