Added signature write to .sig file

To enable module signature verification on file systems without extended
attributes, or to be able to copy modules by methods which do not support
copying extended attributes, it is necessary to store the signature in a
file. This patch provides a command line parameter for storing the
signature in a .sig file.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
This commit is contained in:
Dmitry Kasatkin 2012-02-01 14:30:30 +02:00
parent c440d2d95f
commit 179664d7e9
2 changed files with 13 additions and 2 deletions

README

@ -43,6 +43,9 @@ find /lib/modules ! -name "*.ko" -type f -uid 0 -exec evmctl sign --imahash '{}'
# security.ima needs to have signature for modules
find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl sign --imasig '{}' \;
# generate signatures in .sig files
find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl -n --sigfile ima_sign '{}' \;
8. Label filesystem in fix mode...
ima_fix_dir.sh <dir>


@ -149,6 +149,7 @@ static int digsig;
static char *hash_algo = "sha1";
static int binkey;
static char *keypass;
static int sigfile;
struct command cmds[];
static void print_usage(struct command *cmd);
@ -679,6 +680,9 @@ static int sign_ima(const char *file, const char *key)
if (err < 0)
return err;
if (sigfile)
bin2file(file, "sig", sig, err + 1);
if (xattr) {
err = setxattr(file, "security.ima", sig, err + 1, 0);
if (err < 0) {
@ -1150,7 +1154,7 @@ struct command cmds[] = {
{"convert", cmd_convert, 0, "inkey outkey", "Convert PEM public key into IMA/EVM kernel friendly format.\n"},
{"sign", cmd_sign_evm, 0, "[--imahash | --imasig ] file [key]", "Sign file metadata.\n"},
{"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
{"ima_sign", cmd_sign_ima, 0, "file [key]", "Sign file content.\n"},
{"ima_sign", cmd_sign_ima, 0, "[--sigfile] file [key]", "Sign file content.\n"},
{"ima_hash", cmd_hash_ima, 0, "file", "Hash file content.\n"},
{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file [key]", "Sign file metadata with HMAC (for debugging).\n"},
{0, 0, 0, NULL}
@ -1164,6 +1168,7 @@ static struct option opts[] = {
{"hashalgo", 1, 0, 'a'},
{"bin", 0, 0, 'b'},
{"pass", 1, 0, 'p'},
{"sigfile", 0, 0, 'f'},
{}
};
@ -1176,7 +1181,7 @@ int main(int argc, char *argv[])
g_argc = argc;
while (1) {
c = getopt_long(argc, argv, "hk:vnsda:bp:", opts, &lind);
c = getopt_long(argc, argv, "hk:vnsda:bp:f", opts, &lind);
if (c == -1)
break;
@ -1210,6 +1215,9 @@ int main(int argc, char *argv[])
case 'p':
keypass = optarg;
break;
case 'f':
sigfile = 1;
break;
case '?':
exit(1);
break;
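Review bot: A failure to write the .sig file in the sign_ima hunk is not reflected in the function's result: `bin2file(file, "sig", sig, err + 1);` is called without any return value being used, and sign_ima goes on to the xattr step and its later return, so a caller — including the `find ... -exec evmctl -n --sigfile ima_sign` line added to README — sees success even when no signature file was produced. If bin2file only logs on failure (its body is not part of this commit), it should report the error to the caller, e.g. `if (sigfile && bin2file(file, "sig", sig, err + 1) < 0) return -1;` with bin2file returning a negative value when the open or write fails. A short comment such as `/* .sig holds the same bytes as security.ima, including the leading type byte */` would explain why the length is `err + 1`, the same length passed to setxattr on the next line; the type byte is inferred from that shared length rather than visible here. The visible help strings name only `--sigfile`, so if print_usage has a per-option list outside these hunks it should mention `-f` as well. sign_ima's body begins before the hunk and continues after it.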