From 179664d7e9572bbd5a54be210bb4c00de30f7260 Mon Sep 17 00:00:00 2001
From: Dmitry Kasatkin
Date: Wed, 1 Feb 2012 14:30:30 +0200
Subject: [PATCH] Added signature write to .sig file
To enable module signature verification working on file systems without extended attributes, or to be able to copy modules by methods, which does not support extended attribute copying, it is necessary to store signature in the file. This patch provides command line parameter for storing signature in .sig file.
Signed-off-by: Dmitry Kasatkin
---
 README | 3 +++
 src/evmctl.c | 12 ++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/README b/README
index 86515eb..55a3345 100644
--- a/README
+++ b/README
@@ -43,6 +43,9 @@ find /lib/modules ! -name "*.ko" -type f -uid 0 -exec evmctl sign --imahash '{}'
 # security.ima needs to have signature for modules
 find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl sign --imasig '{}' \;
+# generate signatures in .sig files
+find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl -n --sigfile ima_sign '{}' \;
+
 8. Label filesystem in fix mode...
 ima_fix_dir.sh
diff --git a/src/evmctl.c b/src/evmctl.c
index 3d0454a..04955e0 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -149,6 +149,7 @@ static int digsig;
 static char *hash_algo = "sha1";
 static int binkey;
 static char *keypass;
+static int sigfile;
 struct command cmds[];
 static void print_usage(struct command *cmd);
@@ -679,6 +680,9 @@ static int sign_ima(const char *file, const char *key)
 if (err < 0)
 return err;
+ if (sigfile)
+ bin2file(file, "sig", sig, err + 1);
+
 if (xattr) {
 err = setxattr(file, "security.ima", sig, err + 1, 0);
 if (err < 0) {
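Review bot: The return value of `bin2file()` is discarded in the new `if (sigfile)` branch of sign_ima() (hunk @@ -679), so a failure to create or write the .sig file — unwritable directory, full disk — leaves sign_ima() returning success, whereas the setxattr() path immediately below checks its result and reports the error. Assuming bin2file() signals failure with a negative return like the other helpers in this function (its definition is not in the diff), the check should mirror the xattr path without clobbering the signature length still needed by the setxattr() call: `if (sigfile) { int rc = bin2file(file, "sig", sig, err + 1); if (rc < 0) return rc; }`. A caller that relies on the exit status to know every module was signed would otherwise proceed with modules that have no usable .sig file. sign_ima()'s body begins and ends outside the hunk.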
@@ -1150,7 +1154,7 @@ struct command cmds[] = {
 {"convert", cmd_convert, 0, "inkey outkey", "Convert PEM public key into IMA/EVM kernel friendly format.\n"},
 {"sign", cmd_sign_evm, 0, "[--imahash | --imasig ] file [key]", "Sign file metadata.\n"},
 {"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
- {"ima_sign", cmd_sign_ima, 0, "file [key]", "Sign file content.\n"},
+ {"ima_sign", cmd_sign_ima, 0, "[--sigfile] file [key]", "Sign file content.\n"},
 {"ima_hash", cmd_hash_ima, 0, "file", "Hash file content.\n"},
 {"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file [key]", "Sign file metadata with HMAC (for debugging).\n"},
 {0, 0, 0, NULL}
@@ -1164,6 +1168,7 @@ static struct option opts[] = {
 {"hashalgo", 1, 0, 'a'},
 {"bin", 0, 0, 'b'},
 {"pass", 1, 0, 'p'},
+ {"sigfile", 0, 0, 'f'},
 {}
 };
@@ -1176,7 +1181,7 @@ int main(int argc, char *argv[])
 g_argc = argc;
 while (1) {
- c = getopt_long(argc, argv, "hk:vnsda:bp:", opts, &lind);
+ c = getopt_long(argc, argv, "hk:vnsda:bp:f", opts, &lind);
 if (c == -1)
 break;
@@ -1210,6 +1215,9 @@ int main(int argc, char *argv[])
 case 'p':
 keypass = optarg;
 break;
+ case 'f':
+ sigfile = 1;
+ break;
 case '?':
 exit(1);
 break;
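Review bot: The new usage string for `ima_sign` (hunk @@ -1150) shows `[--sigfile]` after the command name, but `--sigfile` is a global option consumed by getopt_long() in main() before any command is dispatched, and the README example added by this same patch writes it before the command (`evmctl -n --sigfile ima_sign '{}'`). With GNU getopt's default argument permutation both spellings will usually work, but the two documents should agree; the existing `sign` entry uses the same post-command convention, so either keep it and have the README match, or document it the way the README does. Nothing in these hunks tells the user that `-f` is the short form of `--sigfile`; if print_usage() (outside this diff) carries a per-option help list, `-f, --sigfile` belongs there too.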