Do use x509 by default
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
This commit is contained in:
Dmitry Kasatkin
parent
f9a3d7c378
commit
317fa60467
23
README
23
README
@ -19,9 +19,8 @@ it is necessary to provide '--uuid' or '-u' parameter to the 'sign' command.
|
|||||||
UUID can be provided on command line in form of '-uUUID' or '--uuid=UUID'.
|
UUID can be provided on command line in form of '-uUUID' or '--uuid=UUID'.
|
||||||
|
|
||||||
Latest kernel got IMA/EVM support for using X509 certificates and asymmetric key
|
Latest kernel got IMA/EVM support for using X509 certificates and asymmetric key
|
||||||
support for verifying digital signatures. The new command line parameter
|
support for verifying digital signatures. This version uses x509 format by default.
|
||||||
'-x' or '--x509' was added to the evmctl to enable using of X509 certificates
|
Use '--rsa' or '-1' parameter to use old signature format and API.
|
||||||
and new signature format.
|
|
||||||
|
|
||||||
|
|
||||||
Key generation
|
Key generation
|
||||||
@ -98,11 +97,11 @@ Here is an example script /etc/initramfs-tools/scripts/local-top/ima.sh
|
|||||||
|
|
||||||
# import IMA public key
|
# import IMA public key
|
||||||
ima_id=`keyctl newring _ima @u`
|
ima_id=`keyctl newring _ima @u`
|
||||||
evmctl import /etc/keys/pubkey_evm.pem $ima_id
|
evmctl --rsa import /etc/keys/pubkey_evm.pem $ima_id
|
||||||
|
|
||||||
# import EVM public key
|
# import EVM public key
|
||||||
evm_id=`keyctl newring _evm @u`
|
evm_id=`keyctl newring _evm @u`
|
||||||
evmctl import /etc/keys/pubkey_evm.pem $evm_id
|
evmctl --rsa import /etc/keys/pubkey_evm.pem $evm_id
|
||||||
|
|
||||||
# enable EVM
|
# enable EVM
|
||||||
echo "1" > /sys/kernel/security/evm
|
echo "1" > /sys/kernel/security/evm
|
||||||
@ -110,8 +109,8 @@ Here is an example script /etc/initramfs-tools/scripts/local-top/ima.sh
|
|||||||
|
|
||||||
Import X509 certificate into the kernel keyring (since kernel 3.9?)
|
Import X509 certificate into the kernel keyring (since kernel 3.9?)
|
||||||
|
|
||||||
$ evmctl -x import /etc/keys/x509_evm.der `keyctl search @u keyring _ima`
|
$ evmctl import /etc/keys/x509_evm.der `keyctl search @u keyring _ima`
|
||||||
$ evmctl -x import /etc/keys/x509_evm.der `keyctl search @u keyring _evm`
|
$ evmctl import /etc/keys/x509_evm.der `keyctl search @u keyring _evm`
|
||||||
|
|
||||||
|
|
||||||
Signing
|
Signing
|
||||||
@ -121,24 +120,24 @@ Default public key: /etc/keys/pubkey_evm.pem
|
|||||||
Default private key: /etc/keys/privkey_evm.pem
|
Default private key: /etc/keys/privkey_evm.pem
|
||||||
Default X509 certificate: /etc/keys/x509_evm.der
|
Default X509 certificate: /etc/keys/x509_evm.der
|
||||||
|
|
||||||
Signing for using X509 certificates is done using '-x' or '--x509' parameter.
|
Signing for using old RSA format is done using '-1' or '--rsa' parameter.
|
||||||
Signing for using new the EVM HMAC format is done using '-u' or '--uuid' parameter.
|
Signing for using new the EVM HMAC format is done using '-u' or '--uuid' parameter.
|
||||||
|
|
||||||
Sign file with EVM signature and use hash value for IMA - common case
|
Sign file with EVM signature and use hash value for IMA - common case
|
||||||
|
|
||||||
$ evmctl sign [-u] [-x] --imahash test.txt
|
$ evmctl sign [-u] [-1] --imahash test.txt
|
||||||
|
|
||||||
Sign file with both IMA and EVM signatures - for immutable files
|
Sign file with both IMA and EVM signatures - for immutable files
|
||||||
|
|
||||||
$ evmctl sign [-u] [-x] --imasig test.txt
|
$ evmctl sign [-u] [-1] --imasig test.txt
|
||||||
|
|
||||||
Sign file with IMA signature - for immutable files
|
Sign file with IMA signature - for immutable files
|
||||||
|
|
||||||
$ evmctl ima_sign [-x] test.txt
|
$ evmctl ima_sign [-1] test.txt
|
||||||
|
|
||||||
Label whole filesystem with EVM signatures
|
Label whole filesystem with EVM signatures
|
||||||
|
|
||||||
$ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign [-u] [-x] --imahash '{}' \;
|
$ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign [-u] [-1] --imahash '{}' \;
|
||||||
|
|
||||||
Label filesystem in fix mode - kernel sets correct values to IMA and EVM xattrs
|
Label filesystem in fix mode - kernel sets correct values to IMA and EVM xattrs
|
||||||
|
|
||||||
|
|||||||
10
src/evmctl.c
10
src/evmctl.c
@ -1510,7 +1510,7 @@ static void usage(void)
|
|||||||
" -d, --imahash also make IMA hash\n"
|
" -d, --imahash also make IMA hash\n"
|
||||||
" -f, --sigfile store IMA signature in .sig file instead of xattr\n"
|
" -f, --sigfile store IMA signature in .sig file instead of xattr\n"
|
||||||
" -m, --modsig store module signature in .sig file instead of xattr\n"
|
" -m, --modsig store module signature in .sig file instead of xattr\n"
|
||||||
" -x, --x509 signing key is in x509 DER format (signing v2 for using asymmetric keys)\n"
|
" -1, --rsa signing key is in RSA DER format (signing v1)\n"
|
||||||
" -k, --key path to signing key (default keys are /etc/keys/{privkey,pubkey}_evm.pem)\n"
|
" -k, --key path to signing key (default keys are /etc/keys/{privkey,pubkey}_evm.pem)\n"
|
||||||
" -p, --pass password for encrypted signing key\n"
|
" -p, --pass password for encrypted signing key\n"
|
||||||
" -u, --uuid use file system UUID in HMAC calculation (EVM v2)\n"
|
" -u, --uuid use file system UUID in HMAC calculation (EVM v2)\n"
|
||||||
@ -1526,7 +1526,7 @@ static void usage(void)
|
|||||||
|
|
||||||
struct command cmds[] = {
|
struct command cmds[] = {
|
||||||
{"help", cmd_help, 0, "<command>"},
|
{"help", cmd_help, 0, "<command>"},
|
||||||
{"import", cmd_import, 0, "[--x509] pubkey keyring", "Import public key into the keyring.\n"},
|
{"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring.\n"},
|
||||||
{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass password] file", "Sign file metadata.\n"},
|
{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass password] file", "Sign file metadata.\n"},
|
||||||
{"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
|
{"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
|
||||||
{"ima_sign", cmd_sign_ima, 0, "[--sigfile | --modsig] [--key key] [--pass password] file", "Make file content signature.\n"},
|
{"ima_sign", cmd_sign_ima, 0, "[--sigfile | --modsig] [--key key] [--pass password] file", "Make file content signature.\n"},
|
||||||
@ -1549,7 +1549,7 @@ static struct option opts[] = {
|
|||||||
{"sigfile", 0, 0, 'f'},
|
{"sigfile", 0, 0, 'f'},
|
||||||
{"modsig", 0, 0, 'm'},
|
{"modsig", 0, 0, 'm'},
|
||||||
{"uuid", 2, 0, 'u'},
|
{"uuid", 2, 0, 'u'},
|
||||||
{"x509", 0, 0, 'x'},
|
{"rsa", 0, 0, '1'},
|
||||||
{"key", 1, 0, 'k'},
|
{"key", 1, 0, 'k'},
|
||||||
{"type", 1, 0, 't'},
|
{"type", 1, 0, 't'},
|
||||||
{"recursive", 0, 0, 'r'},
|
{"recursive", 0, 0, 'r'},
|
||||||
@ -1606,8 +1606,8 @@ int main(int argc, char *argv[])
|
|||||||
case 'u':
|
case 'u':
|
||||||
uuid_str = optarg ?: "-";
|
uuid_str = optarg ?: "-";
|
||||||
break;
|
break;
|
||||||
case 'x':
|
case '1':
|
||||||
params.x509 = 1;
|
params.x509 = 0;
|
||||||
break;
|
break;
|
||||||
case 'k':
|
case 'k':
|
||||||
params.keyfile = optarg;
|
params.keyfile = optarg;
|
||||||
|
|||||||
@ -98,7 +98,8 @@ const struct RSA_ASN1_template RSA_ASN1_templates[PKEY_HASH__LAST] = {
|
|||||||
|
|
||||||
struct libevm_params params = {
|
struct libevm_params params = {
|
||||||
.verbose = LOG_INFO - 1,
|
.verbose = LOG_INFO - 1,
|
||||||
.hash_algo = "sha1"
|
.hash_algo = "sha1",
|
||||||
|
.x509 = 1,
|
||||||
};
|
};
|
||||||
|
|
||||||
void do_dump(FILE *fp, const void *ptr, int len, bool cr)
|
void do_dump(FILE *fp, const void *ptr, int len, bool cr)
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user