Save full security.ima attribute to a file

Right now if -f option is passed in, we only save the actual signature to a file and not the full security.ima attribute. I think it makes more sense to save full security.ima attribute so that it can act as detached signatures and one can install signature later. That is signing can take place on build server and detached signatures can be generated and these signatures can be installed later on target. One can use following steps. evmctl ima_sign -f -x -a sha256 /tmp/data.txt hexdump -v -e '1/1 "%02x"' /tmp/data.txt.sig > /tmp/data.txt.sig.hex printf "# file: /tmp/data.txt\nsecurity.ima=0x" | cat - /tmp/data.txt.sig.hex | setfattr --restore - evmctl ima_verify /tmp/data.txt Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2013-07-12 14:52:12 -04:00 · 2013-07-12 14:52:12 -04:00 · 59ef0a0b99
commit 59ef0a0b99
parent ab18c60ec1
1 changed files with 2 additions and 3 deletions
--- a/src/evmctl.c
+++ b/src/evmctl.c
@ -1044,7 +1044,7 @@ static int sign_ima(const char *file, const char *key)
 	}

 	if (sigfile)
-		bin2file(file, "sig", sig + 1, len - 1);
+		bin2file(file, "sig", sig, len);

 	if (xattr) {
 		err = setxattr(file, "security.ima", sig, len, 0);
@ -1281,8 +1281,7 @@ static int verify_ima(const char *file)
 	if (sigfile) {
 		void *tmp;
 		tmp = file2bin(file, "sig", &len);
-		sig[0] = 0x03;
-		memcpy(sig+1, tmp, len++);
+		memcpy(sig, tmp, len);
 		free(tmp);
 	}