Use EVM v2 HMAC format by default

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Dmitry Kasatkin 2014-01-24 15:06:49 +02:00
parent 317fa60467
commit 86d8772653
2 changed files with 8 additions and 8 deletions

README

@ -14,9 +14,9 @@ Key and signature formats
EVM support (v2) in latest version of the kernel adds the file system UUID to EVM support (v2) in latest version of the kernel adds the file system UUID to
the HMAC calculation. It is controlled by the CONFIG_EVM_HMAC_VERSION and the HMAC calculation. It is controlled by the CONFIG_EVM_HMAC_VERSION and
version 2 is enabled by default. To include the UUID to the signature calculation, version 2 is enabled by default. In this version default UUID is included by
it is necessary to provide '--uuid' or '-u' parameter to the 'sign' command. default. Custom value can be supplied via '--uuid=UUID' or '-uUUID' parameter
UUID can be provided on command line in form of '-uUUID' or '--uuid=UUID'. to the 'sign' command. To use old format HMAC format use '-' as a parameter.
Latest kernel got IMA/EVM support for using X509 certificates and asymmetric key Latest kernel got IMA/EVM support for using X509 certificates and asymmetric key
support for verifying digital signatures. This version uses x509 format by default. support for verifying digital signatures. This version uses x509 format by default.
@ -121,7 +121,7 @@ Default private key: /etc/keys/privkey_evm.pem
Default X509 certificate: /etc/keys/x509_evm.der Default X509 certificate: /etc/keys/x509_evm.der
Signing for using old RSA format is done using '-1' or '--rsa' parameter. Signing for using old RSA format is done using '-1' or '--rsa' parameter.
Signing for using new the EVM HMAC format is done using '-u' or '--uuid' parameter. Signing for using old EVM HMAC format is done using '-u-' or '--uuid=-' parameter.
Sign file with EVM signature and use hash value for IMA - common case Sign file with EVM signature and use hash value for IMA - common case
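Review bot: the attached forms '-u-' and '--uuid=-' documented here are the right ones, because with an optional argument a separated "-u -" would leave optarg NULL and the main() change in this commit then falls back to "+", silently selecting the new format instead of the old one. Consider adding one sentence here saying that the '-' must be attached to the option, so users who copy the older '-u UUID' spacing from the previous README do not get the opposite of what they asked for.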


@ -72,7 +72,7 @@ static int digsig;
static char *keypass; static char *keypass;
static int sigfile; static int sigfile;
static int modsig; static int modsig;
static char *uuid_str; static char *uuid_str = "+";
static char *search_type; static char *search_type;
static int recursive; static int recursive;
static dev_t fs_dev; static dev_t fs_dev;
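Review bot: "+" and "-" are now magic sentinel strings that must agree across three places (this initializer, the get_uuid() test, the calc_evm_hash() test, and the optarg fallback in main()). Suggest naming them once, e.g. `#define UUID_FROM_FS "+"` and `#define UUID_NONE "-"`, and adding a comment on `uuid_str` explaining that "+" means "read the UUID from the file system" and "-" means "do not include a UUID (v1 HMAC)"; otherwise a future edit to one of the four sites will quietly break the others.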
@ -434,7 +434,7 @@ static int get_uuid(struct stat *st, char *uuid)
FILE *fp; FILE *fp;
size_t len; size_t len;
if (uuid_str[0] != '-') if (uuid_str[0] != '+')
return pack_uuid(uuid_str, uuid); return pack_uuid(uuid_str, uuid);
dev = st->st_dev; dev = st->st_dev;
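Review bot: get_uuid() now dereferences `uuid_str[0]` unconditionally, which is only safe because the same commit initializes `uuid_str` to "+" so it can no longer be NULL; that invariant is worth a comment here. More importantly, get_uuid() only recognises "+": if it is ever reached with `uuid_str` equal to "-", or with an empty string from `--uuid=`, it hands that string to pack_uuid() as though it were a UUID. Since the only guard against "-" lives in calc_evm_hash(), either make get_uuid() reject "-" and "" itself or document that callers must check first.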
@ -540,7 +540,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
return 1; return 1;
} }
if (uuid_str) { if (*uuid_str != '-') {
err = get_uuid(&st, uuid); err = get_uuid(&st, uuid);
if (err) if (err)
return -1; return -1;
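Review bot: `if (*uuid_str != '-')` does not cover the empty-argument case. getopt delivers `--uuid=` as a non-NULL empty string, so `*uuid_str` is '\0', the test is true, and get_uuid() is called, which then passes "" to pack_uuid() because "" does not start with '+'. Suggest treating an empty value the same as the default (or rejecting it with a usage error) here or in main(), so a malformed command line cannot produce an HMAC over whatever pack_uuid() makes of an empty string.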
@ -1604,7 +1604,7 @@ int main(int argc, char *argv[])
xattr = 0; xattr = 0;
break; break;
case 'u': case 'u':
uuid_str = optarg ?: "-"; uuid_str = optarg ?: "+";
break; break;
case '1': case '1':
params.x509 = 0; params.x509 = 0;
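Review bot: with the default already set to "+" in the declaration, a bare `-u` with no value is now a no-op, since `optarg ?: "+"` just re-selects the default; that is fine, but the README and the usage text should say so, as the previous behaviour was that `-u` alone was what switched the UUID on. Note also that `?:` is a GNU C extension; if the tool is meant to build with non-GCC compilers, spell it out as `uuid_str = optarg ? optarg : "+";`. Finally, an empty optarg from `--uuid=` is accepted here and flows through to calc_evm_hash() and get_uuid() unchecked; validating the value at the option-parsing site would be the simplest fix.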