Produce immutable EVM signature

'evmctl sign -i <file>' generates immutable EVM signature. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
2014-10-29 12:32:21 +02:00 · 2014-10-29 12:32:21 +02:00 · 92033dc404
commit 92033dc404
parent f805d4d0fe
2 changed files with 39 additions and 18 deletions
--- a/src/evmctl.c
+++ b/src/evmctl.c
@ -107,6 +107,7 @@ static char *search_type;
 static int recursive;
 static int msize;
 static dev_t fs_dev;
+static bool evm_immutable;

 #define HMAC_FLAG_UUID			0x0001
 #define HMAC_FLAG_UUID_SET		0x0002
@ -318,24 +319,25 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 		return -1;
 	}

-	if (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) {
-		/* we cannot at the momement to get generation of special files..
-		 * kernel API does not support it */
-		int fd = open(file, 0);
+	if (!evm_immutable) {
+		if (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) {
+			/* we cannot at the momement to get generation of special files..
+			 * kernel API does not support it */
+			int fd = open(file, 0);

-		if (fd < 0) {
-			log_err("Failed to open: %s\n", file);
-			return -1;
+			if (fd < 0) {
+				log_err("Failed to open: %s\n", file);
+				return -1;
+			}
+			if (ioctl(fd, FS_IOC_GETVERSION, &generation)) {
+				log_err("ioctl() failed\n");
+				return -1;
+			}
+			close(fd);
 		}
-		if (ioctl(fd, FS_IOC_GETVERSION, &generation)) {
-			log_err("ioctl() failed\n");
-			return -1;
-		}
-		close(fd);
+		log_info("generation: %u\n", generation);
 	}

-	log_info("generation: %u\n", generation);
-
 	list_size = llistxattr(file, list, sizeof(list));
 	if (list_size < 0) {
 		log_err("llistxattr() failed\n");
@ -370,7 +372,14 @@ static int calc_evm_hash(const char *file, unsigned char *hash)

 	memset(&hmac_misc, 0, sizeof(hmac_misc));

-	if (msize == 0) {
+	if (evm_immutable) {
+		struct h_misc_digsig *hmac = (struct h_misc_digsig *)&hmac_misc;
+
+		hmac_size = sizeof(*hmac);
+		hmac->uid = st.st_uid;
+		hmac->gid = st.st_gid;
+		hmac->mode = st.st_mode;
+	} else if (msize == 0) {
 		struct h_misc *hmac = (struct h_misc *)&hmac_misc;

 		hmac_size = sizeof(*hmac);
@ -408,7 +417,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 		return 1;
 	}

-	if (hmac_flags & HMAC_FLAG_UUID) {
+	if (!evm_immutable && (hmac_flags & HMAC_FLAG_UUID)) {
 		err = get_uuid(&st, uuid);
 		if (err)
 			return -1;
@ -447,6 +456,9 @@ static int sign_evm(const char *file, const char *key)
 	len++;
 	sig[0] = EVM_IMA_XATTR_DIGSIG;

+	if (evm_immutable)
+		sig[1] = 3; /* immutable signature version */
+
 	if (sigdump || params.verbose >= LOG_INFO)
 		dump(sig, len);

@ -1539,7 +1551,7 @@ int main(int argc, char *argv[])
 	g_argc = argc;

 	while (1) {
-		c = getopt_long(argc, argv, "hvnsda:p:fu::k:t:r", opts, &lind);
+		c = getopt_long(argc, argv, "hvnsda:p:fu::k:t:ri", opts, &lind);
 		if (c == -1)
 			break;

@ -1585,6 +1597,9 @@ int main(int argc, char *argv[])
 		case 'k':
 			params.keyfile = optarg;
 			break;
+		case 'i':
+			evm_immutable = true;
+			break;
 		case 't':
 			search_type = optarg;
 			break;
@ -1635,6 +1650,6 @@ int main(int argc, char *argv[])

 	ERR_free_strings();
 	EVP_cleanup();
-
+	BIO_free(NULL);
 	return err;
 }
--- a/src/imaevm.h
+++ b/src/imaevm.h
@ -108,6 +108,12 @@ struct h_misc_64 {
 	unsigned short mode;
 };

+struct h_misc_digsig {
+	uid_t uid;
+	gid_t gid;
+	unsigned short mode;
+};
+
 enum pubkey_algo {
 	PUBKEY_ALGO_RSA,
 	PUBKEY_ALGO_MAX,