License changed from LGPL to GPL as in COPYING

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>

AUTHORS

@@ -1,2 +1,5 @@
-Dmitry Kasatkin <dmitry.kasatkin@intel.com>
+Dmitry Kasatkin <d.kasatkin@samsung.com>
+
+CONTRIBUTORS:
+Vivek Goyal <vgoyal@redhat.com>
 

ChangeLog

@@ -1,3 +1,13 @@
+2013-08-28  Dmitry Kasatkin <d.kasatkin@samsung.com>
+
+	version 0.6
+	* support for asymmetric crypto keys and new signature format (v2)
+	* fixes to set correct hash algo for digital signature v1
+	* uuid support for EVM
+	* signature verification support
+	* test scripts removed
+	* README updates
+
 2012-05-18  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 
 	version 0.3

Makefile.am

@@ -1,6 +1,6 @@
-SUBDIRS = src tests
+SUBDIRS = src
 
-#EXTRA_DIST = LEGAL acinclude.m4 include
+EXTRA_DIST = autogen.sh
 
 ACLOCAL_AMFLAGS = -I m4
 
@@ -11,7 +11,6 @@ pkgname = $(PACKAGE_NAME)-$(PACKAGE_VERSION)
 tarname = $(pkgname).tar.gz
 
 $(tarname):
-	git tag v$(PACKAGE_VERSION)
 	git archive --format=tar --prefix=$(pkgname)/ v$(PACKAGE_VERSION) $(FILES) | gzip >$@
 
 tar: $(tarname)

README

@@ -1,52 +1,146 @@
+ima-evm-utils - IMA/EVM signing utility
+=========================================
 
-1. Generate private key
+Contents:
 
-# plain key
-openssl genrsa -out privkey_evm.pem 1024
+   1. Key and signature formats
+   2. Key generation
+   3. Initialization
+   4. Signing
 
-# encrypted key
-openssl genrsa -des3 -out privkey_evm.pem 1024
 
-# set password for the key
-openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
+Key and signature formats
+-------------------------
+
+EVM support (v2) in latest version of the kernel adds the file system UUID to
+the HMAC calculation. It is controlled by the CONFIG_EVM_HMAC_VERSION and
+version 2 is enabled by default. To include the UUID to the signature calculation,
+it is necessary to provide '--uuid' or '-u' parameter to the 'sign' command.
+UUID can be provided on command line in form of '-uUUID' or '--uuid=UUID'.
+
+Latest kernel got IMA/EVM support for using X509 certificates and asymmetric key
+support for verifying digital signatures. The new command line parameter
+'-x' or '--x509' was added to the evmctl to enable using of X509 certificates
+and new signature format.
+
+
+Key generation
+--------------
+
+Generate private key in plain text format
+
+    $ openssl genrsa -out privkey_evm.pem 1024
+
+Generate encrypted private key
+
+    $ openssl genrsa -des3 -out privkey_evm.pem 1024
+
+Make encrypted private key from unencrypted
+
+    $ openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
+
+Generate self-signed X509 certificate and private key for using kernel asymmetric
+keys support
+
+	$ openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
+	      -x509 -config x509_evm.genkey \
+	      -outform DER -out x509_evm.der -keyout privkey_evm.pem
+
+Configuration file x509_evm.genkey:
+
+	# Begining of the file
+	[ req ]
+	default_bits = 1024
+	distinguished_name = req_distinguished_name
+	prompt = no
+	string_mask = utf8only
+	x509_extensions = myexts
+
+	[ req_distinguished_name ]
+	O = Magrathea
+	CN = Glacier signing key
+	emailAddress = slartibartfast@magrathea.h2g2
+
+	[ myexts ]
+	basicConstraints=critical,CA:FALSE
+	keyUsage=digitalSignature
+	subjectKeyIdentifier=hash
+	authorityKeyIdentifier=keyid
+	# EOF
+
+
+Get public key
+
+    $ openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
+
+Copy keys to /etc/keys
+
+    $ cp pubkey_evm.pem /etc/keys
+    $ scp pubkey_evm.pem target:/etc/keys
+
 or
-openssl pkcs8 -topk8 -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem
+    $ cp x509_evm.pem /etc/keys
+    $ scp x509_evm.pem target:/etc/keys
 
-2. Generate public key
 
-openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
+Initialization
+--------------
 
-3. Copy public (+private if to sign on device) key to the device/qemu /etc/keys
+IMA/EVM initialization should be normally done from initial RAM file system
+before mounting root filesystem.
 
-scp pubkey_evm.pem mad:/etc/keys
+Here is an example script /etc/initramfs-tools/scripts/local-top/ima.sh
 
-4. Load keys and enable EVM
+    # import EVM HMAC key
+    keyctl clear @u
+    keyctl add user kmk "testing123" @u
+    keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
 
-evm_enable.sh
+    # import IMA public key
+    ima_id=`keyctl newring _ima @u`
+    evmctl import /etc/keys/pubkey_evm.pem $ima_id
 
-This should be done at early phase, before mounting root filesystem.
+    # import EVM public key
+    evm_id=`keyctl newring _evm @u`
+    evmctl import /etc/keys/pubkey_evm.pem $evm_id
 
-5. Sign EVM and use hash value for IMA - common case
+    # enable EVM
+    echo "1" > /sys/kernel/security/evm
 
-evmctl sign --imahash test.txt
 
-6. Sign IMA and EVM - for immutable files and modules
+Import X509 certificate into the kernel keyring (since kernel 3.9?)
 
-evmctl sign --imasig test.txt
+    $ evmctl -x import /etc/keys/x509_evm.der `keyctl search @u keyring _ima`
+    $ evmctl -x import /etc/keys/x509_evm.der `keyctl search @u keyring _evm`
 
-7. Sign whole filesystem
 
-evm_sign_all.sh
-or
-find / \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) ! -path "/lib/modules/*" -type f -uid 0 -exec evmctl sign --imahash '{}' \;
-find /lib/modules ! -name "*.ko" -type f -uid 0 -exec evmctl sign --imahash '{}' \;
-# security.ima needs to have signature for modules
-find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl sign --imasig '{}' \;
+Signing
+-------
 
-# generate signatures in .sig files
-find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl -n --sigfile ima_sign '{}' \;
+Default public key: /etc/keys/pubkey_evm.pem
+Default private key: /etc/keys/privkey_evm.pem
+Default X509 certificate: /etc/keys/x509_evm.der
 
-8. Label filesystem in fix mode...
+Signing for using X509 certificates is done using '-x' or '--x509' parameter.
+Signing for using new the EVM HMAC format is done using '-u' or '--uuid' parameter.
 
-ima_fix_dir.sh <dir>
+Sign file with EVM signature and use hash value for IMA - common case
+
+    $ evmctl sign [-u] [-x] --imahash test.txt
+
+Sign file with both IMA and EVM signatures - for immutable files
+
+    $ evmctl sign [-u] [-x] --imasig test.txt
+
+Sign file with IMA signature - for immutable files
+
+    $ evmctl ima_sign [-x] test.txt
+
+Label whole filesystem with EVM signatures
+
+    $ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign [-u] [-x] --imahash '{}' \;
+
+Label filesystem in fix mode - kernel sets correct values to IMA and EVM xattrs
+
+    $ find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;
 

configure.ac

@@ -1,7 +1,7 @@
 # autoconf script
 
 AC_PREREQ([2.65])
-AC_INIT(ima-evm-utils, 0.3, dmitry.kasatkin@intel.com)
+AC_INIT(ima-evm-utils, 0.6, d.kasatkin@samsung.com)
 AM_INIT_AUTOMAKE(AC_PACKAGE_NAME, AC_PACKAGE_VERSION)
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
@@ -30,6 +30,9 @@ AC_SUBST(OPENSSL_LIBS)
 AC_CHECK_HEADER(unistd.h)
 AC_CHECK_HEADERS(openssl/conf.h)
 
+AC_CHECK_HEADERS(attr/xattr.h, , [AC_MSG_ERROR([attr/xattr.h header not found. You need the libattr development package.])])
+AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])])
+
 #debug support - yes for a while
 PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
 if test $pkg_cv_enable_debug = yes; then
@@ -46,7 +49,6 @@ fi
 
 AC_CONFIG_FILES([Makefile
 		src/Makefile
-		tests/Makefile
 		ima-evm-utils.spec
 		])
 AC_OUTPUT

ima-evm-utils.spec.in

@@ -3,7 +3,7 @@ Version:	@PACKAGE_VERSION@
 Release:	1%{?dist}
 Summary:	@PACKAGE_NAME@ - IMA/EVM control utility
 Group:		System/Libraries
-License:	LGPLv2
+License:	GPLv2
 #URL:		
 Source0:	%{name}-%{version}.tar.gz
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root

tests/Makefile.am

@@ -1,7 +0,0 @@
-pkglibexec_PROGRAMS = openclose
-
-openclose_SOURCES = openclose.c
-
-dist_pkglibexec_SCRIPTS = evm_enable.sh evm_genkey.sh evm_sign_all.sh evm_sign_modules.sh \
-			ima_fix_dir.sh evm_hmac_all.sh evm_hmac_modules.sh
-

tests/evm_enable.sh

@@ -1,25 +0,0 @@
-#!/bin/sh
-
-# import EVM HMAC key
-keyctl clear @u
-keyctl add user kmk "testing123" @u
-keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
-
-# import Moule public key
-mod_id=`keyctl newring _module @u`
-evmctl import /etc/keys/pubkey_evm.pem $mod_id
-
-# import IMA public key
-ima_id=`keyctl newring _ima @u`
-evmctl import /etc/keys/pubkey_evm.pem $ima_id
-
-# import EVM public key
-evm_id=`keyctl newring _evm @u`
-evmctl import /etc/keys/pubkey_evm.pem $evm_id
-
-# enable EVM
-echo "1" > /sys/kernel/security/evm
-
-# enable module checking
-echo "1" > /sys/kernel/security/ima/module_check
-

tests/evm_genkey.sh

@@ -1,8 +0,0 @@
-#!/bin/sh
-
-keyctl add user kmk "testing123" @u
-key=`keyctl add encrypted evm-key "new user:kmk 32" @u`
-keyctl print $key >/etc/keys/evm-key
-
-keyctl list @u
-

tests/evm_hmac_all.sh

@@ -1,14 +0,0 @@
-#!/bin/sh
-
-verbose=""
-if [ "$1" = "-v" ] ; then
-	verbose="-v"
-	shift 1
-fi
-
-dir=${1:-/}
-
-echo "Label: $dir"
-
-find $dir \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) \( -type f -o -type d \) -exec evmctl hmac --imahash $verbose '{}' \;
-

tests/evm_hmac_modules.sh

@@ -1,14 +0,0 @@
-#!/bin/sh
-
-verbose=""
-if [ "$1" = "-v" ] ; then
-	verbose="-v"
-	shift 1
-fi
-
-dir=${1:-/lib/modules}
-
-echo "HMAC modules: $dir"
-
-find $dir -name "*.ko" -type f -exec evmctl hmac --imasig $verbose '{}' \;
-

tests/evm_sign_all.sh

@@ -1,14 +0,0 @@
-#!/bin/sh
-
-verbose=""
-if [ "$1" = "-v" ] ; then
-	verbose="-v"
-	shift 1
-fi
-
-dir=${1:-/}
-
-echo "Label: $dir"
-
-find $dir \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) -type f -exec evmctl sign --imahash $verbose '{}' \;
-

tests/evm_sign_modules.sh

@@ -1,14 +0,0 @@
-#!/bin/sh
-
-verbose=""
-if [ "$1" = "-v" ] ; then
-	verbose="-v"
-	shift 1
-fi
-
-dir=${1:-/lib/modules}
-
-echo "Signing modules: $dir"
-
-find $dir -name "*.ko" -type f -exec evmctl sign --imasig $verbose '{}' \;
-

tests/ima_fix_dir.sh

@@ -1,8 +0,0 @@
-#!/bin/sh
-
-dir=${1:-/}
-
-echo "Fixing dir: $dir"
-
-find $dir \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) -type f -exec openclose '{}' \;
-

tests/openclose.c

@@ -1,20 +0,0 @@
-#include <unistd.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <stdlib.h>
-
-int main(int argc, char *argv[])
-{
-	int fd;
-
-	fd = open(argv[1], O_RDONLY);
-	if (fd < 0) {
-		perror("open()");
-		exit(1);
-	}
-
-	close(fd);
-
-	return 0;
-}
-