Hi Mikhail,

On Wed, 2019-12-04 at 01:41 +0300, Mikhail Novosyolov wrote:
> From 4ae52f3cfb459c59e2e48f0d30c20c3763c8a0e7 Mon Sep 17 00:00:00 2001
> From: Mikhail Novosyolov <m.novosyolov@xxxxxxxxxxxx>
> Date: Wed, 4 Dec 2019 01:07:50 +0300
> Subject: [PATCH] ima-evm-utils: Fix compatibility with LibreSSL
>
> LibreSSL in most cases can be used as a drop-in replacement of OpenSSL.
> Commit 07d799cb6c37 "ima-evm-utils: Preload OpenSSL engine via '--engine' option"
> added OpenSSL-specific functions: "engines" were removed from LibreSSL long ago.
> Instead of requiring to attach GOST support via an external library ("engine"),
> LibreSSL has built-in implementation of GOST.
>
> Commit ebbfc41ad6ba "ima-evm-utils: try to load digest by its alias" is also not OK
> for LibreSSL because LibreSSL uses different digest names:
> md_gost12_256 -> streebog256
> md_gost12_512 -> streebog512
>
> Example how it works when linked with LibreSSL:
> $ libressl dgst -streebog256 testfile
> streebog256(a)= 04123f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
> $ evmctl -v ima_hash -a streebog256 testfile
> hash(streebog256): 04123f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
> $ evmctl -v ima_hash -a md_gost12_256 testfile
> EVP_get_digestbyname(md_gost12_256) failed
>
> TODO: it would be nice to map
> md_gost12_256 <-> streebog256
> md_gost12_512 <-> streebog512
> in evmctl CLI arguments to make the same commands work on systems both
> where evmctl is linked with LibreSSL and with OpenSSL.
>
> Fixes: 07d799cb6c37 ("ima-evm-utils: Preload OpenSSL engine via '--engine' option")
> Fixes: ebbfc41ad6ba ("ima-evm-utils: try to load digest by its alias")
> Signed-off-by: Mikhail Novosyolov <m.novosyolov@xxxxxxxxxxxx>

Since you posted this patch, I've added support for calculating the
boot_aggregate. Could you verify that this patch still works?

As I mentioned in response to Patrick Uiterwijk's support for Intel's
TSS2, "testing ima-evm-utils support for multiple crypto and TSS
packages requires building a matrix. As I'm new to travis, the travis
code is in the next-testing-travis branch, but will not be upstreamed
at this point."

From .travis.yml:

matrix:
   include:
     - env: TSS=ibmtss SSL=openssl
     - env: TSS=ibmtss SSL=libressl;
     - env: TSS=tpm2-tss SSL=openssl

I might have set up libressl incorrectly. (Refer to
tests/install-libressl.sh). Here's the report:

libtool: link: ranlib .libs/libimaevm.a
libtool: link: ( cd ".libs" && rm -f "libimaevm.la" && ln -s "../libimaevm.la" "libimaevm.la" )
/bin/bash ../libtool --tag=CC --mode=link gcc -g -O2 -g -O1 -Wall -Wstrict-prototypes -pipe -o evmctl evmctl-evmctl.o evmctl-utils.o evmctl-pcr_tsspcrread.o -lcrypto -lkeyutils libimaevm.la
libtool: link: gcc -g -O2 -g -O1 -Wall -Wstrict-prototypes -pipe -o .libs/evmctl evmctl-evmctl.o evmctl-utils.o evmctl-pcr_tsspcrread.o -lcrypto -lkeyutils ./.libs/libimaevm.so
evmctl-evmctl.o: In function `main':
/home/travis/build/linux-integrity/ima-evm-utils/src/evmctl.c:2353: undefined reference to `ERR_free_strings'
/home/travis/build/linux-integrity/ima-evm-utils/src/evmctl.c:2354: undefined reference to `EVP_cleanup'
./.libs/libimaevm.so: undefined reference to `ERR_load_crypto_strings'
collect2: error: ld returned 1 exit status
Makefile:500: recipe for target 'evmctl' failed
make[3]: Leaving directory '/home/travis/build/linux-integrity/ima-evm-utils/src'
Makefile:378: recipe for target 'all' failed
make[2]: Leaving directory '/home/travis/build/linux-integrity/ima-evm-utils/src'
make[3]: *** [evmctl] Error 1
make[2]: *** [all] Error 2
Makefile:515: recipe for target 'all-recursive' failed
make[1]: Leaving directory '/home/travis/build/linux-integrity/ima-evm-utils'
make[1]: *** [all-recursive] Error 1
Makefile:381: recipe for target 'all' failed
make: *** [all] Error 2
The command "autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check;" exited with 2.

thanks,

Mimi