On Tue, 2023-03-21 at 17:47 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
>
> Modify calc_evm_hmac() to include, similarly to calc_evm_hash(), the
> filesystem UUID in the HMAC calculation.
>
> If the -u option is not specified in the evmctl command line, the UUID of
> the filesystem the input file resides on is taken for the calculation.
>
> If a string is specified as a value for the -u option, that string is taken
> as UUID (assuming that it is formatted correctly).
>
> If no value is specified for the -u option, the filesystem UUID is not
> included in the HMAC calculation.
>
> Not including the filesystem UUID in the digest/HMAC calculation is needed
> for the case where the kernel is compiled with CONFIG_EVM_ATTR_FSUUID=n, or
> the digest/HMAC is not for an EVM portable signature.
>

Fixes: 1d24a94bb556 ("added uuid support for EVM")

> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

Roberto

> ---
>  src/evmctl.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
>
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 6d2bb67427d..304b70de40f 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1199,6 +1199,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s
>  	int keylen;
>  	unsigned char evmkey[MAX_KEY_SIZE];
>  	char list[1024];
> +	char uuid[16];
>  	ssize_t list_size;
>  	struct h_misc_64 hmac_misc;
>  	int hmac_size;
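Review bot: `char uuid[16]` is the raw 16-byte UUID that get_uuid() fills in the next hunk, not the 36-character text form a reader might expect from the "-u <string>" behaviour in the commit message; a one-line comment or a name such as `uuid_bin` would make that explicit, and since `sizeof(uuid)` is what the next hunk feeds to EVP_DigestSignUpdate(), it is worth confirming that get_uuid() writes exactly 16 bytes on both the filesystem-lookup path and the parsed-string path.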
> @@ -1330,6 +1331,18 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s
>  		log_err("EVP_DigestSignUpdate() failed\n");
>  		goto out_ctx_cleanup;
>  	}
> +	if (!(hmac_flags & HMAC_FLAG_NO_UUID)) {
> +		err = get_uuid(&st, uuid);
> +		if (err)
> +			goto out_ctx_cleanup;
> +
> +		err = EVP_DigestSignUpdate(pctx, (const unsigned char *)uuid,
> +					   sizeof(uuid));
> +		if (!err) {
> +			log_err("EVP_DigestSignUpdate() failed\n");
> +			goto out_ctx_cleanup;
> +		}
> +	}
>  	err = EVP_DigestSignFinal(pctx, sig, &siglen);
>  	if (err != 1)
>  		log_err("EVP_DigestSignFinal() failed\n");
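Review bot: the two new failure paths reach out_ctx_cleanup with `err` in different conventions: a get_uuid() failure jumps with its nonzero return value still in `err`, while an EVP_DigestSignUpdate() failure jumps with `err == 0`, so whatever the cleanup label returns, a UUID lookup failure and a digest-update failure will surface differently to the caller; the get_uuid() branch is also silent where the EVP branch logs. Consider normalising before the jump (for example `err = -1;` on the get_uuid() path, or a `log_err("get_uuid() failed\n");`) so both paths fail the same way. Separately, the UUID is appended after the hmac_misc update and before EVP_DigestSignFinal(); please confirm that position matches the order calc_evm_hash() uses, as the commit message says this mirrors it, because a different field order yields an HMAC the kernel will not verify.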
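The three -u behaviours described in the commit message, and the reason omitting the UUID matters when the verifying kernel is built with CONFIG_EVM_ATTR_FSUUID=n, as an added example that models the HMAC-input assembly. This is not code from ima-evm-utils or the kernel: the misc struct layout, the order in which xattr values, misc fields and UUID are concatenated, the SHA-1 digest, and all sample data are assumptions made for illustration.

```python
"""Model of how the filesystem UUID enters an EVM-style HMAC.

Added example, not ima-evm-utils or kernel code. Field layout, field
order, digest algorithm and sample data are assumptions for illustration.
"""
import hashlib
import hmac
import struct
import uuid

# Constructed sample data (not taken from a real filesystem or key store).
SAMPLE_KEY = b"0123456789abcdef0123456789abcdef"
SAMPLE_XATTRS = {
    "security.ima": bytes.fromhex("04" + "00" * 20),   # constructed IMA xattr
    "security.selinux": b"system_u:object_r:etc_t:s0\x00",
}
SAMPLE_FS_UUID = "12345678-1234-5678-1234-567812345678"   # constructed

# Assumed layout for the misc block: inode number as u64, generation,
# uid and gid as u32, mode as u16, little-endian, no trailing padding.
MISC_FMT = "<QIIIH"


def pack_misc(ino, generation, uid, gid, mode):
    """Serialise the per-inode metadata that the HMAC covers."""
    return struct.pack(MISC_FMT, ino, generation, uid, gid, mode)


def resolve_uuid(option, fs_uuid):
    """Map a -u option value to the bytes appended to the HMAC input.

    option is None -> -u not given: use the UUID of the file's filesystem
    option is ''   -> -u given without a value: do not include a UUID
    other string   -> parse it as a UUID; ValueError if malformed
    Returns 16 raw bytes or b''.
    """
    if option is None:
        return uuid.UUID(fs_uuid).bytes
    if option == "":
        return b""
    return uuid.UUID(option).bytes   # raises ValueError on bad input


def uuid_option_is_valid(option, fs_uuid=SAMPLE_FS_UUID):
    """True if resolve_uuid() accepts the option value."""
    try:
        resolve_uuid(option, fs_uuid)
        return True
    except ValueError:
        return False


def hmac_input(xattrs, misc, uuid_bytes):
    """Assumed order: protected xattr values, then misc, then the UUID."""
    values = b"".join(xattrs[name] for name in sorted(xattrs))
    return values + misc + uuid_bytes


def evm_hmac(key, xattrs, misc, uuid_bytes, digest="sha1"):
    """HMAC over the assembled input (SHA-1 is an assumption here)."""
    return hmac.new(key, hmac_input(xattrs, misc, uuid_bytes), digest).digest()


def compute(option, fs_uuid=SAMPLE_FS_UUID, key=SAMPLE_KEY):
    """Compute the HMAC the way the tool would for a given -u option value."""
    misc = pack_misc(ino=4242, generation=7, uid=0, gid=0, mode=0o100644)
    return evm_hmac(key, SAMPLE_XATTRS, misc, resolve_uuid(option, fs_uuid))


def verifier_accepts(value, fsuuid_enabled, fs_uuid=SAMPLE_FS_UUID,
                     key=SAMPLE_KEY):
    """Model a kernel built with CONFIG_EVM_ATTR_FSUUID=y (True) or =n (False)
    recomputing the HMAC from the inode and comparing it to the stored value."""
    expected = compute(None if fsuuid_enabled else "", fs_uuid, key)
    return hmac.compare_digest(value, expected)


if __name__ == "__main__":
    for label, opt in (("default", None), ("-u <uuid>", SAMPLE_FS_UUID),
                       ("-u (no value)", "")):
        print(f"{label:14s} {compute(opt).hex()}")
```

The model makes the failure mode concrete: a value produced with the UUID included verifies only on a kernel that also folds the UUID in, and an HMAC produced with an empty -u verifies only on a CONFIG_EVM_ATTR_FSUUID=n kernel, so the option has to match the target kernel's configuration rather than being a free choice.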