[PATCH v2 ima-evm-utils 3/4] Add --hmackey option for evmctl


 



From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

Add the --hmackey option to specify an alternate path for the file
containing the HMAC key. By default evmctl looks in
/etc/keys/evm-key-plain.

Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
---
 README       |  3 ++-
 src/evmctl.c | 12 ++++++++++--
 src/imaevm.h |  1 +
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/README b/README
index 40a61f94315..7239dda257e 100644
--- a/README
+++ b/README
@@ -40,7 +40,7 @@ COMMANDS
  ima_fix [-t fdsxm] path
  ima_clear [-t fdsxm] path
  sign_hash [--veritysig] [--key key] [--pass=<password>]
- hmac [--imahash | --imasig ] file
+ hmac [--imahash | --imasig] [--hmackey key] file
 
 
 OPTIONS
@@ -82,6 +82,7 @@ OPTIONS
       --ignore-violations ignore ToMToU measurement violations
       --verify-sig   verify the file signature based on the file hash, both
                      stored in the template data.
+      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)
   -v                 increase verbosity level
   -h, --help         display this help and exit
 
diff --git a/src/evmctl.c b/src/evmctl.c
index 7a3ffd7c823..8caf9bd83fb 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1417,7 +1417,8 @@ static int cmd_hmac_evm(struct command *cmd)
 			return err;
 	}
 
-	return hmac_evm(file, "/etc/keys/evm-key-plain");
+	return hmac_evm(file, imaevm_params.hmackeyfile ? :
+			"/etc/keys/evm-key-plain");
 }
 
 static int ima_fix(const char *path)
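Review bot: The default key path "/etc/keys/evm-key-plain" is now a string literal in three places (the hmac_evm() call here, the usage() text in the next hunk, and README), so a future change to the default can drift between the help text and the code path actually used. A single definition near the top of evmctl.c, `#define EVM_HMAC_KEY_DEFAULT "/etc/keys/evm-key-plain"`, used as `return hmac_evm(file, imaevm_params.hmackeyfile ? imaevm_params.hmackeyfile : EVM_HMAC_KEY_DEFAULT);` would keep the code and the documented default in step. The `?:` form with an omitted middle operand is a GNU extension; spelling the operand out avoids depending on it, unless the project already relies on it elsewhere. cmd_hmac_evm's body begins outside this hunk.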
@@ -2873,6 +2874,9 @@ static void usage(void)
 		"      --engine e     preload OpenSSL engine e (such as: gost) is deprecated\n"
 #endif
 		"      --ignore-violations ignore ToMToU measurement violations\n"
+#ifdef DEBUG
+		"      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)\n"
+#endif
 		"  -v                 increase verbosity level\n"
 		"  -h, --help         display this help and exit\n"
 		"\n"
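Review bot: The help line for --hmackey is placed under `#ifdef DEBUG`, but the option itself is registered unconditionally in the opts[] hunk (`{"hmackey", 1, 0, 148}`) and parsed unconditionally in the main() hunk (`case 148`), so in a non-DEBUG build --hmackey is accepted and stores a path that nothing appears to consume, while being absent from the usage output. If the intent is that the option exists only alongside the DEBUG-only hmac command, the table entry and the case label should sit under the same `#ifdef DEBUG` as this help text; if instead the option is meant to be always available (the README documents it unconditionally), the `#ifdef` around this line should go. Either way the three hunks should agree, and a one-line comment next to the opts[] entry stating which it is would help the next reader.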
@@ -2902,7 +2906,7 @@ struct command cmds[] = {
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
 	{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
 #ifdef DEBUG
-	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
+	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig] [--hmackey key] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
 #endif
 	{0, 0, 0, NULL}
 };
@@ -2944,6 +2948,7 @@ static struct option opts[] = {
 	{"keyid-from-cert", 1, 0, 145},
 	{"veritysig", 0, 0, 146},
 	{"hwtpm", 0, 0, 147},
+	{"hmackey", 1, 0, 148},
 	{}
 
 };
@@ -3189,6 +3194,9 @@ int main(int argc, char *argv[])
 		case 147:
 			hwtpm = 1;
 			break;
+		case 148:
+			imaevm_params.hmackeyfile = optarg;
+			break;
 		case '?':
 			exit(1);
 			break;
diff --git a/src/imaevm.h b/src/imaevm.h
index 78e7ed5e89d..18d7b0e447e 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -221,6 +221,7 @@ struct libimaevm_params {
 	const char *keypass;
 	uint32_t keyid;		/* keyid overriding value, unless 0. (Host order.) */
 	ENGINE *eng;
+	const char *hmackeyfile;
 };
 
 struct RSA_ASN1_template {
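Review bot: The new field is appended to struct libimaevm_params with no comment, unlike the keyid member above it; a short note such as `const char *hmackeyfile;	/* path to the EVM HMAC key file; NULL selects the built-in default */` would document the NULL-means-default contract that cmd_hmac_evm relies on. Since this header names the struct "libimaevm_params" and it is presumably part of the library's public interface, growing the struct changes its size, which may matter for any out-of-tree consumer compiled against the previous layout; if the library is versioned as a shared object this is worth a mention in the commit message. The enclosing struct definition starts outside the hunk.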
-- 
2.25.1




