From: Roberto Sassu <roberto.sassu@xxxxxxxxxx> Add the --hmackey option, to specify an alternate path for the file containing the HMAC key. By default evmctl looks in /etc/keys/evm-key-plain. Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> --- README | 3 ++- src/evmctl.c | 12 ++++++++++-- src/imaevm.h | 1 + 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/README b/README index 40a61f94315..7239dda257e 100644 --- a/README +++ b/README @@ -40,7 +40,7 @@ COMMANDS ima_fix [-t fdsxm] path ima_clear [-t fdsxm] path sign_hash [--veritysig] [--key key] [--pass=<password>] - hmac [--imahash | --imasig ] file + hmac [--imahash | --imasig] [--hmackey key] file OPTIONS @@ -82,6 +82,7 @@ OPTIONS --ignore-violations ignore ToMToU measurement violations --verify-sig verify the file signature based on the file hash, both stored in the template data. + --hmackey path to symmetric key (default: /etc/keys/evm-key-plain) -v increase verbosity level -h, --help display this help and exit diff --git a/src/evmctl.c b/src/evmctl.c index 7a3ffd7c823..8caf9bd83fb 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -1417,7 +1417,8 @@ static int cmd_hmac_evm(struct command *cmd) return err; } - return hmac_evm(file, "/etc/keys/evm-key-plain"); + return hmac_evm(file, imaevm_params.hmackeyfile ? : + "/etc/keys/evm-key-plain"); } static int ima_fix(const char *path) @@ -2873,6 +2874,9 @@ static void usage(void) " --engine e preload OpenSSL engine e (such as: gost) is deprecated\n" #endif " --ignore-violations ignore ToMToU measurement violations\n" +#ifdef DEBUG + " --hmackey path to symmetric key (default: /etc/keys/evm-key-plain)\n" +#endif " -v increase verbosity level\n" " -h, --help display this help and exit\n" "\n" @@ -2902,7 +2906,7 @@ struct command cmds[] = { {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"}, {"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"}, #ifdef DEBUG - {"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"}, + {"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig] [--hmackey key] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"}, #endif {0, 0, 0, NULL} }; @@ -2944,6 +2948,7 @@ static struct option opts[] = { {"keyid-from-cert", 1, 0, 145}, {"veritysig", 0, 0, 146}, {"hwtpm", 0, 0, 147}, + {"hmackey", 1, 0, 148}, {} }; @@ -3189,6 +3194,9 @@ int main(int argc, char *argv[]) case 147: hwtpm = 1; break; + case 148: + imaevm_params.hmackeyfile = optarg; + break; case '?': exit(1); break; diff --git a/src/imaevm.h b/src/imaevm.h index 78e7ed5e89d..18d7b0e447e 100644 --- a/src/imaevm.h +++ b/src/imaevm.h @@ -221,6 +221,7 @@ struct libimaevm_params { const char *keypass; uint32_t keyid; /* keyid overriding value, unless 0. (Host order.) */ ENGINE *eng; + const char *hmackeyfile; }; struct RSA_ASN1_template { -- 2.25.1