Re: [PATCH v2 ima-evm-utils 3/4] Add --hmackey option for evmctl


 



On 6/5/2023 9:55 AM, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
>
> Add the --hmackey option

At first glance I read this as "hackey", as in the option is a hack.
The name you have is the obvious choice, but it caught my attention
for the wrong reason. 

> , to specify an alternate path for the file
> containing the HMAC key. By default evmctl looks in
> /etc/keys/evm-key-plain.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> ---
>  README       |  3 ++-
>  src/evmctl.c | 12 ++++++++++--
>  src/imaevm.h |  1 +
>  3 files changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/README b/README
> index 40a61f94315..7239dda257e 100644
> --- a/README
> +++ b/README
> @@ -40,7 +40,7 @@ COMMANDS
>   ima_fix [-t fdsxm] path
>   ima_clear [-t fdsxm] path
>   sign_hash [--veritysig] [--key key] [--pass=<password>]
> - hmac [--imahash | --imasig ] file
> + hmac [--imahash | --imasig] [--hmackey key] file
>  
>  
>  OPTIONS
> @@ -82,6 +82,7 @@ OPTIONS
>        --ignore-violations ignore ToMToU measurement violations
>        --verify-sig   verify the file signature based on the file hash, both
>                       stored in the template data.
> +      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)
>    -v                 increase verbosity level
>    -h, --help         display this help and exit
>  
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 7a3ffd7c823..8caf9bd83fb 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1417,7 +1417,8 @@ static int cmd_hmac_evm(struct command *cmd)
>  			return err;
>  	}
>  
> -	return hmac_evm(file, "/etc/keys/evm-key-plain");
> +	return hmac_evm(file, imaevm_params.hmackeyfile ? :
> +			"/etc/keys/evm-key-plain");
>  }
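Review bot: The new return line uses `?:` with the middle operand omitted, which is a GCC/Clang extension rather than C11; unless the project already relies on it elsewhere, the explicit form `imaevm_params.hmackeyfile ? imaevm_params.hmackeyfile : "/etc/keys/evm-key-plain"` is portable and no longer. The literal `/etc/keys/evm-key-plain` now appears in this call, in the README hunk and in the usage() hunk of the same patch, so a single named constant (for example `#define DEFAULT_HMAC_KEY_PATH "/etc/keys/evm-key-plain"`, name is a proposal) used by both the call and the help string would keep the three from drifting apart. cmd_hmac_evm begins before the hunk, so whatever checks are applied to `file` above this return are not visible here.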
>  
>  static int ima_fix(const char *path)
> @@ -2873,6 +2874,9 @@ static void usage(void)
>  		"      --engine e     preload OpenSSL engine e (such as: gost) is deprecated\n"
>  #endif
>  		"      --ignore-violations ignore ToMToU measurement violations\n"
> +#ifdef DEBUG
> +		"      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)\n"
> +#endif
>  		"  -v                 increase verbosity level\n"
>  		"  -h, --help         display this help and exit\n"
>  		"\n"
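Review bot: The `--hmackey` help line is added under `#ifdef DEBUG`, but the option-table entry `{"hmackey", 1, 0, 148},` and the `case 148:` block in main() in the two later evmctl.c hunks are unconditional, so a non-DEBUG build silently accepts the option, stores the path in `imaevm_params.hmackeyfile`, and neither documents nor uses it, since the `hmac` command that consumes it is itself DEBUG-only in this patch. Either wrap the opts[] entry and the `case 148:` block in the same `#ifdef DEBUG` so the option is rejected like any other unknown one, or document it unconditionally to match the README hunk, which lists `--hmackey` without a guard. usage() starts and ends outside this hunk.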
> @@ -2902,7 +2906,7 @@ struct command cmds[] = {
>  	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
>  	{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
>  #ifdef DEBUG
> -	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
> +	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig] [--hmackey key] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
>  #endif
>  	{0, 0, 0, NULL}
>  };
> @@ -2944,6 +2948,7 @@ static struct option opts[] = {
>  	{"keyid-from-cert", 1, 0, 145},
>  	{"veritysig", 0, 0, 146},
>  	{"hwtpm", 0, 0, 147},
> +	{"hmackey", 1, 0, 148},
>  	{}
>  
>  };
> @@ -3189,6 +3194,9 @@ int main(int argc, char *argv[])
>  		case 147:
>  			hwtpm = 1;
>  			break;
> +		case 148:
> +			imaevm_params.hmackeyfile = optarg;
> +			break;
>  		case '?':
>  			exit(1);
>  			break;
> diff --git a/src/imaevm.h b/src/imaevm.h
> index 78e7ed5e89d..18d7b0e447e 100644
> --- a/src/imaevm.h
> +++ b/src/imaevm.h
> @@ -221,6 +221,7 @@ struct libimaevm_params {
>  	const char *keypass;
>  	uint32_t keyid;		/* keyid overriding value, unless 0. (Host order.) */
>  	ENGINE *eng;
> +	const char *hmackeyfile;
>  };
>  
>  struct RSA_ASN1_template {
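Review bot: The new `hmackeyfile` member is the only field in this part of struct libimaevm_params without a comment stating its contract, while the neighbouring `keyid` documents what its zero value means; a line such as `const char *hmackeyfile; /* HMAC key path; NULL selects the built-in default, not owned by the library */` would record both the default and that the pointer is borrowed (evmctl.c assigns it straight from optarg). Since this struct lives in the public header, appending a member changes its size, which is presumably an ABI consideration for out-of-tree users of libimaevm and worth a sentence in the commit message if the library does not already treat the struct as extensible.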



