On 6/5/2023 9:55 AM, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
>
> Add the --hmackey option
At first glance I read this as "hackey", as in the option is a hack.
The name you have is the obvious choice, but it caught my attention
for the wrong reason.
> , to specify an alternate path for the file
> containing the HMAC key. By default evmctl looks in
> /etc/keys/evm-key-plain.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> ---
> README | 3 ++-
> src/evmctl.c | 12 ++++++++++--
> src/imaevm.h | 1 +
> 3 files changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/README b/README
> index 40a61f94315..7239dda257e 100644
> --- a/README
> +++ b/README
> @@ -40,7 +40,7 @@ COMMANDS
> ima_fix [-t fdsxm] path
> ima_clear [-t fdsxm] path
> sign_hash [--veritysig] [--key key] [--pass=<password>]
> - hmac [--imahash | --imasig ] file
> + hmac [--imahash | --imasig] [--hmackey key] file
>
>
> OPTIONS
> @@ -82,6 +82,7 @@ OPTIONS
> --ignore-violations ignore ToMToU measurement violations
> --verify-sig verify the file signature based on the file hash, both
> stored in the template data.
> + --hmackey path to symmetric key (default: /etc/keys/evm-key-plain)
> -v increase verbosity level
> -h, --help display this help and exit
>
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 7a3ffd7c823..8caf9bd83fb 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1417,7 +1417,8 @@ static int cmd_hmac_evm(struct command *cmd)
> return err;
> }
>
> - return hmac_evm(file, "/etc/keys/evm-key-plain");
> + return hmac_evm(file, imaevm_params.hmackeyfile ? :
> + "/etc/keys/evm-key-plain");
> }
>
> static int ima_fix(const char *path)
> @@ -2873,6 +2874,9 @@ static void usage(void)
> " --engine e preload OpenSSL engine e (such as: gost) is deprecated\n"
> #endif
> " --ignore-violations ignore ToMToU measurement violations\n"
> +#ifdef DEBUG
> + " --hmackey path to symmetric key (default: /etc/keys/evm-key-plain)\n"
> +#endif
> " -v increase verbosity level\n"
> " -h, --help display this help and exit\n"
> "\n"
> @@ -2902,7 +2906,7 @@ struct command cmds[] = {
> {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
> {"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
> #ifdef DEBUG
> - {"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
> + {"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig] [--hmackey key] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
> #endif
> {0, 0, 0, NULL}
> };
> @@ -2944,6 +2948,7 @@ static struct option opts[] = {
> {"keyid-from-cert", 1, 0, 145},
> {"veritysig", 0, 0, 146},
> {"hwtpm", 0, 0, 147},
> + {"hmackey", 1, 0, 148},
> {}
>
> };
> @@ -3189,6 +3194,9 @@ int main(int argc, char *argv[])
> case 147:
> hwtpm = 1;
> break;
> + case 148:
> + imaevm_params.hmackeyfile = optarg;
> + break;
> case '?':
> exit(1);
> break;
> diff --git a/src/imaevm.h b/src/imaevm.h
> index 78e7ed5e89d..18d7b0e447e 100644
> --- a/src/imaevm.h
> +++ b/src/imaevm.h
> @@ -221,6 +221,7 @@ struct libimaevm_params {
> const char *keypass;
> uint32_t keyid; /* keyid overriding value, unless 0. (Host order.) */
> ENGINE *eng;
> + const char *hmackeyfile;
> };
>
> struct RSA_ASN1_template {
