On 6/5/2023 9:55 AM, Roberto Sassu wrote: > From: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > > Add the --hmackey option At first glance I read this as "hackey", as in the option is a hack. The name you have is the obvious choice, but it caught my attention for the wrong reason. > , to specify an alternate path for the file > containing the HMAC key. By default evmctl looks in > /etc/keys/evm-key-plain. > > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > --- > README | 3 ++- > src/evmctl.c | 12 ++++++++++-- > src/imaevm.h | 1 + > 3 files changed, 13 insertions(+), 3 deletions(-) > > diff --git a/README b/README > index 40a61f94315..7239dda257e 100644 > --- a/README > +++ b/README > @@ -40,7 +40,7 @@ COMMANDS > ima_fix [-t fdsxm] path > ima_clear [-t fdsxm] path > sign_hash [--veritysig] [--key key] [--pass=<password>] > - hmac [--imahash | --imasig ] file > + hmac [--imahash | --imasig] [--hmackey key] file > > > OPTIONS > @@ -82,6 +82,7 @@ OPTIONS > --ignore-violations ignore ToMToU measurement violations > --verify-sig verify the file signature based on the file hash, both > stored in the template data. > + --hmackey path to symmetric key (default: /etc/keys/evm-key-plain) > -v increase verbosity level > -h, --help display this help and exit > > diff --git a/src/evmctl.c b/src/evmctl.c > index 7a3ffd7c823..8caf9bd83fb 100644 > --- a/src/evmctl.c > +++ b/src/evmctl.c > @@ -1417,7 +1417,8 @@ static int cmd_hmac_evm(struct command *cmd) > return err; > } > > - return hmac_evm(file, "/etc/keys/evm-key-plain"); > + return hmac_evm(file, imaevm_params.hmackeyfile ? : > + "/etc/keys/evm-key-plain"); > } > > static int ima_fix(const char *path) > @@ -2873,6 +2874,9 @@ static void usage(void) > " --engine e preload OpenSSL engine e (such as: gost) is deprecated\n" > #endif > " --ignore-violations ignore ToMToU measurement violations\n" > +#ifdef DEBUG > + " --hmackey path to symmetric key (default: /etc/keys/evm-key-plain)\n" > +#endif > " -v increase verbosity level\n" > " -h, --help display this help and exit\n" > "\n" > @@ -2902,7 +2906,7 @@ struct command cmds[] = { > {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"}, > {"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"}, > #ifdef DEBUG > - {"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"}, > + {"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig] [--hmackey key] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"}, > #endif > {0, 0, 0, NULL} > }; > @@ -2944,6 +2948,7 @@ static struct option opts[] = { > {"keyid-from-cert", 1, 0, 145}, > {"veritysig", 0, 0, 146}, > {"hwtpm", 0, 0, 147}, > + {"hmackey", 1, 0, 148}, > {} > > }; > @@ -3189,6 +3194,9 @@ int main(int argc, char *argv[]) > case 147: > hwtpm = 1; > break; > + case 148: > + imaevm_params.hmackeyfile = optarg; > + break; > case '?': > exit(1); > break; > diff --git a/src/imaevm.h b/src/imaevm.h > index 78e7ed5e89d..18d7b0e447e 100644 > --- a/src/imaevm.h > +++ b/src/imaevm.h > @@ -221,6 +221,7 @@ struct libimaevm_params { > const char *keypass; > uint32_t keyid; /* keyid overriding value, unless 0. (Host order.) */ > ENGINE *eng; > + const char *hmackeyfile; > }; > > struct RSA_ASN1_template {