On 6/16/23 15:23, Roberto Sassu wrote:
From: Roberto Sassu <roberto.sassu@xxxxxxxxxx> Modify calc_evm_hmac() to include, similarly to calc_evm_hash(), the filesystem UUID in the HMAC calculation. If the -u option is not specified in the evmctl command line, the UUID of the filesystem the input file resides on is taken for the calculation. If a string is specified as a value for the -u option, that string is taken as UUID (assuming that it is formatted correctly). If no value is specified for the -u option, the filesystem UUID is not included in the HMAC calculation. Not including the filesystem UUID in the digest/HMAC calculation is needed for the case where the kernel is compiled with CONFIG_EVM_ATTR_FSUUID=n, or the digest/HMAC is not for an EVM portable signature. Fixes: 1d24a94bb556 ("added uuid support for EVM") Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> --- src/evmctl.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/evmctl.c b/src/evmctl.c index c35a28c58f4..c24261cf0e6 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -1199,6 +1199,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s int keylen; unsigned char evmkey[MAX_KEY_SIZE]; char list[1024]; + char uuid[16]; ssize_t list_size; struct h_misc_64 hmac_misc; int hmac_size; @@ -1330,6 +1331,18 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s log_err("EVP_DigestSignUpdate() failed\n"); goto out_ctx_cleanup; } + if (!(hmac_flags & HMAC_FLAG_NO_UUID)) { + err = get_uuid(&st, uuid); + if (err) + goto out_ctx_cleanup; + + err = EVP_DigestSignUpdate(pctx, (const unsigned char *)uuid, + sizeof(uuid)); + if (!err) { + log_err("EVP_DigestSignUpdate() failed\n"); + goto out_ctx_cleanup; + } + } err = EVP_DigestSignFinal(pctx, sig, &siglen); if (err != 1) log_err("EVP_DigestSignFinal() failed\n");
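Review bot: in the first hunk, `char uuid[16];` is the raw binary UUID length rather than the 36-character text form, and `sizeof(uuid)` is what the second hunk feeds to EVP_DigestSignUpdate(); a one-line comment on the declaration saying so, plus a check that calc_evm_hash() uses the same buffer size, would make it easier to confirm that the hash and the HMAC cover identical bytes.

Review bot: in the second hunk the EVP_DigestSignUpdate() failure path reaches out_ctx_cleanup with err == 0 (OpenSSL returns 0 on failure and the test is `if (!err)`), whereas the get_uuid() failure just above jumps there with a non-zero err; unless out_ctx_cleanup rewrites the return value, the caller cannot distinguish the failed UUID update from success. Suggest setting err to the function's error value (for example `err = -1;`) before the `goto out_ctx_cleanup;` in that branch, matching how the get_uuid() error is propagated. Separately, the commit message describes three -u behaviours (option absent, string value, empty value) but the hunk shows only the HMAC_FLAG_NO_UUID check around a single `get_uuid(&st, uuid)` call; a short comment noting that an explicit -u string is applied inside get_uuid() would let a reader follow the flow without opening that helper.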
Reviewed-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>