From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
"evmctl --hmac" was only enabled in debug mode, since the hmac key was not
exposed to userspace. It was never really used. With the ability of
creating an encrypted key based on user-provided decrypted data, verifying
the EVM hmac is now feasible.
Make "evmctl --hmac" more configurable by adding the --hmackey option, to
specify an alternate path for the file containing the HMAC key. By default
evmctl looks in /etc/keys/evm-key-plain.
Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
---
README | 3 ++-
src/evmctl.c | 12 ++++++++++--
src/imaevm.h | 1 +
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/README b/README
index 40a61f94315..7239dda257e 100644
--- a/README
+++ b/README
@@ -40,7 +40,7 @@ COMMANDS
ima_fix [-t fdsxm] path
ima_clear [-t fdsxm] path
sign_hash [--veritysig] [--key key] [--pass=<password>]
- hmac [--imahash | --imasig ] file
+ hmac [--imahash | --imasig] [--hmackey key] file
OPTIONS
@@ -82,6 +82,7 @@ OPTIONS
--ignore-violations ignore ToMToU measurement violations
--verify-sig verify the file signature based on the file hash, both
stored in the template data.
+ --hmackey path to symmetric key (default: /etc/keys/evm-key-plain)
-v increase verbosity level
-h, --help display this help and exit
diff --git a/src/evmctl.c b/src/evmctl.c
index 7a3ffd7c823..8caf9bd83fb 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1417,7 +1417,8 @@ static int cmd_hmac_evm(struct command *cmd)
return err;
}
- return hmac_evm(file, "/etc/keys/evm-key-plain");
+ return hmac_evm(file, imaevm_params.hmackeyfile ? :
+ "/etc/keys/evm-key-plain");
}
static int ima_fix(const char *path)
@@ -2873,6 +2874,9 @@ static void usage(void)
" --engine e preload OpenSSL engine e (such as: gost) is deprecated\n"
#endif
" --ignore-violations ignore ToMToU measurement violations\n"
+#ifdef DEBUG
+ " --hmackey path to symmetric key (default: /etc/keys/evm-key-plain)\n"
+#endif
" -v increase verbosity level\n"
" -h, --help display this help and exit\n"
"\n"
@@ -2902,7 +2906,7 @@ struct command cmds[] = {
{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
#ifdef DEBUG
- {"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
+ {"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig] [--hmackey key] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
#endif
{0, 0, 0, NULL}
};
@@ -2944,6 +2948,7 @@ static struct option opts[] = {
{"keyid-from-cert", 1, 0, 145},
{"veritysig", 0, 0, 146},
{"hwtpm", 0, 0, 147},
+ {"hmackey", 1, 0, 148},
{}
};
@@ -3189,6 +3194,9 @@ int main(int argc, char *argv[])
case 147:
hwtpm = 1;
break;
+ case 148:
+ imaevm_params.hmackeyfile = optarg;
+ break;
case '?':
exit(1);
break;
diff --git a/src/imaevm.h b/src/imaevm.h
index 78e7ed5e89d..18d7b0e447e 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -221,6 +221,7 @@ struct libimaevm_params {
const char *keypass;
uint32_t keyid; /* keyid overriding value, unless 0. (Host order.) */
ENGINE *eng;
+ const char *hmackeyfile;
};
struct RSA_ASN1_template {
