Re: [PATCH v3 ima-evm-utils 3/4] Add --hmackey option for evmctl


 





On 6/16/23 15:23, Roberto Sassu wrote:
From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

"evmctl --hmac" was only enabled in debug mode, since the hmac key was not
exposed to userspace. It was never really used. With the ability to create
an encrypted key from user-provided decrypted data, verifying
the EVM HMAC is now feasible.

Make "evmctl --hmac" more configurable by adding the --hmackey option, to
specify an alternate path for the file containing the HMAC key. By default
evmctl looks in /etc/keys/evm-key-plain.

Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
---
  README       |  3 ++-
  src/evmctl.c | 12 ++++++++++--
  src/imaevm.h |  1 +
  3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/README b/README
index 40a61f94315..7239dda257e 100644
--- a/README
+++ b/README
@@ -40,7 +40,7 @@ COMMANDS
   ima_fix [-t fdsxm] path
   ima_clear [-t fdsxm] path
   sign_hash [--veritysig] [--key key] [--pass=<password>]
- hmac [--imahash | --imasig ] file
+ hmac [--imahash | --imasig] [--hmackey key] file
OPTIONS
@@ -82,6 +82,7 @@ OPTIONS
        --ignore-violations ignore ToMToU measurement violations
        --verify-sig   verify the file signature based on the file hash, both
                       stored in the template data.
+      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)
    -v                 increase verbosity level
    -h, --help         display this help and exit
diff --git a/src/evmctl.c b/src/evmctl.c
index 7a3ffd7c823..8caf9bd83fb 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1417,7 +1417,8 @@ static int cmd_hmac_evm(struct command *cmd)
  			return err;
  	}
- return hmac_evm(file, "/etc/keys/evm-key-plain");
+	return hmac_evm(file, imaevm_params.hmackeyfile ? :
+			"/etc/keys/evm-key-plain");
  }
static int ima_fix(const char *path)
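Review bot: The default path "/etc/keys/evm-key-plain" is now written out as a literal on the new return line and again in the usage string and the command-table synopsis in the hunks below (plus README), so a later change to the default can drift between copies; a single `#define DEFAULT_HMAC_KEYFILE "/etc/keys/evm-key-plain"` near the top of evmctl.c, used in both the fallback and the usage text, keeps them in step. The `? :` with an empty middle operand is the GCC/Clang "Elvis" extension rather than standard C; `return hmac_evm(file, imaevm_params.hmackeyfile ? imaevm_params.hmackeyfile : DEFAULT_HMAC_KEYFILE);` is equivalent and portable. cmd_hmac_evm's body begins before this hunk.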
@@ -2873,6 +2874,9 @@ static void usage(void)
  		"      --engine e     preload OpenSSL engine e (such as: gost) is deprecated\n"
  #endif
  		"      --ignore-violations ignore ToMToU measurement violations\n"
+#ifdef DEBUG
+		"      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)\n"
+#endif
  		"  -v                 increase verbosity level\n"
  		"  -h, --help         display this help and exit\n"
  		"\n"
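Review bot: The new help line is wrapped in `#ifdef DEBUG`, but the `{"hmackey", 1, 0, 148},` entry in opts[] and the `case 148:` handler in main() in the two hunks further down are unconditional, so a non-DEBUG build accepts --hmackey and stores the path in imaevm_params.hmackeyfile while --help does not list it; as far as this patch shows, the only consumer is the DEBUG-only hmac command, so the value would then be silently ignored. Either put the opts[] entry and the case under the same `#ifdef DEBUG`, or drop the guard on this help line so the printed usage matches the accepted options. The usage() body continues outside the hunk.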
@@ -2902,7 +2906,7 @@ struct command cmds[] = {
  	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
  	{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
  #ifdef DEBUG
-	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
+	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig] [--hmackey key] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
  #endif
  	{0, 0, 0, NULL}
  };
@@ -2944,6 +2948,7 @@ static struct option opts[] = {
  	{"keyid-from-cert", 1, 0, 145},
  	{"veritysig", 0, 0, 146},
  	{"hwtpm", 0, 0, 147},
+	{"hmackey", 1, 0, 148},
  	{}
};
@@ -3189,6 +3194,9 @@ int main(int argc, char *argv[])
  		case 147:
  			hwtpm = 1;
  			break;
+		case 148:
+			imaevm_params.hmackeyfile = optarg;
+			break;
  		case '?':
  			exit(1);
  			break;
diff --git a/src/imaevm.h b/src/imaevm.h
index 78e7ed5e89d..18d7b0e447e 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -221,6 +221,7 @@ struct libimaevm_params {
  	const char *keypass;
  	uint32_t keyid;		/* keyid overriding value, unless 0. (Host order.) */
  	ENGINE *eng;
+	const char *hmackeyfile;
  };
struct RSA_ASN1_template {
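Review bot: The added `hmackeyfile` member is the only field in the visible part of struct libimaevm_params without a comment, whereas `keyid` spells out its override semantics; something like `const char *hmackeyfile;	/* path to plain HMAC key file; NULL selects the default. */` would tell library users what NULL means, which is the case the evmctl fallback relies on. Because this struct is in the public libimaevm header, appending a member also changes its size, which may matter for programs built against an older shared library — presumably worth a sentence in the commit message if the library ABI is versioned. The struct's opening line lies outside the hunk.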

Reviewed-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>



