From: Mimi Zohar <zohar@linux.ibm.com>
To: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>,
linux-integrity@vger.kernel.org
Cc: Vitaly Chikunov <vt@altlinux.org>
Subject: Re: [PATCH] ima-evm-utils: Fix compatibility with LibreSSL
Date: Wed, 20 May 2020 12:30:12 -0400 [thread overview]
Message-ID: <1589992212.5111.293.camel@linux.ibm.com> (raw)
In-Reply-To: <85a96cad-dc04-a617-abfa-fb9427412e52@rosalinux.ru>
Hi Mikhail,
On Wed, 2019-12-04 at 01:41 +0300, Mikhail Novosyolov wrote:
> From 4ae52f3cfb459c59e2e48f0d30c20c3763c8a0e7 Mon Sep 17 00:00:00 2001
> From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
> Date: Wed, 4 Dec 2019 01:07:50 +0300
> Subject: [PATCH] ima-evm-utils: Fix compatibility with LibreSSL
>
> LibreSSL in most cases can be used as a drop-in replacement of OpenSSL.
> Commit 07d799cb6c37 "ima-evm-utils: Preload OpenSSL engine via '--engine' option"
> added OpenSSL-specific functions: "engines" were removed from LibreSSL long ago.
> Instead of requiring to attach GOST support via an external library ("engine"),
> LibreSSL has build-in implementation of GOST.
>
> Commit ebbfc41ad6ba "ima-evm-utils: try to load digest by its alias" is also not OK
> for LibreSSL because LibreSSL uses different digest names:
> md_gost12_256 -> streebog256
> md_gost12_512 -> streebog512
>
> Example how it works when linked with LibreSSL:
> $ libressl dgst -streebog256 testfile
> streebog256(a)= 04123f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
> $ evmctl -v ima_hash -a streebog256 testfile
> hash(streebog256): 04123f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
> $ evmctl -v ima_hash -a md_gost12_256 testfile
> EVP_get_digestbyname(md_gost12_256) failed
>
> TODO: it would be nice to map
> md_gost12_256 <-> streebog256
> md_gost12_512 <-> streebog512
> in evmctl CLI arguements to make the same commands work on systems both
> where evmctl is linked with LibreSSL and with OpenSSL.
>
> Fixes: 07d799cb6c37 ("ima-evm-utils: Preload OpenSSL engine via '--engine' option")
> Fixes: ebbfc41ad6ba ("ima-evm-utils: try to load digest by its alias")
> Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
Since you posted this patch, I've added support for calculating the
boot_aggregate. Could you verify that this patch still works?
As I mentioned in response to Patrick Uiterwijk's support for Intel's
TSS2, "testing ima-evm-utils support for multiple crypto and TSS
packages requires building a matrix. As I'm new to travis, the travis
code is in the next-testing-travis branch, but will not be upstreamed
at this point."
From .travis.yml:
matrix:
include:
- env: TSS=ibmtss SSL=openssl
- env: TSS=ibmtss SSL=libressl;
- env: TSS=tpm2-tss SSL=openssl
I might have set up libressl incorrectly. (Refer to tests/install-
libressl.sh). Here's the report:
libtool: link: ranlib .libs/libimaevm.a
libtool: link: ( cd ".libs" && rm -f "libimaevm.la" && ln -s "../libimaevm.la" "libimaevm.la" )
/bin/bash ../libtool --tag=CC --mode=link gcc -g -O2 -g -O1 -Wall -Wstrict-prototypes -pipe -o evmctl evmctl-evmctl.o evmctl-utils.o evmctl-pcr_tsspcrread.o -lcrypto -lkeyutils libimaevm.la
libtool: link: gcc -g -O2 -g -O1 -Wall -Wstrict-prototypes -pipe -o .libs/evmctl evmctl-evmctl.o evmctl-utils.o evmctl-pcr_tsspcrread.o -lcrypto -lkeyutils ./.libs/libimaevm.so
evmctl-evmctl.o: In function `main':
/home/travis/build/linux-integrity/ima-evm-utils/src/evmctl.c:2353: undefined reference to `ERR_free_strings'
/home/travis/build/linux-integrity/ima-evm-utils/src/evmctl.c:2354: undefined reference to `EVP_cleanup'
./.libs/libimaevm.so: undefined reference to `ERR_load_crypto_strings'
collect2: error: ld returned 1 exit status
Makefile:500: recipe for target 'evmctl' failed
make[3]: Leaving directory '/home/travis/build/linux-integrity/ima-evm-utils/src'
Makefile:378: recipe for target 'all' failed
make[2]: Leaving directory '/home/travis/build/linux-integrity/ima-evm-utils/src'
make[3]: *** [evmctl] Error 1
make[2]: *** [all] Error 2
Makefile:515: recipe for target 'all-recursive' failed
make[1]: Leaving directory '/home/travis/build/linux-integrity/ima-evm-utils'
make[1]: *** [all-recursive] Error 1
Makefile:381: recipe for target 'all' failed
make: *** [all] Error 2
The command "autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check;" exited with 2.
thank,
Mimi
next prev parent reply other threads:[~2020-05-20 16:31 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-03 22:41 [PATCH] ima-evm-utils: Fix compatibility with LibreSSL Mikhail Novosyolov
2020-03-24 21:05 ` Mimi Zohar
2020-03-24 22:17 ` Mikhail Novosyolov
2020-03-25 0:48 ` Mimi Zohar
2020-03-25 22:44 ` Mimi Zohar
2020-05-20 16:30 ` Mimi Zohar [this message]
-- strict thread matches above, loose matches on Subject: below --
2020-02-16 11:10 Mikhail Novosyolov
2020-02-25 12:11 ` Mimi Zohar
2020-02-25 13:44 ` Mimi Zohar
2020-02-26 9:51 ` Mikhail Novosyolov
2020-02-27 4:28 ` Mimi Zohar
2020-02-27 15:38 ` Vitaly Chikunov
2020-02-27 20:36 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1589992212.5111.293.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=m.novosyolov@rosalinux.ru \
--cc=vt@altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.