Re: [PATCH v3 ima-evm-utils 3/4] Add --hmackey option for evmctl

[Stefan Berger <stefanb@linux.ibm.com>]

On 6/16/23 15:23, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> "evmctl --hmac" was only enabled in debug mode, since the hmac key was not
> exposed to userspace. It was never really used. With the ability of
> creating an encrypted key based on user-provided decrypted data, verifying
> the EVM hmac is now feasible.
> 
> Make "evmctl --hmac" more configurable by adding the --hmackey option, to
> specify an alternate path for the file containing the HMAC key. By default
> evmctl looks in /etc/keys/evm-key-plain.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
>   README       |  3 ++-
>   src/evmctl.c | 12 ++++++++++--
>   src/imaevm.h |  1 +
>   3 files changed, 13 insertions(+), 3 deletions(-)
> 
> diff --git a/README b/README
> index 40a61f94315..7239dda257e 100644
> --- a/README
> +++ b/README
> @@ -40,7 +40,7 @@ COMMANDS
>    ima_fix [-t fdsxm] path
>    ima_clear [-t fdsxm] path
>    sign_hash [--veritysig] [--key key] [--pass=<password>]
> - hmac [--imahash | --imasig ] file
> + hmac [--imahash | --imasig] [--hmackey key] file
>   
>   
>   OPTIONS
> @@ -82,6 +82,7 @@ OPTIONS
>         --ignore-violations ignore ToMToU measurement violations
>         --verify-sig   verify the file signature based on the file hash, both
>                        stored in the template data.
> +      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)
>     -v                 increase verbosity level
>     -h, --help         display this help and exit
>   
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 7a3ffd7c823..8caf9bd83fb 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1417,7 +1417,8 @@ static int cmd_hmac_evm(struct command *cmd)
>   			return err;
>   	}
>   
> -	return hmac_evm(file, "/etc/keys/evm-key-plain");
> +	return hmac_evm(file, imaevm_params.hmackeyfile ? :
> +			"/etc/keys/evm-key-plain");
>   }
>   
>   static int ima_fix(const char *path)
> @@ -2873,6 +2874,9 @@ static void usage(void)
>   		"      --engine e     preload OpenSSL engine e (such as: gost) is deprecated\n"
>   #endif
>   		"      --ignore-violations ignore ToMToU measurement violations\n"
> +#ifdef DEBUG
> +		"      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)\n"
> +#endif
>   		"  -v                 increase verbosity level\n"
>   		"  -h, --help         display this help and exit\n"
>   		"\n"
> @@ -2902,7 +2906,7 @@ struct command cmds[] = {
>   	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
>   	{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
>   #ifdef DEBUG
> -	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
> +	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig] [--hmackey key] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
>   #endif
>   	{0, 0, 0, NULL}
>   };
> @@ -2944,6 +2948,7 @@ static struct option opts[] = {
>   	{"keyid-from-cert", 1, 0, 145},
>   	{"veritysig", 0, 0, 146},
>   	{"hwtpm", 0, 0, 147},
> +	{"hmackey", 1, 0, 148},
>   	{}
>   
>   };
> @@ -3189,6 +3194,9 @@ int main(int argc, char *argv[])
>   		case 147:
>   			hwtpm = 1;
>   			break;
> +		case 148:
> +			imaevm_params.hmackeyfile = optarg;
> +			break;
>   		case '?':
>   			exit(1);
>   			break;
> diff --git a/src/imaevm.h b/src/imaevm.h
> index 78e7ed5e89d..18d7b0e447e 100644
> --- a/src/imaevm.h
> +++ b/src/imaevm.h
> @@ -221,6 +221,7 @@ struct libimaevm_params {
>   	const char *keypass;
>   	uint32_t keyid;		/* keyid overriding value, unless 0. (Host order.) */
>   	ENGINE *eng;
> +	const char *hmackeyfile;
>   };
>   
>   struct RSA_ASN1_template {

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>