* [PATCH ima-evm-utils 1/2] Update README
@ 2023-03-06 11:36 Mimi Zohar
  2023-03-06 11:36 ` [PATCH ima-evm-utils 2/2] tests: fix gen-keys.sh to generate sha256 certificates Mimi Zohar
  0 siblings, 1 reply; 3+ messages in thread
From: Mimi Zohar @ 2023-03-06 11:36 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Vitaly Chikunov, Petr Vorel, Roberto Sassu

Update the README to reflect the changes to "evmctl --help".

Update the "--pass" option format in both the README and evmctl usage
to reflect passing an optional password on the command line (not
recommended).  When providing the password, the format is:
 "[--pass[=<password>]]".

Also fix some typos.

Still include references to both the deprecated "--rsa" and "--engine"
options.

Related configure options:
--enable-sigv1          Build ima-evm-utils with signature v1 support
--disable-engine        build ima-evm-utils without OpenSSL engine support

Reported-by: Vitaly Chikunov <vt@altlinux.org> # typos, "--pass" format
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 README       | 37 +++++++++++++++++++++++++------------
 src/evmctl.c |  9 +++++----
 2 files changed, 30 insertions(+), 16 deletions(-)

diff --git a/README b/README
index ffe46ad75728..75e4fd2e8948 100644
--- a/README
+++ b/README
@@ -25,29 +25,34 @@ COMMANDS
 
  --version
  help <command>
- import [--rsa] pubkey keyring
- sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
+ import  [--rsa (deprecated)] pubkey keyring
+ sign [-r] [--imahash | --imasig ] [--key key] [--pass[=<password>] file
  verify file
- ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
- ima_sign [--sigfile] [--key key] [--pass password] file
+ ima_sign [--sigfile] [--key key] [--pass[=<password>]] file
  ima_verify file
+ ima_setxattr [--sigfile file]
  ima_hash file
- ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
+ ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]
+   [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...]
+   [--verify-bank hash-algorithm] file
+ ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
+   [--hwtpm]
  ima_fix [-t fdsxm] path
- sign_hash [--veritysig] [--key key] [--pass password]
+ ima_clear [-t fdsxm] path
+ sign_hash [--veritysig] [--key key] [--pass=<password>]
  hmac [--imahash | --imasig ] file
 
 
 OPTIONS
 -------
 
-  -a, --hashalgo     sha1, sha224, sha256, sha384, sha512
+  -a, --hashalgo     sha1, sha224, sha256, sha384, sha512, streebog256, streebog512 (default: sha256)
   -s, --imasig       make IMA signature
       --veritysig    sign an fs-verity file digest hash
   -d, --imahash      make IMA hash
   -f, --sigfile      store IMA signature in .sig file instead of xattr
       --xattr-user   store xattrs in user namespace (for testing purposes)
-      --rsa          use RSA key type and signing scheme v1
+      --rsa          use RSA key type and signing scheme v1 (deprecated)
   -k, --key          path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
                      or a pkcs11 URI
       --keyid n      overwrite signature keyid with a 32-bit value in hex (for signing)
@@ -64,7 +69,15 @@ OPTIONS
       --smack        use extra SMACK xattrs for EVM
       --m32          force EVM hmac/signature for 32 bit target system
       --m64          force EVM hmac/signature for 64 bit target system
-      --engine e     preload OpenSSL engine e (such as: gost)
+      --engine e     preload OpenSSL engine e (such as: gost) is deprecated
+      --ino          use custom inode for EVM
+      --uid          use custom UID for EVM
+      --gid          use custom GID for EVM
+      --mode         use custom Mode for EVM
+      --generation   use custom Generation for EVM(unspecified: from FS, empty: use 0)
+      --ima          use custom IMA signature for EVM
+      --selinux      use custom Selinux label for EVM
+      --caps         use custom Capabilities for EVM(unspecified: from FS, empty: do not use)
       --pcrs         file containing TPM pcrs, one per hash-algorithm/bank
       --ignore-violations ignore ToMToU measurement violations
       --verify-sig   verify the file signature based on the file hash, both
@@ -206,7 +219,7 @@ asymmetric keys support:
 
 Configuration file x509_evm.genkey:
 
-	# Begining of the file
+	# Beginning of the file
 	[ req ]
 	default_bits = 1024
 	distinguished_name = req_distinguished_name
@@ -257,7 +270,7 @@ following steps:
 
 Configuration file ima-local-ca.genkey:
 
-	# Begining of the file
+	# Beginning of the file
 	[ req ]
 	default_bits = 2048
 	distinguished_name = req_distinguished_name
@@ -288,7 +301,7 @@ Produce X509 in DER format for using while building the kernel:
 
 Configuration file ima.genkey:
 
-	# Begining of the file
+	# Beginning of the file
 	[ req ]
 	default_bits = 1024
 	distinguished_name = req_distinguished_name
diff --git a/src/evmctl.c b/src/evmctl.c
index 95281df08051..6d2bb67427da 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -2820,6 +2820,7 @@ static void usage(void)
 		"\n"
 		"  -a, --hashalgo     sha1, sha224, sha256, sha384, sha512, streebog256, streebog512 (default: %s)\n"
 		"  -s, --imasig       make IMA signature\n"
+		"      --veritysig    sign an fs-verity file digest hash\n"
 		"  -d, --imahash      make IMA hash\n"
 		"  -f, --sigfile      store IMA signature in .sig file instead of xattr\n"
 		"      --xattr-user   store xattrs in user namespace (for testing purposes)\n"
@@ -2867,14 +2868,14 @@ struct command cmds[] = {
 	{"--version", NULL, 0, ""},
 	{"help", cmd_help, 0, "<command>"},
 #if CONFIG_SIGV1
-	{"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring. ([--rsa] deprecated)\n"},
+	{"import", cmd_import, 0, "[--rsa (deprecated)] pubkey keyring", "Import public key into the keyring.\n"},
 	{"convert", cmd_convert, 0, "key", "convert public key into the keyring. (deprecated)\n"},
 #else
 	{"import", cmd_import, 0, "pubkey keyring", "Import public key into the keyring.\n"},
 #endif
-	{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass [password] file", "Sign file metadata.\n"},
+	{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass[=<password>]] file", "Sign file metadata.\n"},
 	{"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
-	{"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass [password] file", "Make file content signature.\n"},
+	{"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass[=<password>]] file", "Make file content signature.\n"},
 	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
 	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
 	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
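Review bot: The new cmds[] usage strings here and in the sign_hash hunk below use `[--pass[=<password>]]`, but the README changed in the same patch does not match them: its `sign` line reads `[--pass[=<password>] file` with the closing bracket missing, and its `sign_hash` line reads `[--pass=<password>]`, which makes the password look mandatory. Suggest aligning the README to these strings, `sign [-r] [--imahash | --imasig ] [--key key] [--pass[=<password>]] file` and `sign_hash [--veritysig] [--key key] [--pass[=<password>]]`. The commit message says a password on the command line is not recommended; since neither the usage text nor the README states that, a one-line note next to the `--pass` option in both (if the OPTIONS table carries one) would make the caveat visible to the user, e.g. `--pass[=<password>]  key password (passing it on the command line is not recommended)`. The cmds[] array starts before this hunk and continues past the next one.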
@@ -2882,7 +2883,7 @@ struct command cmds[] = {
 	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log] [--hwtpm]", "Calculate per TPM bank boot_aggregate digests\n"},
 	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
-	{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass password]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
+	{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
 #ifdef DEBUG
 	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
 #endif
-- 
2.31.1



* [PATCH ima-evm-utils 2/2] tests: fix gen-keys.sh to generate sha256 certificates
  2023-03-06 11:36 [PATCH ima-evm-utils 1/2] Update README Mimi Zohar
@ 2023-03-06 11:36 ` Mimi Zohar
  2023-03-06 12:35   ` R Nageswara Sastry
  0 siblings, 1 reply; 3+ messages in thread
From: Mimi Zohar @ 2023-03-06 11:36 UTC (permalink / raw)
  To: linux-integrity; +Cc: Mimi Zohar, Vitaly Chikunov, Petr Vorel, Roberto Sassu

On systems with OpenSSL sha1 disabled, the sign-verify.test fails:

- openssl dgst   -sha1 sha1.txt
- openssl dgst   -sha1 -sign test-rsa1024.key -hex sha1.txt
Error setting context
804BD5CF787F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:343:
sha1 (test-rsa1024.key) test is skipped (openssl is unable to sign)

Instead of enabling sha1 support on these systems by setting the environment
variable OPENSSL_ENABLE_SHA1_SIGNATURES, generate a sha256 certificate.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 tests/gen-keys.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
index 1a6c22a2f3c4..8905cdf2d216 100755
--- a/tests/gen-keys.sh
+++ b/tests/gen-keys.sh
@@ -71,7 +71,7 @@ for m in 1024 1024_skid 2048; do
     ext=
   fi
   if [ ! -e test-rsa$m.key ]; then
-    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 $ext \
+    log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 $ext \
       -config test-ca.conf \
       -newkey rsa:$bits \
       -out test-rsa$m.cer -outform DER \
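Review bot: Changing the certificate digest to sha256 on the `openssl req` line addresses only one of the parameters a hardened OpenSSL build rejects; the enclosing loop header `for m in 1024 1024_skid 2048` (visible in the hunk context, body outside the hunk) still generates 1024-bit RSA keys, which OpenSSL at security level 2 or higher refuses for signing much as it refuses sha1, so the test may still be skipped on such systems. Consider a short comment above the changed line, `# sha256: sha1 signatures are disabled on hardened OpenSSL builds; 1024-bit keys may be rejected there too`, so the next person hitting a skip knows where to look. The EC hunk below has the same shape, where `prime192v1` is likewise below the security-level-2 threshold.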
@@ -93,7 +93,7 @@ for curve in prime192v1 prime256v1; do
     continue
   fi
   if [ ! -e test-$curve.key ]; then
-    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
+    log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 \
       -config test-ca.conf \
       -newkey ec \
       -pkeyopt ec_paramgen_curve:$curve \
-- 
2.31.1



* Re: [PATCH ima-evm-utils 2/2] tests: fix gen-keys.sh to generate sha256 certificates
  2023-03-06 11:36 ` [PATCH ima-evm-utils 2/2] tests: fix gen-keys.sh to generate sha256 certificates Mimi Zohar
@ 2023-03-06 12:35   ` R Nageswara Sastry
  0 siblings, 0 replies; 3+ messages in thread
From: R Nageswara Sastry @ 2023-03-06 12:35 UTC (permalink / raw)
  To: Mimi Zohar, linux-integrity; +Cc: Vitaly Chikunov, Petr Vorel, Roberto Sassu



On 06/03/23 5:06 pm, Mimi Zohar wrote:
> On systems with OpenSSL sha1 disabled, the sign-verify.test fails:
> 
> - openssl dgst   -sha1 sha1.txt
> - openssl dgst   -sha1 -sign test-rsa1024.key -hex sha1.txt
> Error setting context
> 804BD5CF787F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:343:
> sha1 (test-rsa1024.key) test is skipped (openssl is unable to sign)
> 
> Instead of enabling sha1 support on these systems by setting the environment
> variable OPENSSL_ENABLE_SHA1_SIGNATURES, generate a sha256 certificate.
> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Tested-by: Nageswara R Sastry <rnsastry@linux.ibm.com>

...
PASS: ima_hash.test
PASS: sign_verify.test
PASS: boot_aggregate.test
SKIP: fsverity.test
SKIP: portable_signatures.test
PASS: ima_policy_check.test
SKIP: mmap_check.test
...



> ---
>   tests/gen-keys.sh | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
> index 1a6c22a2f3c4..8905cdf2d216 100755
> --- a/tests/gen-keys.sh
> +++ b/tests/gen-keys.sh
> @@ -71,7 +71,7 @@ for m in 1024 1024_skid 2048; do
>       ext=
>     fi
>     if [ ! -e test-rsa$m.key ]; then
> -    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 $ext \
> +    log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 $ext \
>         -config test-ca.conf \
>         -newkey rsa:$bits \
>         -out test-rsa$m.cer -outform DER \
> @@ -93,7 +93,7 @@ for curve in prime192v1 prime256v1; do
>       continue
>     fi
>     if [ ! -e test-$curve.key ]; then
> -    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
> +    log openssl req -verbose -new -nodes -utf8 -sha256 -days 10000 -batch -x509 \
>         -config test-ca.conf \
>         -newkey ec \
>         -pkeyopt ec_paramgen_curve:$curve \

-- 
Thanks and Regards
R.Nageswara Sastry

