From: Petr Vorel <pvorel@suse.cz>
To: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
Vitaly Chikunov <vt@altlinux.org>,
Stefan Berger <stefanb@linux.ibm.com>,
linux-integrity@vger.kernel.org,
Jia Zhang <zhang.jia@linux.alibaba.com>,
"YiLin . Li" <YiLin.Li@linux.alibaba.com>
Subject: Re: [PATCH ima-evm-utils v6] ima-evm-utils: Support SM2/3 algorithm for sign and verify
Date: Tue, 20 Jul 2021 15:41:48 +0200
Message-ID: <YPbSnDejnYcqY2Ib@pevik>
In-Reply-To: <20210720075153.17158-1-tianjia.zhang@linux.alibaba.com>
Hi Tianjia,
A few notes below, feel free to completely ignore them.
...
> diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
> index 088c041..b890481 100644
> --- a/.github/workflows/ci.yml
> +++ b/.github/workflows/ci.yml
> @@ -17,6 +17,7 @@ jobs:
> ARCH: i386
> TSS: tpm2-tss
> VARIANT: i386
> + COMPILE_SSL: openssl-3
I'd either put the value openssl-3.0.0-beta1 here and pass it to
./tests/install-openssl3.sh, or set the value to true. Because why define the version in
the yaml and also in the script? (Sooner or later these two will not match.)
> # cross compilation builds
> - container: "debian:stable"
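Review bot: COMPILE_SSL's value is never read beyond an emptiness test (the install step only does `if [ "$COMPILE_SSL" ]`), so `openssl-3` here is documentation rather than configuration; either make it a plain boolean or have tests/install-openssl3.sh consume it as the version to build. Separately, this job has `VARIANT: i386` while install-openssl3.sh runs `./Configure` with no target, so please confirm that the resulting /opt/openssl3 actually matches the i386 build rather than the container's default toolchain.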
> @@ -51,6 +52,7 @@ jobs:
> env:
> CC: clang
> TSS: ibmtss
> + COMPILE_SSL: openssl-3
> - container: "opensuse/leap"
> env:
> @@ -61,6 +63,7 @@ jobs:
> env:
> CC: gcc
> TSS: ibmtss
> + COMPILE_SSL: openssl-3
> - container: "ubuntu:xenial"
> env:
> @@ -115,6 +118,7 @@ jobs:
> INSTALL="${INSTALL%%/*}"
> if [ "$VARIANT" ]; then ARCH="$ARCH" ./ci/$INSTALL.$VARIANT.sh; fi
> ARCH="$ARCH" CC="$CC" TSS="$TSS" ./ci/$INSTALL.sh
> + if [ "$COMPILE_SSL" ]; then ./tests/install-openssl3.sh; fi
> - name: Build swtpm
> run: |
> @@ -128,5 +132,8 @@ jobs:
> - name: Compiler version
> run: $CC --version
> + - name: Default OpenSSL version
> + run: openssl version
You should run this only on the native build:
run: [ "$VARIANT" != "cross-compile" ] && openssl version
Also, aren't we interested in the version which is actually being used for
compilation?
Also, we don't print this info for Travis CI.
> +
> - name: Compile
> run: CC="$CC" VARIANT="$VARIANT" ./build.sh
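Review bot: `openssl version` in the new "Default OpenSSL version" step reports the distro binary, but the jobs that set COMPILE_SSL build and test against /opt/openssl3, so the log will not show which OpenSSL the SM2 tests actually ran with. Suggest printing both, and guarding with `if` rather than `&&` so a false condition does not make the step exit non-zero: `run: |`, `openssl version`, `if [ "$COMPILE_SSL" ]; then /opt/openssl3/bin/openssl version; fi`.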
> diff --git a/.travis.yml b/.travis.yml
> index 7a76273..a73f20e 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -9,7 +9,7 @@ matrix:
> include:
> # 32 bit build
> - os: linux
> - env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss
> + env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss COMPILE_SSL: openssl-3
> compiler: gcc
> # cross compilation builds
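Review bot: `COMPILE_SSL: openssl-3` on the `env:` line uses a colon, but Travis parses that string as space-separated `KEY=VALUE` pairs (compare `DISTRO=debian:stable VARIANT=i386` on the same line), so COMPILE_SSL would never be set and install-openssl3.sh would silently be skipped in this job; it should read `COMPILE_SSL=openssl-3`. The same typo is in the next two .travis.yml hunks.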
> @@ -32,7 +32,7 @@ matrix:
> # glibc (gcc/clang)
> - os: linux
> - env: DISTRO=opensuse/tumbleweed TSS=ibmtss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/runc --network=host"
> + env: DISTRO=opensuse/tumbleweed TSS=ibmtss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/runc --network=host" COMPILE_SSL: openssl-3
> compiler: clang
> - os: linux
> @@ -40,7 +40,7 @@ matrix:
> compiler: gcc
> - os: linux
> - env: DISTRO=ubuntu:groovy TSS=ibmtss
> + env: DISTRO=ubuntu:groovy TSS=ibmtss COMPILE_SSL: openssl-3
> compiler: gcc
> - os: linux
> @@ -97,4 +97,4 @@ before_install:
> script:
> - INSTALL="${DISTRO%%:*}"
> - INSTALL="${INSTALL%%/*}"
> - - $CONTAINER run $CONTAINER_ARGS -t ima-evm-utils /bin/sh -c "if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./ci/$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./ci/$INSTALL.sh && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || if which tssstartup; then ./tests/install-swtpm.sh; fi; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ./build.sh"
> + - $CONTAINER run $CONTAINER_ARGS -t ima-evm-utils /bin/sh -c "if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./ci/$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./ci/$INSTALL.sh && if [ "$COMPILE_SSL" ]; then ./tests/install-openssl3.sh; fi && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || if which tssstartup; then ./tests/install-swtpm.sh; fi; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ./build.sh"
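Review bot: in the added `if [ "$COMPILE_SSL" ]; then ...` the double quotes are not escaped, unlike every other test inside this `/bin/sh -c "..."` string (`\"$VARIANT\"`, `\"$ARCH\"`), so they close and reopen the outer string on the Travis side and the inner shell sees an unquoted `[ openssl-3 ]`, or `[ ]` when the variable is unset. It happens to work for these values, but for consistency with the surrounding tests it should be `if [ \"$COMPILE_SSL\" ]; then ./tests/install-openssl3.sh; fi`.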
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index 19f1041..8e96157 100644
...
> --- a/tests/gen-keys.sh
> +++ b/tests/gen-keys.sh
> @@ -131,6 +131,31 @@ for m in \
> fi
> done
> +# SM2, If openssl 3.0 is installed, gen SM2 keys using
> +if [ -x /opt/openssl3/bin/openssl ]; then
> + (PATH=/opt/openssl3/bin:$PATH LD_LIBRARY_PATH=/opt/openssl3/lib
> + for curve in sm2; do
I'd just export PATH and LD_LIBRARY_PATH rather than wrap them in ().
> + if [ "$1" = clean ] || [ "$1" = force ]; then
> + rm -f test-$curve.cer test-$curve.key test-$curve.pub
> + fi
> + if [ "$1" = clean ]; then
> + continue
> + fi
> + if [ ! -e test-$curve.key ]; then
> + log openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 \
> + -sm3 -sigopt "distid:1234567812345678" \
> + -config test-ca.conf \
> + -copy_extensions copyall \
> + -newkey $curve \
> + -out test-$curve.cer -outform DER \
> + -keyout test-$curve.key
> + if [ -s test-$curve.key ]; then
> + log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
> + fi
> + fi
> + done)
> +fi
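Review bot: `LD_LIBRARY_PATH=/opt/openssl3/lib` assumes the libraries land in `lib`, but with `./Configure` given no `--libdir` the default on x86_64 Linux is `lib64`, in which case the /opt/openssl3/bin/openssl invoked here would pick up the distro's libcrypto (or fail to start) and the SM2 keys would be generated by the wrong build without any error. Pass `--libdir=lib` to `./Configure` in install-openssl3.sh, or include `/opt/openssl3/lib64` in the path here. The comment `# SM2, If openssl 3.0 is installed, gen SM2 keys using` is also cut short; something like `# Generate SM2 keys when the OpenSSL 3.0 build from tests/install-openssl3.sh is present` reads better.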
...
> --- /dev/null
> +++ b/tests/install-openssl3.sh
> @@ -0,0 +1,17 @@
> +#!/bin/sh
> +
> +set -ex
> +
> +# 3.0.0-beta1 is the latest version in July 2021
I'd define a variable and use it.
version="openssl-3.0.0-beta1"
Kind regards,
Petr
> +wget --no-check-certificate https://github.com/openssl/openssl/archive/refs/tags/openssl-3.0.0-beta1.tar.gz
> +tar --no-same-owner -xzf openssl-3.0.0-beta1.tar.gz
> +cd openssl-openssl-3.0.0-beta1
> +
> +./Configure --prefix=/opt/openssl3 --openssldir=/opt/openssl3/ssl
> +make -j$(nproc)
> +# only install apps and library
> +sudo make install_sw
> +
> +cd ..
> +rm -rf openssl-3.0.0-beta1.tar.gz
> +rm -rf openssl-openssl-3.0.0-beta1
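Review bot: `wget --no-check-certificate` disables TLS verification for the download, and nothing checks what was fetched before `sudo make install_sw` installs it as root, so a bad mirror or on-path error goes straight into the toolchain the signing tests rely on. Drop `--no-check-certificate` (github.com serves a valid certificate) and verify the tarball against a pinned digest before extracting, e.g. `echo "<sha256-placeholder>  openssl-3.0.0-beta1.tar.gz" | sha256sum -c`. With the version string repeated in the URL, the tar, cd and both rm lines, the single variable Petr suggests also keeps them from drifting apart.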
...