From: Petr Vorel <pvorel@suse.cz>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org,
Vitaly Chikunov <vt@altlinux.org>,
Stefan Berger <stefanb@linux.ibm.com>
Subject: Re: [RFC PATCH ima-evm-utils 04/11] Deprecate IMA signature version 1
Date: Tue, 30 Aug 2022 13:55:24 +0200 [thread overview]
Message-ID: <Yw36rCs7MhTAWFEr@pevik> (raw)
In-Reply-To: <20220830005936.189922-5-zohar@linux.ibm.com>
> The original IMA file signatures were based on a SHA1 hash. Kernel
> support for other hash algorithms was subsequently upstreamed. Deprecate
> "--rsa" support.
> Define "--enable-sigv1" option to configure signature v1 support.
LGTM, few minor comments below.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Kind regards,
Petr
...
> +++ b/configure.ac
...
> static int cmd_convert(struct command *cmd)
> {
> +#if CONFIG_SIGV1
> char *inkey;
> unsigned char _pub[1024], *pub = _pub;
> int len, err = 0;
> @@ -1033,6 +1033,8 @@ static int cmd_convert(struct command *cmd)
> RSA_free(key);
> return err;
> +#endif
> + return 77;
What is this this magic number? EBADFD?
Well, git grep shows many places with 77, so it's just a tip for next cleanup :).
...
> log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id);
> @@ -2598,7 +2605,8 @@ static void usage(void)
> " -d, --imahash make IMA hash\n"
> " -f, --sigfile store IMA signature in .sig file instead of xattr\n"
> " --xattr-user store xattrs in user namespace (for testing purposes)\n"
> - " --rsa use RSA key type and signing scheme v1\n"
> +
nit: was this blank line intentional?
> + " --rsa use RSA key type and signing scheme v1 (deprecated)\n"
> " -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)\n"
> " or a pkcs11 URI\n"
> " --keyid n overwrite signature keyid with a 32-bit value in hex (for signing)\n"
> @@ -2637,8 +2645,8 @@ static void usage(void)
> struct command cmds[] = {
> {"--version", NULL, 0, ""},
> {"help", cmd_help, 0, "<command>"},
> - {"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring.\n"},
> - {"convert", cmd_convert, 0, "key", "convert public key into the keyring.\n"},
> + {"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring. (deprecated)\n"},
> + {"convert", cmd_convert, 0, "key", "convert public key into the keyring. (deprecated)\n"},
> {"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass [password] file", "Sign file metadata.\n"},
> {"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
> {"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass [password] file", "Make file content signature.\n"},
...
> +++ b/src/libimaevm.c
...
> +#if CONFIG_SIGV1
> static RSA *read_priv_key(const char *keyfile, const char *keypass)
> {
> + RSA *key = NULL;
nit: NULL is safe, I wonder if it is necessary (was needed before).
> EVP_PKEY *pkey;
> - RSA *key;
> pkey = read_priv_pkey(keyfile, keypass);
> if (!pkey)
> @@ -1018,10 +1034,12 @@ static int get_hash_algo_v1(const char *algo)
> return -1;
> }
> +#endif
next prev parent reply other threads:[~2022-08-30 11:55 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-30 0:59 [RFC PATCH ima-evm-utils 00/11] address deprecated warnings Mimi Zohar
2022-08-30 0:59 ` [RFC PATCH ima-evm-utils 01/11] travis: use the distro OpenSSL version on jammy Mimi Zohar
2022-08-30 11:30 ` Petr Vorel
2022-08-30 0:59 ` [RFC PATCH ima-evm-utils 02/11] travis: update dist=focal Mimi Zohar
2022-08-30 11:31 ` Petr Vorel
2022-08-30 0:59 ` [RFC PATCH ima-evm-utils 03/11] Update configure.ac to address a couple of obsolete warnings Mimi Zohar
2022-08-30 11:32 ` Petr Vorel
2022-08-30 0:59 ` [RFC PATCH ima-evm-utils 04/11] Deprecate IMA signature version 1 Mimi Zohar
2022-08-30 11:55 ` Petr Vorel [this message]
2022-08-31 18:58 ` Mimi Zohar
2022-08-30 12:12 ` Stefan Berger
2022-08-31 15:17 ` Mimi Zohar
2022-08-30 0:59 ` [RFC PATCH ima-evm-utils 05/11] Replace the low level SHA1 calls when calculating the TPM 1.2 PCRs Mimi Zohar
2022-08-30 12:55 ` Petr Vorel
2022-08-30 0:59 ` [RFC PATCH ima-evm-utils 06/11] Replace the low level HMAC calls when calculating the EVM HMAC Mimi Zohar
2022-08-30 12:59 ` Petr Vorel
2022-08-30 0:59 ` [RFC PATCH ima-evm-utils 07/11] Add missing EVP_MD_CTX_free() call in calc_evm_hash() Mimi Zohar
2022-08-30 13:02 ` Petr Vorel
2022-08-30 0:59 ` [RFC PATCH ima-evm-utils 08/11] Deprecate use of OpenSSL 3 "engine" support Mimi Zohar
2022-08-30 3:03 ` Vitaly Chikunov
2022-08-30 11:46 ` Mimi Zohar
2022-08-30 20:52 ` Vitaly Chikunov
2022-08-30 22:54 ` Vitaly Chikunov
2022-08-31 11:43 ` Mimi Zohar
2022-08-31 12:02 ` Mimi Zohar
2022-08-30 0:59 ` [RFC PATCH ima-evm-utils 09/11] Fix potential use after free in read_tpm_banks() Mimi Zohar
2022-08-30 13:04 ` Petr Vorel
2022-08-30 0:59 ` [RFC PATCH ima-evm-utils 10/11] Limit the file hash algorithm name length Mimi Zohar
2022-08-30 13:04 ` Petr Vorel
2022-08-30 0:59 ` [RFC PATCH ima-evm-utils 11/11] Missing template data size lower bounds checking Mimi Zohar
2022-08-30 13:06 ` Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yw36rCs7MhTAWFEr@pevik \
--to=pvorel@suse.cz \
--cc=linux-integrity@vger.kernel.org \
--cc=stefanb@linux.ibm.com \
--cc=vt@altlinux.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).