From: Stefan Berger <stefanb@linux.ibm.com>
To: Mimi Zohar <zohar@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: Petr Vorel <pvorel@suse.cz>, Vitaly Chikunov <vt@altlinux.org>
Subject: Re: [PATCH ima-evm-utils 04/11] Deprecate IMA signature version 1
Date: Fri, 2 Sep 2022 15:25:54 -0400 [thread overview]
Message-ID: <edb72939-3588-02ec-4a0b-e5d98d93634f@linux.ibm.com> (raw)
In-Reply-To: <20220902162836.554839-5-zohar@linux.ibm.com>
On 9/2/22 12:28, Mimi Zohar wrote:
> The original IMA file signatures were based on a SHA1 hash. Kernel
> support for other hash algorithms was subsequently upstreamed. Deprecate
> "--rsa" support.
>
> Define "--enable-sigv1" option to configure signature v1 support.
>
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
> configure.ac | 6 ++++++
> src/Makefile.am | 10 ++++++++++
> src/evmctl.c | 20 ++++++++++++++++----
> src/libimaevm.c | 22 +++++++++++++++++++---
> tests/sign_verify.test | 18 ++++++++++++------
> 5 files changed, 63 insertions(+), 13 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 9d3b23ff8def..dc666f2bb1fa 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -49,6 +49,11 @@ AC_ARG_ENABLE([openssl_conf],
> AC_DEFINE(DISABLE_OPENSSL_CONF, 1, [Define to disable loading of openssl config by evmctl.])
> fi], [enable_openssl_conf=yes])
>
> +AC_ARG_ENABLE(sigv1,
> + AS_HELP_STRING([--enable-sigv1], [Build ima-evm-utils with signature v1 support]))
> + AM_CONDITIONAL([CONFIG_SIGV1], [test "x$enable_sigv1" = "xyes"])
> + AS_IF([test "$enable_sigv1" != "yes"], [enable_sigv1="no"])
> +
> #debug support - yes for a while
> PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
> if test $pkg_cv_enable_debug = yes; then
> @@ -83,5 +88,6 @@ echo " openssl-conf: $enable_openssl_conf"
> echo " tss2-esys: $ac_cv_lib_tss2_esys_Esys_Free"
> echo " tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode"
> echo " ibmtss: $ac_cv_header_ibmtss_tss_h"
> +echo " sigv1: $enable_sigv1"
> echo " doc: $have_doc"
> echo
> diff --git a/src/Makefile.am b/src/Makefile.am
> index 396496bb439d..90c7249020cf 100644
> --- a/src/Makefile.am
> +++ b/src/Makefile.am
> @@ -7,6 +7,10 @@ libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
> libimaevm_la_LDFLAGS = -version-info 3:0:0
> libimaevm_la_LIBADD = $(LIBCRYPTO_LIBS)
>
> +if CONFIG_SIGV1
> +libimaevm_la_CFLAGS = -DCONFIG_SIGV1
> +endif
> +
> include_HEADERS = imaevm.h
>
> nodist_libimaevm_la_SOURCES = hash_info.h
> @@ -22,6 +26,12 @@ evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
> evmctl_LDFLAGS = $(LDFLAGS_READLINE)
> evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la
>
> +# Enable IMA signature version 1
> +if CONFIG_SIGV1
> +evmctl_CFLAGS = -DCONFIG_SIGV1
> +endif
> +
> +
> # USE_PCRTSS uses the Intel TSS
> if USE_PCRTSS
> evmctl_SOURCES += pcr_tss.c
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 76e2561798fa..13b0105af8c4 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -987,7 +987,6 @@ static int cmd_verify_ima(struct command *cmd)
> init_public_keys("/etc/keys/x509_evm.der");
> }
>
> - errno = 0;
> if (!file) {
> log_err("Parameters missing\n");
> print_usage(cmd);
> @@ -1004,6 +1003,7 @@ static int cmd_verify_ima(struct command *cmd)
> return fails > 0;
> }
>
> +#if CONFIG_SIGV1
> static int cmd_convert(struct command *cmd)
> {
> char *inkey;
> @@ -1034,6 +1034,7 @@ static int cmd_convert(struct command *cmd)
> RSA_free(key);
> return err;
> }
> +#endif
>
> static int cmd_import(struct command *cmd)
> {
> @@ -1088,6 +1089,7 @@ static int cmd_import(struct command *cmd)
> calc_keyid_v2((uint32_t *)keyid, name, pkey);
> EVP_PKEY_free(pkey);
> } else {
> +#if CONFIG_SIGV1
> RSA *key = read_pub_key(inkey, imaevm_params.x509);
>
> if (!key)
> @@ -1095,6 +1097,10 @@ static int cmd_import(struct command *cmd)
> len = key2bin(key, pub);
> calc_keyid_v1(keyid, name, pub, len);
> RSA_free(key);
> +#else
> + log_info("Importing public RSA key is not supported\n");
> + return 1;
> +#endif
> }
>
> log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id);
> @@ -2598,7 +2604,9 @@ static void usage(void)
> " -d, --imahash make IMA hash\n"
> " -f, --sigfile store IMA signature in .sig file instead of xattr\n"
> " --xattr-user store xattrs in user namespace (for testing purposes)\n"
> - " --rsa use RSA key type and signing scheme v1\n"
> +#if CONFIG_SIGV1
> + " --rsa use RSA key type and signing scheme v1 (deprecated)\n"
> +#endif
> " -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)\n"
> " or a pkcs11 URI\n"
> " --keyid n overwrite signature keyid with a 32-bit value in hex (for signing)\n"
> @@ -2637,8 +2645,12 @@ static void usage(void)
> struct command cmds[] = {
> {"--version", NULL, 0, ""},
> {"help", cmd_help, 0, "<command>"},
> - {"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring.\n"},
> - {"convert", cmd_convert, 0, "key", "convert public key into the keyring.\n"},
> +#if CONFIG_SIGV1
> + {"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring. ([--rsa] deprecated)\n"},
> + {"convert", cmd_convert, 0, "key", "convert public key into the keyring. (deprecated)\n"},
> +#else
> + {"import", cmd_import, 0, "pubkey keyring", "Import public key into the keyring.\n"},
> +#endif
> {"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass [password] file", "Sign file metadata.\n"},
> {"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
> {"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass [password] file", "Make file content signature.\n"},
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index e4b62b4989b2..4b37bf5bd62c 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -292,6 +292,7 @@ out:
> return pkey;
> }
>
> +#if CONFIG_SIGV1
> RSA *read_pub_key(const char *keyfile, int x509)
> {
> EVP_PKEY *pkey;
> @@ -351,6 +352,7 @@ static int verify_hash_v1(const char *file, const unsigned char *hash, int size,
>
> return 0;
> }
> +#endif /* CONFIG_SIGV1 */
>
> struct public_key_entry {
> struct public_key_entry *next;
> @@ -686,6 +688,7 @@ int verify_hash(const char *file, const unsigned char *hash, int size,
> {
> /* Get signature type from sig header */
> if (sig[1] == DIGSIG_VERSION_1) {
> +#if CONFIG_SIGV1
> const char *key = NULL;
>
> /* Read pubkey from RSA key */
> @@ -695,6 +698,10 @@ int verify_hash(const char *file, const unsigned char *hash, int size,
> key = imaevm_params.keyfile;
> return verify_hash_v1(file, hash, size, sig + 1, siglen - 1,
> key);
> +#else
> + log_info("Signature version 1 deprecated.");
> + return -1;
> +#endif
> } else if (sig[1] == DIGSIG_VERSION_2) {
> return verify_hash_v2(file, hash, size, sig, siglen);
> } else if (sig[1] == DIGSIG_VERSION_3) {
> @@ -742,6 +749,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
> return verify_hash(file, hash, hashlen, sig, siglen);
> }
>
> +#if CONFIG_SIGV1
> /*
> * Create binary key representation suitable for kernel
> */
> @@ -800,6 +808,7 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
> if (imaevm_params.verbose > LOG_INFO)
> log_info("keyid-v1: %s\n", str);
> }
> +#endif /* CONFIG_SIGV1 */
>
> /*
> * Calculate keyid of the public_key part of EVP_PKEY
> @@ -990,6 +999,7 @@ err_engine:
> return NULL;
> }
>
> +#if CONFIG_SIGV1
> static RSA *read_priv_key(const char *keyfile, const char *keypass)
> {
> EVP_PKEY *pkey;
> @@ -1100,6 +1110,7 @@ out:
> RSA_free(key);
> return len;
> }
> +#endif /* CONFIG_SIGV1 */
>
> /*
> * @sig is assumed to be of (MAX_SIGNATURE_SIZE - 1) size
> @@ -1214,9 +1225,14 @@ int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const c
> if (keypass)
> imaevm_params.keypass = keypass;
>
> - return imaevm_params.x509 ?
> - sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
> - sign_hash_v1(hashalgo, hash, size, keyfile, sig);
> + if (imaevm_params.x509)
> + return sign_hash_v2(hashalgo, hash, size, keyfile, sig);
> +#if CONFIG_SIGV1
> + else
> + return sign_hash_v1(hashalgo, hash, size, keyfile, sig);
> +#endif
> + log_info("Signature version 1 deprecated.");
> + return -1;
> }
>
> static void libinit()
> diff --git a/tests/sign_verify.test b/tests/sign_verify.test
> index c56290aa4932..948892759424 100755
> --- a/tests/sign_verify.test
> +++ b/tests/sign_verify.test
> @@ -17,6 +17,7 @@
>
> cd "$(dirname "$0")" || exit 1
> PATH=../src:$PATH
> +SIGV1=0
> source ./functions.sh
>
> _require cmp evmctl getfattr openssl xxd
> @@ -368,13 +369,18 @@ try_different_sigs() {
>
> ## Test v1 signatures
> # Signature v1 only supports sha1 and sha256 so any other should fail
> -expect_fail \
> - check_sign TYPE=ima KEY=rsa1024 ALG=md5 PREFIX=0x0301 OPTS=--rsa
> +if [ $SIGV1 -eq 0 ]; then
> + __skip() { echo "IMA signature v1 tests are skipped: not supported"; return $SKIP; }
> + expect_pass __skip
> +else
> + expect_fail \
> + check_sign TYPE=ima KEY=rsa1024 ALG=md5 PREFIX=0x0301 OPTS=--rsa
>
> -sign_verify rsa1024 sha1 0x0301 --rsa
> -sign_verify rsa1024 sha256 0x0301 --rsa
> - try_different_keys
> - try_different_sigs
> + sign_verify rsa1024 sha1 0x0301 --rsa
> + sign_verify rsa1024 sha256 0x0301 --rsa
> + try_different_keys
> + try_different_sigs
> +fi
>
> ## Test v2 signatures with RSA PKCS#1
> # List of allowed hashes much greater but not all are supported.
next prev parent reply other threads:[~2022-09-02 19:26 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-02 16:28 [PATCH ima-evm-utils 00/11] address deprecated warnings Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 01/11] travis: use the distro OpenSSL version on jammy Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 02/11] travis: update dist=focal Mimi Zohar
2022-09-02 20:24 ` Stefan Berger
2022-09-06 18:27 ` Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 03/11] Update configure.ac to address a couple of obsolete warnings Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 04/11] Deprecate IMA signature version 1 Mimi Zohar
2022-09-02 19:25 ` Stefan Berger [this message]
2022-09-02 16:28 ` [PATCH ima-evm-utils 05/11] Replace the low level SHA1 calls when calculating the TPM 1.2 PCRs Mimi Zohar
2022-09-02 20:18 ` Stefan Berger
2022-09-02 16:28 ` [PATCH ima-evm-utils 06/11] Replace the low level HMAC calls when calculating the EVM HMAC Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 07/11] Add missing EVP_MD_CTX_free() call in calc_evm_hash() Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 08/11] Deprecate use of OpenSSL v3 "engine" support Mimi Zohar
2022-09-04 3:08 ` Vitaly Chikunov
2022-09-04 16:26 ` Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 09/11] Fix potential use after free in read_tpm_banks() Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 10/11] Limit the file hash algorithm name length Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 11/11] Missing template data size lower bounds checking Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=edb72939-3588-02ec-4a0b-e5d98d93634f@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=pvorel@suse.cz \
--cc=vt@altlinux.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox