From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
To: Petr Vorel <pvorel@suse.cz>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
Vitaly Chikunov <vt@altlinux.org>,
Stefan Berger <stefanb@linux.ibm.com>,
linux-integrity@vger.kernel.org,
Jia Zhang <zhang.jia@linux.alibaba.com>,
"YiLin . Li" <YiLin.Li@linux.alibaba.com>
Subject: Re: [PATCH ima-evm-utils v6] ima-evm-utils: Support SM2/3 algorithm for sign and verify
Date: Wed, 21 Jul 2021 11:08:39 +0800 [thread overview]
Message-ID: <f0f48952-7c71-c147-f804-81cf67a1b301@linux.alibaba.com> (raw)
In-Reply-To: <YPbSnDejnYcqY2Ib@pevik>
Hi Petr,
On 7/20/21 9:41 PM, Petr Vorel wrote:
> Hi Tianjia,
>
> few notes below, feel free to completely ignore it.
>
> ...
>> diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
>> index 088c041..b890481 100644
>> --- a/.github/workflows/ci.yml
>> +++ b/.github/workflows/ci.yml
>> @@ -17,6 +17,7 @@ jobs:
>> ARCH: i386
>> TSS: tpm2-tss
>> VARIANT: i386
>> + COMPILE_SSL: openssl-3
> I'd either put here value openssl-3.0.0-beta1 and pass it to
> ./tests/install-openssl3.sh or put value as true. Because why define version in
> yaml and also in the script? (sooner or later these two will not match).
>
This is a good way, I will follow you.
>> # cross compilation builds
>> - container: "debian:stable"
>> @@ -51,6 +52,7 @@ jobs:
>> env:
>> CC: clang
>> TSS: ibmtss
>> + COMPILE_SSL: openssl-3
>
>> - container: "opensuse/leap"
>> env:
>> @@ -61,6 +63,7 @@ jobs:
>> env:
>> CC: gcc
>> TSS: ibmtss
>> + COMPILE_SSL: openssl-3
>
>> - container: "ubuntu:xenial"
>> env:
>> @@ -115,6 +118,7 @@ jobs:
>> INSTALL="${INSTALL%%/*}"
>> if [ "$VARIANT" ]; then ARCH="$ARCH" ./ci/$INSTALL.$VARIANT.sh; fi
>> ARCH="$ARCH" CC="$CC" TSS="$TSS" ./ci/$INSTALL.sh
>> + if [ "$COMPILE_SSL" ]; then ./tests/install-openssl3.sh; fi
>
>> - name: Build swtpm
>> run: |
>> @@ -128,5 +132,8 @@ jobs:
>> - name: Compiler version
>> run: $CC --version
>
>> + - name: Default OpenSSL version
>> + run: openssl version
> you should run this only on native build:
>
> run: [ "$VARIANT" != "cross-compile" ] && openssl version
>
> Also aren't ve interested at the version which is actually being used for
> compilation?
>
> Also we don't print this info for Travis CI.
>
It's just to facilitate troubleshooting when CI fails. This is not
necessary, and it seems useless now, I will delete.
>> +
>> - name: Compile
>> run: CC="$CC" VARIANT="$VARIANT" ./build.sh
>> diff --git a/.travis.yml b/.travis.yml
>> index 7a76273..a73f20e 100644
>> --- a/.travis.yml
>> +++ b/.travis.yml
>> @@ -9,7 +9,7 @@ matrix:
>> include:
>> # 32 bit build
>> - os: linux
>> - env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss
>> + env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss COMPILE_SSL: openssl-3
>> compiler: gcc
>
>> # cross compilation builds
>> @@ -32,7 +32,7 @@ matrix:
>
>> # glibc (gcc/clang)
>> - os: linux
>> - env: DISTRO=opensuse/tumbleweed TSS=ibmtss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/runc --network=host"
>> + env: DISTRO=opensuse/tumbleweed TSS=ibmtss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/runc --network=host" COMPILE_SSL: openssl-3
>> compiler: clang
>
>> - os: linux
>> @@ -40,7 +40,7 @@ matrix:
>> compiler: gcc
>
>> - os: linux
>> - env: DISTRO=ubuntu:groovy TSS=ibmtss
>> + env: DISTRO=ubuntu:groovy TSS=ibmtss COMPILE_SSL: openssl-3
>> compiler: gcc
>
>> - os: linux
>> @@ -97,4 +97,4 @@ before_install:
>> script:
>> - INSTALL="${DISTRO%%:*}"
>> - INSTALL="${INSTALL%%/*}"
>> - - $CONTAINER run $CONTAINER_ARGS -t ima-evm-utils /bin/sh -c "if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./ci/$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./ci/$INSTALL.sh && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || if which tssstartup; then ./tests/install-swtpm.sh; fi; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ./build.sh"
>> + - $CONTAINER run $CONTAINER_ARGS -t ima-evm-utils /bin/sh -c "if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./ci/$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./ci/$INSTALL.sh && if [ "$COMPILE_SSL" ]; then ./tests/install-openssl3.sh; fi && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || if which tssstartup; then ./tests/install-swtpm.sh; fi; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ./build.sh"
>> diff --git a/src/libimaevm.c b/src/libimaevm.c
>> index 19f1041..8e96157 100644
> ...
>> --- a/tests/gen-keys.sh
>> +++ b/tests/gen-keys.sh
>> @@ -131,6 +131,31 @@ for m in \
>> fi
>> done
>
>> +# SM2, If openssl 3.0 is installed, gen SM2 keys using
>> +if [ -x /opt/openssl3/bin/openssl ]; then
>> + (PATH=/opt/openssl3/bin:$PATH LD_LIBRARY_PATH=/opt/openssl3/lib
>> + for curve in sm2; do
> I'd just export PATH and LD_LIBRARY_PATH than wrap them in ().
Direct export PATH and LD_LIBRARY_PATH will affect the following
commands. If add other commands after this code block in the future, it
will cause potential problems. Of course, this file will not affect it
now. If you export PATH and LD_LIBRARY_PATH directly in sign_verify.test
script, there will cause error.
>> + if [ "$1" = clean ] || [ "$1" = force ]; then
>> + rm -f test-$curve.cer test-$curve.key test-$curve.pub
>> + fi
>> + if [ "$1" = clean ]; then
>> + continue
>> + fi
>> + if [ ! -e test-$curve.key ]; then
>> + log openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 \
>> + -sm3 -sigopt "distid:1234567812345678" \
>> + -config test-ca.conf \
>> + -copy_extensions copyall \
>> + -newkey $curve \
>> + -out test-$curve.cer -outform DER \
>> + -keyout test-$curve.key
>> + if [ -s test-$curve.key ]; then
>> + log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
>> + fi
>> + fi
>> + done)
>> +fi
> ...
>
>> --- /dev/null
>> +++ b/tests/install-openssl3.sh
>> @@ -0,0 +1,17 @@
>> +#!/bin/sh
will change to #!/bin/bash
>> +
>> +set -ex
>> +
>> +# 3.0.0-beta1 is the latest version in July 2021
> I'd define a variable and use it.
> version="openssl-3.0.0-beta1"
>
Good way.
>
> Kind regards,
> Petr
>
>> +wget --no-check-certificate https://github.com/openssl/openssl/archive/refs/tags/openssl-3.0.0-beta1.tar.gz
>> +tar --no-same-owner -xzf openssl-3.0.0-beta1.tar.gz
>> +cd openssl-openssl-3.0.0-beta1
>> +
>> +./Configure --prefix=/opt/openssl3 --openssldir=/opt/openssl3/ssl
>> +make -j$(nproc)
>> +# only install apps and library
>> +sudo make install_sw
>> +
>> +cd ..
>> +rm -rf openssl-3.0.0-beta1.tar.gz
>> +rm -rf openssl-openssl-3.0.0-beta1
> ...
>
Best regards,
Tianjia
next prev parent reply other threads:[~2021-07-21 3:12 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-20 7:51 [PATCH ima-evm-utils v6] ima-evm-utils: Support SM2/3 algorithm for sign and verify Tianjia Zhang
2021-07-20 13:41 ` Petr Vorel
2021-07-21 3:08 ` Tianjia Zhang [this message]
2021-07-20 13:46 ` Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f0f48952-7c71-c147-f804-81cf67a1b301@linux.alibaba.com \
--to=tianjia.zhang@linux.alibaba.com \
--cc=YiLin.Li@linux.alibaba.com \
--cc=linux-integrity@vger.kernel.org \
--cc=pvorel@suse.cz \
--cc=stefanb@linux.ibm.com \
--cc=vt@altlinux.org \
--cc=zhang.jia@linux.alibaba.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox