| author | Yunguo Wei <yunguo.wei@windriver.com> | 2019-10-10 18:10:52 +0800 |
|---|---|---|
| committer | Jia Zhang <qianyue.zj@alibaba-inc.com> | 2019-10-10 18:10:52 +0800 |
| commit | 701cbaf3c3428e393e93384bcbc94240753a4c40 (patch) | |
| tree | 9acafdc2f54dd6229af2178d2823f5f1a4550caf | |
| parent | 69117bef3a49ce645eee4cc6aaebb234da99c414 (diff) | |
| download | meta-secure-core-701cbaf3c3428e393e93384bcbc94240753a4c40.tar.gz | |
lib-evm-utils: using the correct algo for v2 signature (#120)
When using rpmsign (with --signfiles --fskpath) to sign an RPM package,
the IMA signature is not correct, see:
$ getfattr -d -m - rootfs/usr/sbin/grpconv
file: rootfs/usr/sbin/grpconv
security.ima=0sAwIEDy1SEQP3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
And the expected signature is like this:
$ getfattr -d -m - rootfs/usr/sbin/grpconv
file: rootfs/usr/sbin/grpconv
security.ima=0sAwIEDy1SEQEAA6s8DwmRCVutcrE8NvHWWYXlg8L1AwH5teu44prkKRwmhZQ52Oa4UQoZZlxER/SJ9tijbve8ZAv++KW8EqgP4iZjEGh8ke76rpiRU5glnG/U+HUjnilJBpzpMJHxyNbAiFoHMESeCOtrhY0zZIUXK3DnIuIJSwpfl2HaNFxRrE38EaqgV9IQ8QiWFCvgDYXoJDwc3KdhjKjs214tCfZpKO1w4QJl2n4llZHw2RTHIuUOsMhRDEXs6onLHmdmhvqgxIHt7IvsT9v7H8GnoaiX0xgzxk2o/mE5EtPrnMtUoGSQwdY8CAfUbCwAp0c5QlsrHk5RBmewjJ/jxd/K1uKp7w==
The root cause is that libimaevm doesn't retrieve the correct signing algo, so this patch
is making things right.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
2 files changed, 27 insertions, 0 deletions
diff --git a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-libimaevm-retrieve-correct-algo-for-v2-signature.patch b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-libimaevm-retrieve-correct-algo-for-v2-signature.patch new file mode 100644 index 0000000..25957c1 --- /dev/null +++ b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-libimaevm-retrieve-correct-algo-for-v2-signature.patch | |||
| @@ -0,0 +1,26 @@ | |||
| 1 | From c740d114ca213ece820da39ce2ce99fc4d6ae5c7 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Yunguo Wei <yunguo.wei@windriver.com> | ||
| 3 | Date: Thu, 10 Oct 2019 16:40:21 +0800 | ||
| 4 | Subject: [PATCH] libimaevm: retrieve correct algo for v2 signature | ||
| 5 | |||
| 6 | Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com> | ||
| 7 | --- | ||
| 8 | src/libimaevm.c | 2 +- | ||
| 9 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 10 | |||
| 11 | diff --git a/src/libimaevm.c b/src/libimaevm.c | ||
| 12 | index 7c17bf4..3586e02 100644 | ||
| 13 | --- a/src/libimaevm.c | ||
| 14 | +++ b/src/libimaevm.c | ||
| 15 | @@ -939,7 +939,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash, | ||
| 16 | if (!EVP_PKEY_sign_init(ctx)) | ||
| 17 | goto err; | ||
| 18 | st = "EVP_get_digestbyname"; | ||
| 19 | - if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo))) | ||
| 20 | + if (!(md = EVP_get_digestbyname(algo))) | ||
| 21 | goto err; | ||
| 22 | st = "EVP_PKEY_CTX_set_signature_md"; | ||
| 23 | if (!EVP_PKEY_CTX_set_signature_md(ctx, md)) | ||
| 24 | -- | ||
| 25 | 2.7.4 | ||
| 26 | |||
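
Review bot: The embedded patch header (From, Date, Subject, Signed-off-by, then `---`) carries no `Upstream-Status:` line and no message body, so nothing in the layer records whether this one-line change in `sign_hash_v2()` was submitted to ima-evm-utils or why it is needed. Suggest adding an `Upstream-Status:` tag above the Signed-off-by and a short body stating that `EVP_get_digestbyname(imaevm_params.hash_algo)` ignored the function's own `algo` argument, so the patch can be rechecked or dropped when SRCREV moves.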
diff --git a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb index bc98ce6..46722b8 100644 --- a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb +++ b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb | |||
| @@ -10,6 +10,7 @@ SRC_URI = "\ | |||
| 10 | file://0001-Don-t-build-man-pages.patch \ | 10 | file://0001-Don-t-build-man-pages.patch \ |
| 11 | file://0001-Install-evmctl-to-sbindir-rather-than-bindir.patch \ | 11 | file://0001-Install-evmctl-to-sbindir-rather-than-bindir.patch \ |
| 12 | file://0001-ima-evm-utils-include-sys-types.h-in-header-to-fix-b.patch \ | 12 | file://0001-ima-evm-utils-include-sys-types.h-in-header-to-fix-b.patch \ |
| 13 | file://0001-libimaevm-retrieve-correct-algo-for-v2-signature.patch \ | ||
| 13 | " | 14 | " |
| 14 | SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e" | 15 | SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e" |
| 15 | 16 | ||
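
A check for the failure shown in the commit message, as an added example that is not part of the commit or of ima-evm-utils: it decodes a `security.ima` value as printed by `getfattr` and flags a v2 signature whose body is all zeros or whose length disagrees with its header. The header layout (type byte, then version, hash algorithm id, key id and big-endian signature size) is stated from the ima-evm-utils sources rather than from this page, and `make_sample` with its key id is a constructed helper.

```python
import base64
import struct

EVM_IMA_XATTR_DIGSIG = 0x03
# type, version, hash_algo, keyid, sig_size (big-endian, no padding)
HEADER = struct.Struct(">BBB4sH")


def decode_xattr(value: str) -> bytes:
    """getfattr prints base64 values with a '0s' prefix and hex with '0x'."""
    if value.startswith("0s"):
        return base64.b64decode(value[2:])
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    return value.encode()


def check_ima_signature(value: str) -> list:
    """Return the structural problems found in one security.ima value."""
    raw = decode_xattr(value)
    if len(raw) < HEADER.size:
        return ["too short for a v2 signature header"]
    xtype, version, _hash_algo, _keyid, sig_size = HEADER.unpack_from(raw)
    if xtype != EVM_IMA_XATTR_DIGSIG or version != 2:
        return ["not a v2 digital signature"]
    sig = raw[HEADER.size:]
    problems = []
    if len(sig) != sig_size:
        problems.append(f"sig_size {sig_size} != {len(sig)} signature bytes")
    if sig and not any(sig):
        # A real signature is never all zero; this is what the broken
        # rpmsign output in the commit message looks like after the header.
        problems.append("signature bytes are all zero")
    return problems


def make_sample(sig: bytes) -> str:
    """Constructed test value: header with a made-up key id, then sig."""
    hdr = HEADER.pack(EVM_IMA_XATTR_DIGSIG, 2, 4, b"\x00\x11\x22\x33", len(sig))
    return "0s" + base64.b64encode(hdr + sig).decode()


if __name__ == "__main__":
    samples = (("zeroed", bytes(256)), ("populated", b"\xab" * 256))
    for name, sig in samples:
        print(name, check_ima_signature(make_sample(sig)) or "ok")
```

Run over the `getfattr -d -m -` output of a freshly signed rootfs, the same function catches files that were signed before the fix and need re-signing.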
