From fe4f5b1122378f302bb01ff14951d5401208f49a Mon Sep 17 00:00:00 2001 From: Dmitry Eremin-Solenikov Date: Wed, 4 Sep 2019 10:22:57 +0300 Subject: meta-tpm2: tpm2-tss: update to version 2.2.3 Signed-off-by: Dmitry Eremin-Solenikov --- meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss.inc | 2 ++ ...build-update-for-ax_code_coverage.m4-version-2019.01.patch | 6 +++--- meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.0.0.bb | 10 ---------- meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.2.3.bb | 11 +++++++++++ 4 files changed, 16 insertions(+), 13 deletions(-) delete mode 100644 meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.0.0.bb create mode 100644 meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.2.3.bb diff --git a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss.inc b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss.inc index e917b87..602cf6a 100644 --- a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss.inc +++ b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss.inc @@ -16,6 +16,8 @@ inherit autotools pkgconfig EXTRA_OECONF += " \ --with-udevrulesdir=${sysconfdir}/udev/rules.d \ + --with-crypto=gcrypt \ + --disable-doxygen-doc \ " PACKAGES = " \ diff --git a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch index 56f9d4b..c8b1ddb 100644 --- a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch +++ b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch @@ -19,7 +19,7 @@ diff --git a/Makefile.am b/Makefile.am index d78d23f..7815c4b 100644 --- a/Makefile.am +++ b/Makefile.am -@@ -42,7 +42,13 @@ noinst_PROGRAMS = +@@ -19,7 +19,13 @@ noinst_PROGRAMS = ### Add ax_* rules ### # ax_code_coverage @@ -37,8 +37,8 @@ diff --git a/configure.ac b/configure.ac index c8aa314..40883a8 100644 --- a/configure.ac 
+++ b/configure.ac -@@ -206,6 +206,9 @@ DX_INIT_DOXYGEN($PACKAGE_NAME, [Doxyfile], [doc/doxygen]) - AM_CONDITIONAL(DOXYMAN, [test $DX_FLAG_man -eq 1]) +@@ -312,6 +312,9 @@ AS_IF([test "x$enable_doxygen_doc" != xn + [ERROR_IF_NO_PROG([doxygen])]) AX_CODE_COVERAGE +m4_ifdef([_AX_CODE_COVERAGE_RULES], diff --git a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.0.0.bb b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.0.0.bb deleted file mode 100644 index 9cc0247..0000000 --- a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.0.0.bb +++ /dev/null @@ -1,10 +0,0 @@ -include ${BPN}.inc - -SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \ - file://0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch \ -" - -SRC_URI[md5sum] = "048ea77be36f881b7b6ecefbc1cf7dbd" -SRC_URI[sha256sum] = "7dfd05f7d2c4d5339d1c9ecbdba25f4ea6df70e96b09928e15e0560cce02d525" - -S = "${WORKDIR}/${BPN}-${PV}" diff --git a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.2.3.bb b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.2.3.bb new file mode 100644 index 0000000..9edc305 --- /dev/null +++ b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.2.3.bb @@ -0,0 +1,11 @@ +include ${BPN}.inc + +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" +SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \ + file://0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch \ +" + +SRC_URI[md5sum] = "593873bb023a0f8bcb93d12bc6640918" +SRC_URI[sha256sum] = "1369aee648b33128b9ee8e3ad87f5fc6dc37c2077b9f134223ea04f4809a99c3" + +S = "${WORKDIR}/${BPN}-${PV}" -- cgit v1.2.3-54-g00ecf From 99ec1bedbbb23252f824137b1a5017275d9467fe Mon Sep 17 00:00:00 2001 From: Dmitry Eremin-Solenikov Date: Wed, 4 Sep 2019 10:23:21 +0300 Subject: meta-tpm2: tpm2-tools: update to version 3.2.0 
Signed-off-by: Dmitry Eremin-Solenikov --- meta-tpm2/recipes-tpm/tpm2-tools/tpm2-tools_3.1.1.bb | 9 --------- meta-tpm2/recipes-tpm/tpm2-tools/tpm2-tools_3.2.0.bb | 9 +++++++++ 2 files changed, 9 insertions(+), 9 deletions(-) delete mode 100644 meta-tpm2/recipes-tpm/tpm2-tools/tpm2-tools_3.1.1.bb create mode 100644 meta-tpm2/recipes-tpm/tpm2-tools/tpm2-tools_3.2.0.bb diff --git a/meta-tpm2/recipes-tpm/tpm2-tools/tpm2-tools_3.1.1.bb b/meta-tpm2/recipes-tpm/tpm2-tools/tpm2-tools_3.1.1.bb deleted file mode 100644 index 178ec15..0000000 --- a/meta-tpm2/recipes-tpm/tpm2-tools/tpm2-tools_3.1.1.bb +++ /dev/null @@ -1,9 +0,0 @@ -include ${BPN}.inc - -SRC_URI = "\ - https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \ -" -SRC_URI[md5sum] = "ad9e856c4cbd8a19eb205d74ab635adc" -SRC_URI[sha256sum] = "c7f0cdca51ef2006503f60c462b6d183c9b9dc038f4c3f74a89c111088fed8aa" - -S = "${WORKDIR}/${BPN}-${PV}" diff --git a/meta-tpm2/recipes-tpm/tpm2-tools/tpm2-tools_3.2.0.bb b/meta-tpm2/recipes-tpm/tpm2-tools/tpm2-tools_3.2.0.bb new file mode 100644 index 0000000..058982d --- /dev/null +++ b/meta-tpm2/recipes-tpm/tpm2-tools/tpm2-tools_3.2.0.bb @@ -0,0 +1,9 @@ +include ${BPN}.inc + +SRC_URI = "\ + https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \ +" +SRC_URI[md5sum] = "af389756402fa26aa3f08aa4abfc5d88" +SRC_URI[sha256sum] = "ad79ee83e2d4b34302e8883eaf313b27dbfabfd9cbc8ebcd95cf78fa097aef14" + +S = "${WORKDIR}/${BPN}-${PV}" -- cgit v1.2.3-54-g00ecf From 26ced755f525311d102e95adbc3a36072c62ce00 Mon Sep 17 00:00:00 2001 From: Dmitry Eremin-Solenikov Date: Wed, 4 Sep 2019 10:23:51 +0300 Subject: grub-efi: support mok2 verify in multiboot2 protocol Add support for verifying PKCS#7 signatures via MOK2 protocol to multiboot2 command enabling one to load multiboot-capable kernels. 
Signed-off-by: Dmitry Eremin-Solenikov --- .../recipes-bsp/grub/grub-efi-efi-secure-boot.inc | 1 + .../grub/grub-efi/mok2verify-multiboot.patch | 54 ++++++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-multiboot.patch diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc index 32da43a..71a2bc1 100644 --- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc @@ -19,6 +19,7 @@ SRC_URI += "\ file://efi-chainloader-implemented-for-32-bit.patch \ file://Grub-get-and-set-efi-variables.patch \ file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \ + file://mok2verify-multiboot.patch \ file://grub-efi.cfg \ file://boot-menu.inc \ ${EXTRA_SRC_URI} \ diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-multiboot.patch b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-multiboot.patch new file mode 100644 index 0000000..eebc3f1 --- /dev/null +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-multiboot.patch 
@@ -0,0 +1,54 @@ +Index: grub-2.02/grub-core/loader/multiboot.c +=================================================================== +--- grub-2.02.orig/grub-core/loader/multiboot.c ++++ grub-2.02/grub-core/loader/multiboot.c +@@ -47,6 +47,7 @@ GRUB_MOD_LICENSE ("GPLv3+"); + + #ifdef GRUB_MACHINE_EFI + #include ++#include + #endif + + struct grub_relocator *GRUB_MULTIBOOT (relocator) = NULL; +@@ -325,6 +326,20 @@ grub_cmd_multiboot (grub_command_t cmd _ + if (! file) + return grub_errno; + ++#if GRUB_MACHINE_EFI ++ err = grub_verify_file (argv[0]); ++ if (err != GRUB_ERR_NONE) ++ { ++ grub_error(err, N_("Failed to verify module %s"), argv[0]); ++ ++ /* An unauthenticated module always causes a complete boot failure. */ ++ if (grub_is_secured () == 1) ++ grub_loader_unset(); ++ ++ return err; ++ } ++#endif ++ + grub_dl_ref (my_mod); + + /* Skip filename. */ +@@ -379,6 +394,20 @@ grub_cmd_module (grub_command_t cmd __at + if (! file) + return grub_errno; + ++#if GRUB_MACHINE_EFI ++ err = grub_verify_file (argv[0]); ++ if (err != GRUB_ERR_NONE) ++ { ++ grub_error(err, N_("Failed to verify module %s"), argv[0]); ++ ++ /* An unauthenticated module always causes a complete boot failure. */ ++ if (grub_is_secured () == 1) ++ grub_loader_unset(); ++ ++ return err; ++ } ++#endif ++ + #ifndef GRUB_USE_MULTIBOOT2 + lowest_addr = 0x100000; + if (grub_multiboot_quirks & GRUB_MULTIBOOT_QUIRK_MODULES_AFTER_KERNEL) -- cgit v1.2.3-54-g00ecf From d139491c9ad4ca3f85ac01432c856ebcd41d706b Mon Sep 17 00:00:00 2001 From: Dmitry Eremin-Solenikov Date: Wed, 4 Sep 2019 10:25:09 +0300 Subject: ima-evm-utils: update to release 1.2.1 Bump ima-evm-utils to latest release (1.2.1). 
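Review bot: In both added `#if GRUB_MACHINE_EFI` blocks (grub_cmd_multiboot and grub_cmd_module) the failure path returns `err` right after the `if (! file)` check without releasing `file`, so a rejected image appears to leak the open handle; add `grub_file_close (file);` before `return err;`. `grub_verify_file (argv[0])` is given the path rather than the handle that is loaded afterwards, so the verified bytes and the loaded bytes seem to come from separate reads; it is worth confirming the helper's contract, or verifying the buffer that is actually loaded. In grub_cmd_multiboot the message should name the kernel, e.g. `N_("Failed to verify kernel %s")`, and the comment says "always" although `grub_loader_unset()` runs only when `grub_is_secured () == 1`. The embedded patch starts directly at `Index:` with no description or `Upstream-Status:` line, and the same holds for fix-new-imaevm.patch later in this series. Both function bodies begin and end outside the hunks.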
Signed-off-by: Dmitry Eremin-Solenikov --- ...tall-evmctl-to-sbindir-rather-than-bindir.patch | 8 +- .../Fix-the-build-failure-with-openssl-1.1.x.patch | 299 --------------------- .../ima-evm-utils/ima-evm-utils_git.bb | 7 +- 3 files changed, 7 insertions(+), 307 deletions(-) delete mode 100644 meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/Fix-the-build-failure-with-openssl-1.1.x.patch diff --git a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Install-evmctl-to-sbindir-rather-than-bindir.patch b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Install-evmctl-to-sbindir-rather-than-bindir.patch index 545be42..2a63e80 100644 --- a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Install-evmctl-to-sbindir-rather-than-bindir.patch +++ b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Install-evmctl-to-sbindir-rather-than-bindir.patch @@ -14,15 +14,15 @@ diff --git a/src/Makefile.am b/src/Makefile.am index deb18fb..aa8f666 100644 --- a/src/Makefile.am +++ b/src/Makefile.am -@@ -9,7 +9,7 @@ libimaevm_la_LIBADD = $(OPENSSL_LIBS) - - include_HEADERS = imaevm.h +@@ -15,7 +15,7 @@ EXTRA_DIST = hash_info.gen + hash_info.h: Makefile + $(srcdir)/hash_info.gen $(KERNEL_HEADERS) >$@ -bin_PROGRAMS = evmctl +sbin_PROGRAMS = evmctl evmctl_SOURCES = evmctl.c - evmctl_CPPFLAGS = $(OPENSSL_CFLAGS) + evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) -- 2.7.4 diff --git a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/Fix-the-build-failure-with-openssl-1.1.x.patch b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/Fix-the-build-failure-with-openssl-1.1.x.patch deleted file mode 100644 index 5551678..0000000 --- a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/Fix-the-build-failure-with-openssl-1.1.x.patch +++ /dev/null 
@@ -1,299 +0,0 @@ -From 61595d2d4eb9d6855680ea2f6d74492a4b7a553f Mon Sep 17 00:00:00 2001 -From: Lans Zhang -Date: Wed, 16 Aug 2017 14:32:03 +0800 -Subject: [PATCH] Fix the build failure with openssl-1.1.x - -- Clean up the opaqu EVP_MD_CTX and RSA. -- Similarly, HMAC_CTX is also opaqu. Note that there is no dynamic - allocation function like HMAC_CTX_create|new() available in 1.0.x. -- HMAC_CTX_cleanup() is replaced by HMAC_CTX_reset(). - -Signed-off-by: Lans Zhang ---- - src/evmctl.c | 79 +++++++++++++++++++++++++++++++++++++++++---------------- - src/libimaevm.c | 54 +++++++++++++++++++++++++-------------- - 2 files changed, 92 insertions(+), 41 deletions(-) - -diff --git a/src/evmctl.c b/src/evmctl.c -index c54efbb..9156bcb 100644 ---- a/src/evmctl.c -+++ b/src/evmctl.c -@@ -314,7 +314,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) - struct stat st; - int err; - uint32_t generation = 0; -- EVP_MD_CTX ctx; -+ EVP_MD_CTX *ctx; - unsigned int mdlen; - char **xattrname; - char xattr_value[1024]; -@@ -366,10 +366,17 @@ static int calc_evm_hash(const char *file, unsigned char *hash) - return -1; - } - -- err = EVP_DigestInit(&ctx, EVP_sha1()); -+ ctx = EVP_MD_CTX_create(); -+ if (!ctx) { -+ log_err("EVP_MD_CTX_create() failed\n"); -+ return -1; -+ } -+ -+ err = EVP_DigestInit(ctx, EVP_sha1()); - if (!err) { - log_err("EVP_DigestInit() failed\n"); -- return 1; -+ err = 1; -+ goto out; - } - - for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { -@@ -398,10 +405,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash) - /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/ - log_info("name: %s, size: %d\n", *xattrname, err); - log_debug_dump(xattr_value, err); -- err = EVP_DigestUpdate(&ctx, xattr_value, err); -+ err = EVP_DigestUpdate(ctx, xattr_value, err); - if (!err) { - log_err("EVP_DigestUpdate() failed\n"); -- return 1; -+ err = 1; -+ goto out; - } - } - -@@ -446,31 +454,38 @@ 
static int calc_evm_hash(const char *file, unsigned char *hash) - log_debug("hmac_misc (%d): ", hmac_size); - log_debug_dump(&hmac_misc, hmac_size); - -- err = EVP_DigestUpdate(&ctx, &hmac_misc, hmac_size); -+ err = EVP_DigestUpdate(ctx, &hmac_misc, hmac_size); - if (!err) { - log_err("EVP_DigestUpdate() failed\n"); -- return 1; -+ err = 1; -+ goto out; - } - - if (!evm_immutable && !(hmac_flags & HMAC_FLAG_NO_UUID)) { - err = get_uuid(&st, uuid); -- if (err) -- return -1; -+ if (err) { -+ err = -1; -+ goto out; -+ } - -- err = EVP_DigestUpdate(&ctx, (const unsigned char *)uuid, sizeof(uuid)); -+ err = EVP_DigestUpdate(ctx, (const unsigned char *)uuid, sizeof(uuid)); - if (!err) { - log_err("EVP_DigestUpdate() failed\n"); -- return 1; -+ err = 1; -+ goto out; - } - } - -- err = EVP_DigestFinal(&ctx, hash, &mdlen); -- if (!err) { -+ if (!EVP_DigestFinal(ctx, hash, &mdlen)) { - log_err("EVP_DigestFinal() failed\n"); -- return 1; -- } -+ err = 1; -+ } else -+ err = 0; -+ -+out: -+ EVP_MD_CTX_destroy(ctx); - -- return mdlen; -+ return err ?: mdlen; - } - - static int sign_evm(const char *file, const char *key) -@@ -908,7 +923,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h - struct stat st; - int err = -1; - uint32_t generation = 0; -- HMAC_CTX ctx; -+ HMAC_CTX *ctx = NULL; - unsigned int mdlen; - char **xattrname; - unsigned char xattr_value[1024]; -@@ -965,7 +980,17 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h - goto out; - } - -- err = !HMAC_Init(&ctx, evmkey, sizeof(evmkey), EVP_sha1()); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ ctx = malloc(sizeof(*ctx)); -+#else -+ ctx = HMAC_CTX_new(); -+#endif -+ if (!ctx) { -+ log_err("HMAC_CTX_new() failed\n"); -+ goto out; -+ } -+ -+ err = !HMAC_Init(ctx, evmkey, sizeof(evmkey), EVP_sha1()); - if (err) { - log_err("HMAC_Init() failed\n"); - goto out; -@@ -984,7 +1009,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned 
char *h - /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/ - log_info("name: %s, size: %d\n", *xattrname, err); - log_debug_dump(xattr_value, err); -- err = !HMAC_Update(&ctx, xattr_value, err); -+ err = !HMAC_Update(ctx, xattr_value, err); - if (err) { - log_err("HMAC_Update() failed\n"); - goto out_ctx_cleanup; -@@ -1025,17 +1050,27 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h - log_debug("hmac_misc (%d): ", hmac_size); - log_debug_dump(&hmac_misc, hmac_size); - -- err = !HMAC_Update(&ctx, (const unsigned char *)&hmac_misc, hmac_size); -+ err = !HMAC_Update(ctx, (const unsigned char *)&hmac_misc, hmac_size); - if (err) { - log_err("HMAC_Update() failed\n"); - goto out_ctx_cleanup; - } -- err = !HMAC_Final(&ctx, hash, &mdlen); -+ err = !HMAC_Final(ctx, hash, &mdlen); - if (err) - log_err("HMAC_Final() failed\n"); - out_ctx_cleanup: -- HMAC_CTX_cleanup(&ctx); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ HMAC_CTX_cleanup(ctx); -+#else -+ HMAC_CTX_reset(ctx); -+#endif - out: -+ if (ctx) -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ free(ctx); -+#else -+ HMAC_CTX_free(ctx); -+#endif - free(key); - return err ?: mdlen; - } -diff --git a/src/libimaevm.c b/src/libimaevm.c -index eedffb4..3f23cac 100644 ---- a/src/libimaevm.c -+++ b/src/libimaevm.c -@@ -271,7 +271,7 @@ int ima_calc_hash(const char *file, uint8_t *hash) - { - const EVP_MD *md; - struct stat st; -- EVP_MD_CTX ctx; -+ EVP_MD_CTX *ctx; - unsigned int mdlen; - int err; - -@@ -288,41 +288,50 @@ int ima_calc_hash(const char *file, uint8_t *hash) - return 1; - } - -- err = EVP_DigestInit(&ctx, md); -+ ctx = EVP_MD_CTX_create(); -+ if (!ctx) { -+ log_err("EVP_MD_CTX_create() failed\n"); -+ return 1; -+ } -+ -+ err = EVP_DigestInit(ctx, md); - if (!err) { - log_err("EVP_DigestInit() failed\n"); -- return 1; -+ err = 1; -+ goto out; - } - - switch (st.st_mode & S_IFMT) { - case S_IFREG: -- err = add_file_hash(file, &ctx); -+ err = 
add_file_hash(file, ctx); - break; - case S_IFDIR: -- err = add_dir_hash(file, &ctx); -+ err = add_dir_hash(file, ctx); - break; - case S_IFLNK: -- err = add_link_hash(file, &ctx); -+ err = add_link_hash(file, ctx); - break; - case S_IFIFO: case S_IFSOCK: - case S_IFCHR: case S_IFBLK: -- err = add_dev_hash(&st, &ctx); -+ err = add_dev_hash(&st, ctx); - break; - default: - log_errno("Unsupported file type"); -- return -1; -+ err = -1; - } - - if (err) -- return err; -+ goto out; - -- err = EVP_DigestFinal(&ctx, hash, &mdlen); -- if (!err) { -+ if (!EVP_DigestFinal(ctx, hash, &mdlen)) { - log_err("EVP_DigestFinal() failed\n"); -- return 1; -+ err = 1; - } - -- return mdlen; -+out: -+ EVP_MD_CTX_destroy(ctx); -+ -+ return err ?: mdlen; - } - - RSA *read_pub_key(const char *keyfile, int x509) -@@ -549,6 +558,7 @@ int key2bin(RSA *key, unsigned char *pub) - { - int len, b, offset = 0; - struct pubkey_hdr *pkh = (struct pubkey_hdr *)pub; -+ BIGNUM *n, *e; - - /* add key header */ - pkh->version = 1; -@@ -558,18 +568,24 @@ int key2bin(RSA *key, unsigned char *pub) - - offset += sizeof(*pkh); - -- len = BN_num_bytes(key->n); -- b = BN_num_bits(key->n); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ n = key->n; -+ e = key->e; -+#else -+ RSA_get0_key(key, (const BIGNUM **)&n, (const BIGNUM **)&e, NULL); -+#endif -+ len = BN_num_bytes(n); -+ b = BN_num_bits(n); - pub[offset++] = b >> 8; - pub[offset++] = b & 0xff; -- BN_bn2bin(key->n, &pub[offset]); -+ BN_bn2bin(n, &pub[offset]); - offset += len; - -- len = BN_num_bytes(key->e); -- b = BN_num_bits(key->e); -+ len = BN_num_bytes(e); -+ b = BN_num_bits(e); - pub[offset++] = b >> 8; - pub[offset++] = b & 0xff; -- BN_bn2bin(key->e, &pub[offset]); -+ BN_bn2bin(e, &pub[offset]); - offset += len; - - return offset; --- -2.7.5 - diff --git a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb index 0d0d703..bc98ce6 100644 
--- a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb +++ b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb @@ -3,16 +3,15 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" DEPENDS += "openssl attr keyutils" -PV = "1.0+git${SRCPV}" +PV = "1.2.1+git${SRCPV}" SRC_URI = "\ - git://git.code.sf.net/p/linux-ima/ima-evm-utils \ + git://git.code.sf.net/p/linux-ima/ima-evm-utils;branch=ima-evm-utils-1.2.y \ file://0001-Don-t-build-man-pages.patch \ file://0001-Install-evmctl-to-sbindir-rather-than-bindir.patch \ - file://Fix-the-build-failure-with-openssl-1.1.x.patch \ file://0001-ima-evm-utils-include-sys-types.h-in-header-to-fix-b.patch \ " -SRCREV = "3e2a67bdb0673581a97506262e62db098efef6d7" +SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e" S = "${WORKDIR}/git" -- cgit v1.2.3-54-g00ecf From 6d1bd0da1f8b6f28188fbdcc552df8c0dcf80a79 Mon Sep 17 00:00:00 2001 From: Dmitry Eremin-Solenikov Date: Wed, 4 Sep 2019 11:43:48 +0300 Subject: ima-inspect: add patch to fix compilation with newer ima-evm-utils Signed-off-by: Dmitry Eremin-Solenikov --- .../ima-inspect/ima-inspect/fix-new-imaevm.patch | 13 +++++++++++++ .../recipes-support/ima-inspect/ima-inspect_0.11.bb | 5 ++++- 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 meta-integrity/recipes-support/ima-inspect/ima-inspect/fix-new-imaevm.patch diff --git a/meta-integrity/recipes-support/ima-inspect/ima-inspect/fix-new-imaevm.patch b/meta-integrity/recipes-support/ima-inspect/ima-inspect/fix-new-imaevm.patch new file mode 100644 index 0000000..6ba0fcd --- /dev/null +++ b/meta-integrity/recipes-support/ima-inspect/ima-inspect/fix-new-imaevm.patch 
@@ -0,0 +1,13 @@ +Index: git/configure.ac +=================================================================== +--- git.orig/configure.ac ++++ git/configure.ac +@@ -9,7 +9,7 @@ AM_INIT_AUTOMAKE([foreign subdir-objects + AC_CONFIG_FILES([Makefile]) + + PKG_CHECK_MODULES([TCLAP], [tclap]) +-AC_SEARCH_LIBS([do_dump], [imaevm], [], [ ++AC_SEARCH_LIBS([imaevm_do_hexdump], [imaevm], [], [ + AC_MSG_ERROR([unable to find libimaevm, you need ima-evm-utils-devel or similar package]) + ]) + diff --git a/meta-integrity/recipes-support/ima-inspect/ima-inspect_0.11.bb b/meta-integrity/recipes-support/ima-inspect/ima-inspect_0.11.bb index 8a3b239..09cbe15 100644 --- a/meta-integrity/recipes-support/ima-inspect/ima-inspect_0.11.bb +++ b/meta-integrity/recipes-support/ima-inspect/ima-inspect_0.11.bb @@ -3,7 +3,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a23a74b3f4caf9616230789d94217acb" DEPENDS += "attr ima-evm-utils tclap" -SRC_URI = "git://github.com/mgerstner/ima-inspect.git" +SRC_URI = " \ + git://github.com/mgerstner/ima-inspect.git \ + file://fix-new-imaevm.patch \ +" SRCREV = "e912be2d2a9fdf30a9693a7fc5d6b2473990a71c" S = "${WORKDIR}/git" -- cgit v1.2.3-54-g00ecf