From a76a5c51283b9d361caf514dc5cdebd72b5b4ca1 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Thu, 6 Feb 2025 15:54:41 -0500
Subject: meta-integrity: Enable choice of creating IMA signatures or hashes

When IMA and EVM are used for file appraisal then EVM verifies the
signature stored in security.evm. This signature covers file metadata
(uid, gid, mode bits, etc.) as well as the security.ima xattr.
Therefore, it is sufficient that only files' hashes are stored in
security.ima. This also leads to slight performance improvements
since IMA appraisal will then only verify that a file's hash matches
the expected hash stored in security.ima. EVM will ensure that the
signature over all the file metadata and security.ima xattr is
correct. Therefore, give the user control over whether to store file
signatures (--imasig) in ima.security or hashes (--imahash) by
setting the option in IMA_EVM_IMA_XATTR_OPT.

Only test-verify an IMA signature if --imasig is used as the option.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-integrity/README.md                      |  1 +
 meta-integrity/classes/ima-evm-rootfs.bbclass | 10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 6845c21..79635a0 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -97,6 +97,7 @@ the image, enable image signing in the local.conf like this:
     IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
     IMA_EVM_EVMCTL_KEY_PASSWORD = "<optional private key password>"
     IMA_EVM_PRIVKEY_KEYID_OPT = "<options to use while signing>"
+    IMA_EVM_IMA_XATTR_OPT = "<whether to sign or hash for IMA>"
     IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
     IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
 
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index d50a025..14639cf 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -15,6 +15,10 @@ IMA_EVM_PRIVKEY_KEYID_OPT ?= ""
 # Password for the private key
 IMA_EVM_EVMCTL_KEY_PASSWORD ?= ""
 
+# Whether to create IMA signatures (--imasig) or hashes (--imahash).
+# Hashes are sufficient for IMA when EVM uses signatures.
+IMA_EVM_IMA_XATTR_OPT ?= "--imasig"
+
 # Public part of certificates (used for both IMA and EVM).
 # The default is okay when using the example key directory.
 IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
@@ -78,11 +82,13 @@ ima_evm_sign_rootfs () {
     export EVMCTL_KEY_PASSWORD=${IMA_EVM_EVMCTL_KEY_PASSWORD}
 
     bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
-    evmctl sign --imasig ${evmctl_param} --portable -a sha256 \
+    evmctl sign ${IMA_EVM_IMA_XATTR_OPT} ${evmctl_param} --portable -a sha256 \
         --key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} -r "${IMAGE_ROOTFS}"
 
     # check signing key and signature verification key
-    evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
+    if [ "${IMA_EVM_IMA_XATTR_OPT}" = "--imasig" ]; then
+        evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
+    fi
     evmctl verify     ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
 
     # Optionally install custom policy for loading by systemd.
-- 
cgit v1.2.3-54-g00ecf