
[v2,ima-evm-utils,3/4] Add --hmackey option for evmctl

Message ID 20230605165554.1965238-4-roberto.sassu@huaweicloud.com (mailing list archive)
State New, archived
Series: Simple EVM HMAC calculation tests

Commit Message

Roberto Sassu June 5, 2023, 4:55 p.m. UTC
From: Roberto Sassu <roberto.sassu@huawei.com>

Add the --hmackey option, to specify an alternate path for the file
containing the HMAC key. By default evmctl looks in
/etc/keys/evm-key-plain.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 README       |  3 ++-
 src/evmctl.c | 12 ++++++++++--
 src/imaevm.h |  1 +
 3 files changed, 13 insertions(+), 3 deletions(-)

Comments

Casey Schaufler June 5, 2023, 6:14 p.m. UTC | #1
On 6/5/2023 9:55 AM, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> Add the --hmackey option

At first glance I read this as "hackey", as in the option is a hack.
The name you have is the obvious choice, but it caught my attention
for the wrong reason. 

> , to specify an alternate path for the file
> containing the HMAC key. By default evmctl looks in
> /etc/keys/evm-key-plain.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
>  README       |  3 ++-
>  src/evmctl.c | 12 ++++++++++--
>  src/imaevm.h |  1 +
>  3 files changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/README b/README
> index 40a61f94315..7239dda257e 100644
> --- a/README
> +++ b/README
> @@ -40,7 +40,7 @@ COMMANDS
>   ima_fix [-t fdsxm] path
>   ima_clear [-t fdsxm] path
>   sign_hash [--veritysig] [--key key] [--pass=<password>]
> - hmac [--imahash | --imasig ] file
> + hmac [--imahash | --imasig] [--hmackey key] file
>  
>  
>  OPTIONS
> @@ -82,6 +82,7 @@ OPTIONS
>        --ignore-violations ignore ToMToU measurement violations
>        --verify-sig   verify the file signature based on the file hash, both
>                       stored in the template data.
> +      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)
>    -v                 increase verbosity level
>    -h, --help         display this help and exit
>  
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 7a3ffd7c823..8caf9bd83fb 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -1417,7 +1417,8 @@ static int cmd_hmac_evm(struct command *cmd)
>  			return err;
>  	}
>  
> -	return hmac_evm(file, "/etc/keys/evm-key-plain");
> +	return hmac_evm(file, imaevm_params.hmackeyfile ? :
> +			"/etc/keys/evm-key-plain");
>  }
>  
>  static int ima_fix(const char *path)
> @@ -2873,6 +2874,9 @@ static void usage(void)
>  		"      --engine e     preload OpenSSL engine e (such as: gost) is deprecated\n"
>  #endif
>  		"      --ignore-violations ignore ToMToU measurement violations\n"
> +#ifdef DEBUG
> +		"      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)\n"
> +#endif
>  		"  -v                 increase verbosity level\n"
>  		"  -h, --help         display this help and exit\n"
>  		"\n"
> @@ -2902,7 +2906,7 @@ struct command cmds[] = {
>  	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
>  	{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
>  #ifdef DEBUG
> -	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
> +	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig] [--hmackey key] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
>  #endif
>  	{0, 0, 0, NULL}
>  };
> @@ -2944,6 +2948,7 @@ static struct option opts[] = {
>  	{"keyid-from-cert", 1, 0, 145},
>  	{"veritysig", 0, 0, 146},
>  	{"hwtpm", 0, 0, 147},
> +	{"hmackey", 1, 0, 148},
>  	{}
>  
>  };
> @@ -3189,6 +3194,9 @@ int main(int argc, char *argv[])
>  		case 147:
>  			hwtpm = 1;
>  			break;
> +		case 148:
> +			imaevm_params.hmackeyfile = optarg;
> +			break;
>  		case '?':
>  			exit(1);
>  			break;
> diff --git a/src/imaevm.h b/src/imaevm.h
> index 78e7ed5e89d..18d7b0e447e 100644
> --- a/src/imaevm.h
> +++ b/src/imaevm.h
> @@ -221,6 +221,7 @@ struct libimaevm_params {
>  	const char *keypass;
>  	uint32_t keyid;		/* keyid overriding value, unless 0. (Host order.) */
>  	ENGINE *eng;
> +	const char *hmackeyfile;
>  };
>  
>  struct RSA_ASN1_template {
Mimi Zohar June 15, 2023, 12:11 a.m. UTC | #2
On Mon, 2023-06-05 at 18:55 +0200, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Add the --hmackey option, to specify an alternate path for the file
> containing the HMAC key. By default evmctl looks in
> /etc/keys/evm-key-plain.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>

Please include the motivation for this feature.  Otherwise, it looks
good.

Patch

diff --git a/README b/README
index 40a61f94315..7239dda257e 100644
--- a/README
+++ b/README
@@ -40,7 +40,7 @@  COMMANDS
  ima_fix [-t fdsxm] path
  ima_clear [-t fdsxm] path
  sign_hash [--veritysig] [--key key] [--pass=<password>]
- hmac [--imahash | --imasig ] file
+ hmac [--imahash | --imasig] [--hmackey key] file
 
 
 OPTIONS
@@ -82,6 +82,7 @@  OPTIONS
       --ignore-violations ignore ToMToU measurement violations
       --verify-sig   verify the file signature based on the file hash, both
                      stored in the template data.
+      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)
   -v                 increase verbosity level
   -h, --help         display this help and exit
 
diff --git a/src/evmctl.c b/src/evmctl.c
index 7a3ffd7c823..8caf9bd83fb 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1417,7 +1417,8 @@  static int cmd_hmac_evm(struct command *cmd)
 			return err;
 	}
 
-	return hmac_evm(file, "/etc/keys/evm-key-plain");
+	return hmac_evm(file, imaevm_params.hmackeyfile ? :
+			"/etc/keys/evm-key-plain");
 }
 
 static int ima_fix(const char *path)
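Review bot: The default key path `"/etc/keys/evm-key-plain"` is now spelled out as a literal here, again in the usage() string further down, and a third time in the README, so the three can drift apart; a single `#define DEFAULT_EVM_HMAC_KEYFILE "/etc/keys/evm-key-plain"` near the top of evmctl.c, used in both C sites, would keep them in step. The `? :` with the middle operand omitted is a GCC/Clang extension; it is presumably acceptable for this code base, but the plain `imaevm_params.hmackeyfile ? imaevm_params.hmackeyfile : DEFAULT_EVM_HMAC_KEYFILE` costs nothing and reads more clearly. cmd_hmac_evm starts before this hunk, and how hmac_evm reports a path that cannot be opened is not visible here.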
@@ -2873,6 +2874,9 @@  static void usage(void)
 		"      --engine e     preload OpenSSL engine e (such as: gost) is deprecated\n"
 #endif
 		"      --ignore-violations ignore ToMToU measurement violations\n"
+#ifdef DEBUG
+		"      --hmackey      path to symmetric key (default: /etc/keys/evm-key-plain)\n"
+#endif
 		"  -v                 increase verbosity level\n"
 		"  -h, --help         display this help and exit\n"
 		"\n"
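Review bot: The `--hmackey` help text is added under `#ifdef DEBUG`, but the option itself is registered in opts[] and handled in main() (the `{"hmackey", 1, 0, 148},` and `case 148:` hunks further down) unconditionally, so a non-DEBUG build silently accepts an option that nothing consumes and that its own --help does not list. Either wrap those two additions in the same `#ifdef DEBUG` as the hmac command, or drop the guard here so the option stays visible in every build; the README entry in this series is unconditional, so it should agree with whichever is chosen. The usage() body starts before this hunk and continues after it.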
@@ -2902,7 +2906,7 @@  struct command cmds[] = {
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
 	{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
 #ifdef DEBUG
-	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
+	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig] [--hmackey key] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
 #endif
 	{0, 0, 0, NULL}
 };
@@ -2944,6 +2948,7 @@  static struct option opts[] = {
 	{"keyid-from-cert", 1, 0, 145},
 	{"veritysig", 0, 0, 146},
 	{"hwtpm", 0, 0, 147},
+	{"hmackey", 1, 0, 148},
 	{}
 
 };
@@ -3189,6 +3194,9 @@  int main(int argc, char *argv[])
 		case 147:
 			hwtpm = 1;
 			break;
+		case 148:
+			imaevm_params.hmackeyfile = optarg;
+			break;
 		case '?':
 			exit(1);
 			break;
diff --git a/src/imaevm.h b/src/imaevm.h
index 78e7ed5e89d..18d7b0e447e 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -221,6 +221,7 @@  struct libimaevm_params {
 	const char *keypass;
 	uint32_t keyid;		/* keyid overriding value, unless 0. (Host order.) */
 	ENGINE *eng;
+	const char *hmackeyfile;
 };
 
 struct RSA_ASN1_template {
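Review bot: The new `hmackeyfile` member of the public `struct libimaevm_params` has no comment, unlike its neighbour `keyid`, and nothing in the header says who owns the string or what NULL means; suggest `const char *hmackeyfile;	/* EVM HMAC key path; NULL selects evmctl's default (/etc/keys/evm-key-plain). Not owned. */`. Appending the member at the end preserves the offsets of the existing fields but still grows the struct, which matters if the library and evmctl can be built from different versions; a sentence in the commit message on whether that is supported would help. Within this patch only evmctl.c reads the field; if the library itself never consults it, a file-static variable in evmctl.c would avoid widening the library's parameter struct at all.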