[v2,1/8] evmctl: Implement support for EVMCTL_KEY_PASSWORD environment variable

Message ID 20210810134557.2444863-2-stefanb@linux.vnet.ibm.com
State New, archived
Series ima-evm-utils: Add support for signing with pkcs11 URIs

Commit Message

Stefan Berger Aug. 10, 2021, 1:45 p.m. UTC
From: Stefan Berger <stefanb@linux.ibm.com>

If the user did not use the --pass option to provide a key password,
get the key password from the EVMCTL_KEY_PASSWORD environment variable.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 README       | 4 ++++
 src/evmctl.c | 6 ++++++
 2 files changed, 10 insertions(+)

Comments

Mimi Zohar Aug. 27, 2021, 9:37 p.m. UTC | #1
[Cc: Vitaly]

On Tue, 2021-08-10 at 09:45 -0400, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.ibm.com>
> 
> If the user did not use the --pass option to provide a key password,
> get the key password from the EVMCTL_KEY_PASSWORD environment variable.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Thanks, Stefan.

Vitaly, I'm not sure that there's any benefit of using secure heap for
a password stored as an environment variable, but it needs to at least
be documented.

thanks,

Mimi
Vitaly Chikunov Sept. 4, 2021, 10:21 a.m. UTC | #2
Mimi, Stefan,

On Fri, Aug 27, 2021 at 05:37:35PM -0400, Mimi Zohar wrote:
> [Cc: Vitaly]
> 
> On Tue, 2021-08-10 at 09:45 -0400, Stefan Berger wrote:
> > From: Stefan Berger <stefanb@linux.ibm.com>
> > 
> > If the user did not use the --pass option to provide a key password,
> > get the key password from the EVMCTL_KEY_PASSWORD environment variable.
> > 
> > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> 
> Thanks, Stefan.
> 
> Vitaly, I'm not sure that there's any benefit of using secure heap for
> a password stored as an environment variable, but it needs to at least
> be documented.

I did not receive this patch, nor is it in git.

Thanks,

> 
> thanks,
> 
> Mimi
Patch

diff --git a/README b/README
index 87cd3b5..1cc027f 100644
--- a/README
+++ b/README
@@ -70,6 +70,10 @@  OPTIONS
   -v                 increase verbosity level
   -h, --help         display this help and exit
 
+Environment variables:
+
+EVMCTL_KEY_PASSWORD  : Private key password to use; do not use --pass option
+
 
 INTRODUCTION
 ------------
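Review bot: The wording "do not use --pass option" in the new README line is ambiguous; it reads as an instruction to avoid --pass, whereas the change in main() only consults EVMCTL_KEY_PASSWORD when --pass was not given. Suggest stating the precedence explicitly, e.g. "EVMCTL_KEY_PASSWORD : private key password; used only when --pass is not given". Since Mimi asked for the environment-variable handling to be documented, this is also the place to note that the password is taken from the process environment rather than from the command line.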
diff --git a/src/evmctl.c b/src/evmctl.c
index a8065bb..58f8e66 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -2530,6 +2530,9 @@  static void usage(void)
 		"      --ignore-violations ignore ToMToU measurement violations\n"
 		"  -v                 increase verbosity level\n"
 		"  -h, --help         display this help and exit\n"
+		"\n"
+		"Environment variables:\n\n"
+		"EVMCTL_KEY_PASSWORD  : Private key password to use; do not use --pass option\n"
 		"\n");
 }
 
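Review bot: The help text added to usage() carries the same "do not use --pass option" phrasing as the README hunk and should be reworded the same way so the two stay consistent; consider a short shared description such as "used when --pass is not given". Minor style point: the "\n" line followed by "Environment variables:\n\n" produces two consecutive blank lines in the help output, so one of them can be dropped.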
@@ -2813,6 +2816,9 @@  int main(int argc, char *argv[])
 		}
 	}
 
+	if (!imaevm_params.keypass)
+		imaevm_params.keypass = getenv("EVMCTL_KEY_PASSWORD");
+
 	if (argv[optind] == NULL)
 		usage();
 	else
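Review bot: getenv() returns a pointer to an empty string, not NULL, when EVMCTL_KEY_PASSWORD is set but empty, so `imaevm_params.keypass = getenv("EVMCTL_KEY_PASSWORD");` will treat an empty variable as a valid (empty) password instead of falling back to the interactive prompt. Suggest checking for the empty case as well, e.g. `const char *env = getenv("EVMCTL_KEY_PASSWORD"); if (env && *env) imaevm_params.keypass = env;`. It would also help reviewers if the commit message stated that keypass now aliases the process environment rather than a buffer owned by evmctl, since Mimi's comment about secure heap handling turns on that difference.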