| Message ID | 20230616192358.314906-2-roberto.sassu@huaweicloud.com (mailing list archive) |
|---|---|
| State | New, archived |
| Series | Simple EVM HMAC calculation tests |
On 6/16/23 15:23, Roberto Sassu wrote: > From: Roberto Sassu <roberto.sassu@huawei.com> > > Modify calc_evm_hmac() to include, similarly to calc_evm_hash(), the > filesystem UUID in the HMAC calculation. > > If the -u option is not specified in the evmctl command line, the UUID of > the filesystem the input file resides on is taken for the calculation. > > If a string is specified as a value for the -u option, that string is taken > as UUID (assuming that it is formatted correctly). > > If no value is specified for the -u option, the filesystem UUID is not > included in the HMAC calculation. > > Not including the filesystem UUID in the digest/HMAC calculation is needed > for the case where the kernel is compiled with CONFIG_EVM_ATTR_FSUUID=n, or > the digest/HMAC is not for an EVM portable signature. > > Fixes: 1d24a94bb556 ("added uuid support for EVM") > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > --- > src/evmctl.c | 13 +++++++++++++ > 1 file changed, 13 insertions(+) > > diff --git a/src/evmctl.c b/src/evmctl.c > index c35a28c58f4..c24261cf0e6 100644 > --- a/src/evmctl.c > +++ b/src/evmctl.c > @@ -1199,6 +1199,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s > int keylen; > unsigned char evmkey[MAX_KEY_SIZE]; > char list[1024]; > + char uuid[16]; > ssize_t list_size; > struct h_misc_64 hmac_misc; > int hmac_size; 
> @@ -1330,6 +1331,18 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s > log_err("EVP_DigestSignUpdate() failed\n"); > goto out_ctx_cleanup; > } > + if (!(hmac_flags & HMAC_FLAG_NO_UUID)) { > + err = get_uuid(&st, uuid); > + if (err) > + goto out_ctx_cleanup; > + > + err = EVP_DigestSignUpdate(pctx, (const unsigned char *)uuid, > + sizeof(uuid)); > + if (!err) { > + log_err("EVP_DigestSignUpdate() failed\n"); > + goto out_ctx_cleanup; > + } > + } > err = EVP_DigestSignFinal(pctx, sig, &siglen); > if (err != 1) > log_err("EVP_DigestSignFinal() failed\n"); Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
diff --git a/src/evmctl.c b/src/evmctl.c index c35a28c58f4..c24261cf0e6 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -1199,6 +1199,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s int keylen; unsigned char evmkey[MAX_KEY_SIZE]; char list[1024]; + char uuid[16]; ssize_t list_size; struct h_misc_64 hmac_misc; int hmac_size; @@ -1330,6 +1331,18 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *s log_err("EVP_DigestSignUpdate() failed\n"); goto out_ctx_cleanup; } + if (!(hmac_flags & HMAC_FLAG_NO_UUID)) { + err = get_uuid(&st, uuid); + if (err) + goto out_ctx_cleanup; + + err = EVP_DigestSignUpdate(pctx, (const unsigned char *)uuid, + sizeof(uuid)); + if (!err) { + log_err("EVP_DigestSignUpdate() failed\n"); + goto out_ctx_cleanup; + } + } err = EVP_DigestSignFinal(pctx, sig, &siglen); if (err != 1) log_err("EVP_DigestSignFinal() failed\n");
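Review bot: the first hunk declares `char uuid[16]`, i.e. the 16 raw bytes of the filesystem UUID, while the commit message describes a string passed to `-u` being "taken as UUID"; a short comment on the declaration (or a sentence in the commit message) stating that `get_uuid()` yields the binary form, which is what the HMAC covers, would make the `sizeof(uuid)` passed to `EVP_DigestSignUpdate()` in the second hunk self-explanatory. If `get_uuid()` accepts it, declaring the buffer as `unsigned char uuid[16]` would also remove the `(const unsigned char *)` cast in the second hunk.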
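Review bot: in the second hunk the new `if (!err)` after `EVP_DigestSignUpdate()` checks the result differently from the `if (err != 1)` used for `EVP_DigestSignFinal()` three lines below; OpenSSL's EVP_DigestSign* functions return 1 on success, so using `if (err != 1)` here as well keeps both checks consistent and treats any non-1 value as failure. Note also that on the two new failure paths `err` holds either the `get_uuid()` return value or 0 (a failed update) when jumping to `out_ctx_cleanup`; what is returned after that label is outside the hunk, so it is worth confirming that a failed update is not reported to the caller as success.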