Message ID | 20231119165043.46960-8-zohar@linux.ibm.com (mailing list archive) |
---|---|
State | New, archived |
Series | Address non concurrency-safe libimaevm global variables | expand |
On 11/19/23 11:50, Mimi Zohar wrote: > Replace calling init_public_keys() with the init_public_keys2() version. > Similarly replace ima_verify_signature() with the ima_verify_signature2() > version. > > Update the static ima_ng_show() function definition to include a > "public_keys" parameter. > > Free the local public keys list. > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > --- > src/evmctl.c | 18 +++++++++++------- > 1 file changed, 11 insertions(+), 7 deletions(-) > > diff --git a/src/evmctl.c b/src/evmctl.c > index f796edfce5f1..ad4565b3ee52 100644 > --- a/src/evmctl.c > +++ b/src/evmctl.c > @@ -1614,7 +1614,7 @@ static int lookup_template_name_entry(char *template_name) > return 0; > } > > -void ima_ng_show(struct template_entry *entry) > +static void ima_ng_show(void *public_keys, struct template_entry *entry) > { > uint8_t *fieldp = entry->template; > uint32_t field_len; > @@ -1740,10 +1740,12 @@ void ima_ng_show(struct template_entry *entry) > * the measurement list or calculate the hash. > */ > if (verify_list_sig) > - err = ima_verify_signature(path, sig, sig_len, > - digest, digest_len); > + err = ima_verify_signature2(public_keys, path, > + sig, sig_len, > + digest, digest_len); > else > - err = ima_verify_signature(path, sig, sig_len, NULL, 0); > + err = ima_verify_signature2(public_keys, path, > + sig, sig_len, NULL, 0); > > if (!err && imaevm_params.verbose > LOG_INFO) > log_info("%s: verification is OK\n", path); > @@ -2223,6 +2225,7 @@ static int ima_measurement(const char *file) > int first_record = 1; > unsigned int pseudo_padded_banks_mask, pseudo_banks_mask; > unsigned long entry_num = 0; > + void *public_keys = NULL; > int c; > > struct template_entry entry = { .template = NULL }; 
> @@ -2252,9 +2255,9 @@ static int ima_measurement(const char *file) > } > > if (imaevm_params.keyfile) /* Support multiple public keys */ > - init_public_keys(imaevm_params.keyfile); > + init_public_keys2(imaevm_params.keyfile, &public_keys); > else /* assume read pubkey from x509 cert */ > - init_public_keys("/etc/keys/x509_evm.der"); > + init_public_keys2("/etc/keys/x509_evm.der", &public_keys); > if (errno) Hm, a failing malloc() sets errno, so this would be ok. I would change this to check for return value != 0 from init_public_keys2(). > log_errno_reset(LOG_DEBUG, > "Failure in initializing public keys"); > @@ -2405,7 +2408,7 @@ static int ima_measurement(const char *file) > if (is_ima_template) > ima_show(&entry); > else > - ima_ng_show(&entry); > + ima_ng_show(public_keys, &entry); > > if (!tpmbanks) > continue; > @@ -2464,6 +2467,7 @@ out_free: > free(pseudo_banks); > free(pseudo_padded_banks); > free(entry.template); > + free_public_keys(public_keys); > > return err; > }
diff --git a/src/evmctl.c b/src/evmctl.c
index f796edfce5f1..ad4565b3ee52 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1614,7 +1614,7 @@ static int lookup_template_name_entry(char *template_name)
 return 0;
 }
-void ima_ng_show(struct template_entry *entry)
+static void ima_ng_show(void *public_keys, struct template_entry *entry)
 {
 uint8_t *fieldp = entry->template;
 uint32_t field_len;
@@ -1740,10 +1740,12 @@ void ima_ng_show(struct template_entry *entry)
 * the measurement list or calculate the hash.
 */
 if (verify_list_sig)
- err = ima_verify_signature(path, sig, sig_len,
- digest, digest_len);
+ err = ima_verify_signature2(public_keys, path,
+ sig, sig_len,
+ digest, digest_len);
 else
- err = ima_verify_signature(path, sig, sig_len, NULL, 0);
+ err = ima_verify_signature2(public_keys, path,
+ sig, sig_len, NULL, 0);
 if (!err && imaevm_params.verbose > LOG_INFO)
 log_info("%s: verification is OK\n", path);
@@ -2223,6 +2225,7 @@ static int ima_measurement(const char *file)
 int first_record = 1;
 unsigned int pseudo_padded_banks_mask, pseudo_banks_mask;
 unsigned long entry_num = 0;
+ void *public_keys = NULL;
 int c;
 struct template_entry entry = { .template = NULL };
@@ -2252,9 +2255,9 @@ static int ima_measurement(const char *file)
 }
 if (imaevm_params.keyfile) /* Support multiple public keys */
- init_public_keys(imaevm_params.keyfile);
+ init_public_keys2(imaevm_params.keyfile, &public_keys);
 else /* assume read pubkey from x509 cert */
- init_public_keys("/etc/keys/x509_evm.der");
+ init_public_keys2("/etc/keys/x509_evm.der", &public_keys);
 if (errno)
 log_errno_reset(LOG_DEBUG,
 "Failure in initializing public keys");
@@ -2405,7 +2408,7 @@ static int ima_measurement(const char *file)
 if (is_ima_template)
 ima_show(&entry);
 else
- ima_ng_show(&entry);
+ ima_ng_show(public_keys, &entry);
 if (!tpmbanks)
 continue;
@@ -2464,6 +2467,7 @@ out_free:
 free(pseudo_banks);
 free(pseudo_padded_banks);
 free(entry.template);
+ free_public_keys(public_keys);
 return err;
 }
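Review bot: Both `ima_verify_signature2()` calls in the hunk at -1740 can be handed a NULL `public_keys`: `ima_measurement()` initialises the pointer to NULL, and when `init_public_keys2()` fails the caller only logs at LOG_DEBUG and still goes on to call `ima_ng_show()`. How the library treats a NULL key list is not visible in this patch, so it should be confirmed that verification then fails rather than falling back to some other key set. Stating that expectation at the call site would help, e.g. `/* public_keys may be NULL if key loading failed; verification must then fail */`. The body of ima_ng_show() extends beyond the hunk on both sides.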
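Review bot: `free_public_keys(public_keys)` under `out_free:` is reached with `public_keys == NULL` whenever key loading failed, and possibly on any jump to the label taken before `init_public_keys2()` runs, so it depends on free_public_keys() accepting NULL the way the neighbouring `free()` calls do. That function is defined elsewhere in the series; if it dereferences its argument unconditionally, guard the call with `if (public_keys)`. It is also worth checking that no path in ima_measurement() returns directly after the keys are loaded without passing through this label, which cannot be verified here because the function is only partly shown.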
Replace calling init_public_keys() with the init_public_keys2() version. Similarly replace ima_verify_signature() with the ima_verify_signature2() version. Update the static ima_ng_show() function definition to include a "public_keys" parameter. Free the local public keys list. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- src/evmctl.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-)