From patchwork Mon Aug 9 15:10:23 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 12426783 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 38973C4320A for ; Mon, 9 Aug 2021 15:10:38 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0EA3860F8F for ; Mon, 9 Aug 2021 15:10:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235293AbhHIPK6 (ORCPT ); Mon, 9 Aug 2021 11:10:58 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:5522 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S235200AbhHIPK5 (ORCPT ); Mon, 9 Aug 2021 11:10:57 -0400 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 179F4bVS083393 for ; Mon, 9 Aug 2021 11:10:36 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=3s/Cuvk8uFIzO4GGeYBnXau1uPAT/SpUS2j5rArZATo=; b=dXdnrKhRjjpLi8uy63V5bt7+y17VcCyDFtJy9DNrIxWy60iL6u49/4bEWwiqumW0E70y S1vaUnPyK/BsKNZp6oTnDeHcGAuW47T/AfOgr8fdwWy0VPYrC4fy/Bp/kHbmuei/bAOM WPkk4ECDXNHVyDoDOzqEkEMTEhKW0NBbiQfGZgWyGJKNa0En5YSPCvWub7kOoRhjgNM8 0cGzN8pxiXa0R23/PUZMou1djKd0kUXYRkuW6DzE5T47Zt6PI8UeWDJcL8j5RiEWKNxa mTYEbE4Bp6TuiJZY61HCiqHCLjkSjIrNc17NJDQmrmBC4EZ70/xMrP0OBh72suErc1nE hQ== Received: from ppma03wdc.us.ibm.com (ba.79.3fa9.ip4.static.sl-reverse.com [169.63.121.186]) by mx0b-001b2d01.pphosted.com with ESMTP id 3aax4072cw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 09 Aug 2021 11:10:34 -0400 Received: from pps.filterd (ppma03wdc.us.ibm.com [127.0.0.1]) by ppma03wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 179F3f6e029625 for ; Mon, 9 Aug 2021 15:10:30 GMT Received: from b01cxnp22036.gho.pok.ibm.com (b01cxnp22036.gho.pok.ibm.com [9.57.198.26]) by ppma03wdc.us.ibm.com with ESMTP id 3a9htauwsb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 09 Aug 2021 15:10:30 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22036.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 179FATaQ9372104 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 9 Aug 2021 15:10:29 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5B3367E2EE; Mon, 9 Aug 2021 15:10:29 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 4C7ED7E2ED; Mon, 9 Aug 2021 15:10:29 +0000 (GMT) Received: from sbct-2.. (unknown [9.47.158.152]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Mon, 9 Aug 2021 15:10:29 +0000 (GMT) From: Stefan Berger To: linux-integrity@vger.kernel.org Cc: zohar@linux.ibm.com, Stefan Berger Subject: [PATCH 1/4] evmctl: Implement support for EVMCTL_KEY_PASSWORD environment variable Date: Mon, 9 Aug 2021 11:10:23 -0400 Message-Id: <20210809151026.195038-2-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210809151026.195038-1-stefanb@linux.vnet.ibm.com> References: <20210809151026.195038-1-stefanb@linux.vnet.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: reqOZOtPpA2cJSyuwncaBFoe2SOijuL0 X-Proofpoint-GUID: reqOZOtPpA2cJSyuwncaBFoe2SOijuL0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.790 definitions=2021-08-09_05:2021-08-06,2021-08-09 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 lowpriorityscore=0 suspectscore=0 priorityscore=1501 spamscore=0 impostorscore=0 clxscore=1015 mlxlogscore=999 malwarescore=0 mlxscore=0 adultscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108090111 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org From: Stefan Berger If the user did not use the --pass option to provide a key password, get the key password from the EVMCTL_KEY_PASSWORD environment variable. Signed-off-by: Stefan Berger --- README | 4 ++++ src/evmctl.c | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/README b/README index 87cd3b5..1cc027f 100644 --- a/README +++ b/README @@ -70,6 +70,10 @@ OPTIONS -v increase verbosity level -h, --help display this help and exit +Environment variables: + +EVMCTL_KEY_PASSWORD : Private key password to use; do not use --pass option + INTRODUCTION ------------ diff --git a/src/evmctl.c b/src/evmctl.c index a8065bb..58f8e66 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -2530,6 +2530,9 @@ static void usage(void) " --ignore-violations ignore ToMToU measurement violations\n" " -v increase verbosity level\n" " -h, --help display this help and exit\n" + "\n" + "Environment variables:\n\n" + "EVMCTL_KEY_PASSWORD : Private key password to use; do not use --pass option\n" "\n"); } @@ -2813,6 +2816,9 @@ int main(int argc, char *argv[]) } } + if (!imaevm_params.keypass) + imaevm_params.keypass = getenv("EVMCTL_KEY_PASSWORD"); + if (argv[optind] == NULL) usage(); else From patchwork Mon Aug 9 15:10:24 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 12426789 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 44D7CC4338F for ; Mon, 9 Aug 2021 15:11:11 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 288C860F11 for ; Mon, 9 Aug 2021 15:11:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235266AbhHIPLa (ORCPT ); Mon, 9 Aug 2021 11:11:30 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:42422 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235207AbhHIPL3 (ORCPT ); Mon, 9 Aug 2021 11:11:29 -0400 Received: from pps.filterd (m0098404.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 179F9B0V047274 for ; Mon, 9 Aug 2021 11:11:08 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=j++DwHVLBiWqes97vfA4qHfxgMDrtX3i+uTU7uTN02M=; b=azA9g3WYPgyyE91xhmqTZ8somlik0hkQks2R2N4G66FYvJlCF/TOHLZOrtvxvcu+gCyy Ny1Wqa2mINhM68A+IBMbu8JneB0Q/Qt/OzBXogeweRugzHcT7bpi0efhRUqCcNkPu9Lb WcLAr9uPquJEIxCXIa+ulrJkFtAG/jBytC5wrDnY7buE7HwRKWAZLr6MnGibxcroWQ2d N8Aeucp8zvmr1ARETIQbHXGbDpdAxPHNjsMtWQpPOj3JBnudjilwM0x+QYjXPLfGowhm AhK2JJanXcrnXsb0oLxbTYOxuOs8ZMS/gmB5qDm70iBx/ZBtBRF10G2PvKGgh04GwJNS wA== Received: from ppma04wdc.us.ibm.com (1a.90.2fa9.ip4.static.sl-reverse.com [169.47.144.26]) by mx0a-001b2d01.pphosted.com with ESMTP id 3ab6rjg3gj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 09 Aug 2021 11:11:04 -0400 Received: from pps.filterd (ppma04wdc.us.ibm.com [127.0.0.1]) by ppma04wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 179F3FAo014173 for ; Mon, 9 Aug 2021 15:10:30 GMT Received: from b01cxnp22036.gho.pok.ibm.com (b01cxnp22036.gho.pok.ibm.com [9.57.198.26]) by ppma04wdc.us.ibm.com with ESMTP id 3a9htauwxd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 09 Aug 2021 15:10:30 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22036.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 179FATZI10421050 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 9 Aug 2021 15:10:29 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 789077E2C9; Mon, 9 Aug 2021 15:10:29 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 673127E2FB; Mon, 9 Aug 2021 15:10:29 +0000 (GMT) Received: from sbct-2.. (unknown [9.47.158.152]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Mon, 9 Aug 2021 15:10:29 +0000 (GMT) From: Stefan Berger To: linux-integrity@vger.kernel.org Cc: zohar@linux.ibm.com, Stefan Berger Subject: [PATCH 2/4] libimaevm: Add support for pkcs11 private keys for signing a v2 hash Date: Mon, 9 Aug 2021 11:10:24 -0400 Message-Id: <20210809151026.195038-3-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210809151026.195038-1-stefanb@linux.vnet.ibm.com> References: <20210809151026.195038-1-stefanb@linux.vnet.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: bWaOG_RGV0nZtVFOiOLQTBH4QTJGBQ4U X-Proofpoint-ORIG-GUID: bWaOG_RGV0nZtVFOiOLQTBH4QTJGBQ4U X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.790 definitions=2021-08-09_05:2021-08-06,2021-08-09 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 impostorscore=0 adultscore=0 mlxlogscore=999 clxscore=1015 mlxscore=0 malwarescore=0 bulkscore=0 spamscore=0 suspectscore=0 priorityscore=1501 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108090111 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org From: Stefan Berger Add support for pkcs11 private keys for signing a v2 hash. Signed-off-by: Stefan Berger --- README | 1 + src/evmctl.c | 1 + src/libimaevm.c | 59 ++++++++++++++++++++++++++++++++++++++++--------- 3 files changed, 50 insertions(+), 11 deletions(-) diff --git a/README b/README index 1cc027f..2bb363c 100644 --- a/README +++ b/README @@ -48,6 +48,7 @@ OPTIONS --xattr-user store xattrs in user namespace (for testing purposes) --rsa use RSA key type and signing scheme v1 -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem) + or a pkcs11 URI --keyid n overwrite signature keyid with a 32-bit value in hex (for signing) --keyid-from-cert file read keyid value from SKID of a x509 cert file diff --git a/src/evmctl.c b/src/evmctl.c index 58f8e66..2e85f8b 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -2503,6 +2503,7 @@ static void usage(void) " --xattr-user store xattrs in user namespace (for testing purposes)\n" " --rsa use RSA key type and signing scheme v1\n" " -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)\n" + " or a pkcs11 URI\n" " --keyid n overwrite signature keyid with a 32-bit value in hex (for signing)\n" " --keyid-from-cert file\n" " read keyid value from SKID of a x509 cert file\n" diff --git a/src/libimaevm.c b/src/libimaevm.c index 8e96157..b84e5b8 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -60,6 +60,7 @@ #include #include #include +#include #include "imaevm.h" #include "hash_info.h" @@ -803,21 +804,57 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass) { FILE *fp; EVP_PKEY *pkey; + ENGINE *e; - fp = fopen(keyfile, "r"); - if (!fp) { - log_err("Failed to open keyfile: %s\n", keyfile); - return NULL; - } - pkey = PEM_read_PrivateKey(fp, NULL, NULL, (void *)keypass); - if (!pkey) { - log_err("Failed to PEM_read_PrivateKey key file: %s\n", - keyfile); - output_openssl_errors(); + if (!strncmp(keyfile, "pkcs11:", 7)) { + if (!imaevm_params.keyid) { + log_err("When using a pkcs11 URI you must provide the keyid with an option\n"); + return NULL; + } + + ENGINE_load_builtin_engines(); + e = ENGINE_by_id("pkcs11"); + if (!e) { + log_err("Failed to load pkcs11 engine\n"); + goto err_pkcs11; + } + if (!ENGINE_init(e)) { + log_err("Failed to initialize the pkcs11 engine\n"); + goto err_pkcs11; + } + if (keypass) { + if (!ENGINE_ctrl_cmd_string(e, "PIN", keypass, 0)) { + log_err("Failed to set the PIN for the private key\n"); + goto err_pkcs11; + } + } + pkey = ENGINE_load_private_key(e, keyfile, NULL, NULL); + if (!pkey) { + log_err("Failed to load private key %s\n", keyfile); + goto err_pkcs11; + } + } else { + fp = fopen(keyfile, "r"); + if (!fp) { + log_err("Failed to open keyfile: %s\n", keyfile); + return NULL; + } + pkey = PEM_read_PrivateKey(fp, NULL, NULL, (void *)keypass); + if (!pkey) { + log_err("Failed to PEM_read_PrivateKey key file: %s\n", + keyfile); + output_openssl_errors(); + } + + fclose(fp); } - fclose(fp); return pkey; + +err_pkcs11: + ENGINE_free(e); + output_openssl_errors(); + return NULL; } static RSA *read_priv_key(const char *keyfile, const char *keypass) From patchwork Mon Aug 9 15:10:25 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 12426781 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-21.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3DF5DC4338F for ; Mon, 9 Aug 2021 15:10:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1769260F8F for ; Mon, 9 Aug 2021 15:10:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235409AbhHIPK4 (ORCPT ); Mon, 9 Aug 2021 11:10:56 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:54778 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S235293AbhHIPK4 (ORCPT ); Mon, 9 Aug 2021 11:10:56 -0400 Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 179F4RaY184565 for ; Mon, 9 Aug 2021 11:10:35 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-transfer-encoding : mime-version; s=pp1; bh=L1jYtCE16MWtLK3+xEDqvbHw7OJJu+mtoxeMp+wc46c=; b=AEsn38+sO6l8uT1tcuF5Xkg8cGoKDNVZPH/dtj5vj3kNntXhj9tT3kdRMy/kfLE6DCCg 8hyqpHx8u77sbks/JleGPJibEtlLH72bABfhAtvUE1bA4Qx8UWWRhKvGWlVsJqLkKuqv Wbm0ybvVLrJZeUl6PS7dzIyNvDaWcOOQfMSwNQeVpYcLLHqEC3bct86JXpFUJKa31dMW I2HEvWSlZO4eMWcYzlxIxmVM4VVQw4gZzQl59fPsejFVqc3KwK7QB4xEty9/y8zHGz2q ajLbfny/x8sq6etc0b4/w018ecRzFMGkYEZ4tYtfQj3k61iFCvdKWny2YNkadaY6HSc9 EQ== Received: from ppma01wdc.us.ibm.com (fd.55.37a9.ip4.static.sl-reverse.com [169.55.85.253]) by mx0b-001b2d01.pphosted.com with ESMTP id 3aa7n0bctb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 09 Aug 2021 11:10:33 -0400 Received: from pps.filterd (ppma01wdc.us.ibm.com [127.0.0.1]) by ppma01wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 179F1XEa030047 for ; Mon, 9 Aug 2021 15:10:30 GMT Received: from b01cxnp22036.gho.pok.ibm.com (b01cxnp22036.gho.pok.ibm.com [9.57.198.26]) by ppma01wdc.us.ibm.com with ESMTP id 3a9htav0e5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 09 Aug 2021 15:10:30 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22036.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 179FAThr10617412 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 9 Aug 2021 15:10:29 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8E3237E2E3; Mon, 9 Aug 2021 15:10:29 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 792EF7E301; Mon, 9 Aug 2021 15:10:29 +0000 (GMT) Received: from sbct-2.. (unknown [9.47.158.152]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Mon, 9 Aug 2021 15:10:29 +0000 (GMT) From: Stefan Berger To: linux-integrity@vger.kernel.org Cc: zohar@linux.ibm.com, Stefan Berger Subject: [PATCH 3/4] tests: Extend sign_verify test with pkcs11 specific test Date: Mon, 9 Aug 2021 11:10:25 -0400 Message-Id: <20210809151026.195038-4-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210809151026.195038-1-stefanb@linux.vnet.ibm.com> References: <20210809151026.195038-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-GUID: oaT_Lr_xVGlrPk70ui0Q6iUSiFALsEIS X-Proofpoint-ORIG-GUID: oaT_Lr_xVGlrPk70ui0Q6iUSiFALsEIS X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.790 definitions=2021-08-09_05:2021-08-06,2021-08-09 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 mlxscore=0 phishscore=0 clxscore=1015 lowpriorityscore=0 bulkscore=0 malwarescore=0 spamscore=0 mlxlogscore=873 suspectscore=0 priorityscore=1501 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108090111 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org From: Stefan Berger Signed-off-by: Stefan Berger --- tests/functions.sh | 26 ++++ tests/sign_verify.test | 50 +++++-- tests/softhsm_setup | 290 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 352 insertions(+), 14 deletions(-) create mode 100755 tests/softhsm_setup diff --git a/tests/functions.sh b/tests/functions.sh index 91cd5d9..cbb7ea4 100755 --- a/tests/functions.sh +++ b/tests/functions.sh @@ -272,3 +272,29 @@ _report_exit() { fi } +_at_exit() { + _report_exit + if [ -n "${WORKDIR}" ]; then + rm -f "${WORKDIR}" + fi +} + +_softhsm_setup() { + local workdir="$1" + + local msg + + export SOFTHSM_SETUP_CONFIGDIR="${workdir}" + export SOFTHSM2_CONF="${workdir}/softhsm2.conf" + + msg=$(./softhsm_setup setup 2>&1) + if [ $? -eq 0 ]; then + echo "softhsm_setup setup succeeded: $msg" + PKCS11_KEYURI=$(echo $msg | sed -n 's|^keyuri: \(.*\)|\1|p') + + export OPENSSL_ENGINE="-engine pkcs11" + export OPENSSL_KEYFORM="-keyform engine" + else + echo "softhsm_setup setup failed: ${msg}" + fi +} diff --git a/tests/sign_verify.test b/tests/sign_verify.test index 3b42eec..369765e 100755 --- a/tests/sign_verify.test +++ b/tests/sign_verify.test @@ -28,7 +28,8 @@ fi ./gen-keys.sh >/dev/null 2>&1 -trap _report_exit EXIT +trap _at_exit EXIT +WORKDIR=$(mktemp -d) set -f # disable globbing # Determine keyid from a cert @@ -132,11 +133,16 @@ check_sign() { # OPTS (additional options for evmctl), # FILE (working file to sign). local "$@" - local KEY=${KEY%.*}.key + local key verifykey local FILE=${FILE:-$ALG.txt} - # Normalize key filename - KEY=test-${KEY#test-} + # Normalize key filename if it's not a pkcs11 URI + if [ ${KEY:0:7} != pkcs11: ]; then + key=${KEY%.*}.key + key=test-${key#test-} + else + key=${KEY} + fi # Append suffix to files for negative tests, because we may # leave only good files for verify tests. @@ -152,33 +158,33 @@ check_sign() { if _test_expected_to_pass; then # Can openssl work with this digest? - cmd="openssl dgst $OPENSSL_ENGINE -$ALG $FILE" + cmd="openssl dgst $OPENSSL_ENGINE $OPENSSL_KEYFORM -$ALG $FILE" echo - "$cmd" if ! $cmd >/dev/null; then - echo "${CYAN}$ALG ($KEY) test is skipped (openssl is unable to digest)$NORM" + echo "${CYAN}$ALG ($key) test is skipped (openssl is unable to digest)$NORM" return "$SKIP" fi - if [ ! -e "$KEY" ]; then - echo "${CYAN}$ALG ($KEY) test is skipped (key file not found)$NORM" + if [ "${key:0:7}" != pkcs11: ] && [ ! -e "$key" ]; then + echo "${CYAN}$ALG ($key) test is skipped (key file not found)$NORM" return "$SKIP" fi # Can openssl sign with this digest and key? - cmd="openssl dgst $OPENSSL_ENGINE -$ALG -sign $KEY -hex $FILE" + cmd="openssl dgst $OPENSSL_ENGINE $OPENSSL_KEYFORM -$ALG -sign $key -hex $FILE" echo - "$cmd" if ! $cmd >/dev/null; then - echo "${CYAN}$ALG ($KEY) test is skipped (openssl is unable to sign)$NORM" + echo "${CYAN}$ALG ($key) test is skipped (openssl is unable to sign)$NORM" return "$SKIP" fi fi # Insert keyid from cert into PREFIX in-place of marker `:K:' if [[ $PREFIX =~ :K: ]]; then - keyid=$(_keyid_from_cert "$KEY") + keyid=$(_keyid_from_cert "$key") if [ $? -ne 0 ]; then color_red - echo "Unable to determine keyid for $KEY" + echo "Unable to determine keyid for $key" color_restore return "$HARDFAIL" fi @@ -187,7 +193,7 @@ check_sign() { fi # Perform signing by evmctl - _evmctl_sign "$TYPE" "$KEY" "$ALG" "$FILE" "$OPTS" || return + _evmctl_sign "$TYPE" "$key" "$ALG" "$FILE" "$OPTS" || return # First simple pattern match the signature. ADD_TEXT_FOR=$ALG \ @@ -207,7 +213,13 @@ check_sign() { _extract_xattr "$FILE" "$(_xattr "$TYPE")" "$FILE.sig2" "$PREFIX" # Verify extracted signature with openssl - cmd="openssl dgst $OPENSSL_ENGINE -$ALG -verify ${KEY%.*}.pub \ + if [ "${key:0:7}" != pkcs11: ]; then + verifykey=${key%.*}.pub + else + verifykey=${key} + fi + + cmd="openssl dgst $OPENSSL_ENGINE $OPENSSL_KEYFORM -$ALG -verify ${verifykey} \ -signature $FILE.sig2 $FILE" echo - "$cmd" if ! $cmd; then @@ -413,3 +425,13 @@ expect_fail \ expect_fail \ check_sign TYPE=ima KEY=gost2012_256-B ALG=md_gost12_512 PREFIX=0x0302 OPTS= +_softhsm_setup "${WORKDIR}" +if [ -n "${PKCS11_KEYURI}" ]; then + expect_pass check_sign FILE=pkcs11test TYPE=ima KEY=${PKCS11_KEYURI} ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS=--keyid=aabbccdd + expect_pass check_sign FILE=pkcs11test TYPE=ima KEY=${PKCS11_KEYURI} ALG=sha1 PREFIX=0x030202aabbccdd0100 OPTS=--keyid=aabbccdd +else + # skip these two tests + __skip() { echo "pkcs11 test is skipped: could not setup softhsm"; return $SKIP; } + expect_pass __skip + expect_pass __skip +fi diff --git a/tests/softhsm_setup b/tests/softhsm_setup new file mode 100755 index 0000000..f89a2e6 --- /dev/null +++ b/tests/softhsm_setup @@ -0,0 +1,290 @@ +#!/usr/bin/env bash + +# This program originates from 'swtpm' project (https://github.com/stefanberger/swtpm/) +# and is provided to ima-evm-utils under a dual license: +# - BSD 3-clause +# - GPL-2.0 + +# This script may not work with softhsm2 2.0.0 but with >= 2.2.0 + +if [ -z "$(type -P p11tool)" ]; then + echo "Need p11tool from gnutls" + exit 77 +fi + +if [ -z "$(type -P softhsm2-util)" ]; then + echo "Need softhsm2-util from softhsm2 package" + exit 77 +fi + +NAME=swtpm-test +PIN=${PIN:-1234} +SO_PIN=${SO_PIN:-1234} +SOFTHSM_SETUP_CONFIGDIR=${SOFTHSM_SETUP_CONFIGDIR:-~/.config/softhsm2} +export SOFTHSM2_CONF=${SOFTHSM_SETUP_CONFIGDIR}/softhsm2.conf + +UNAME_S="$(uname -s)" + +case "${UNAME_S}" in +Darwin) + msg=$(sudo -v -n) + if [ $? -ne 0 ]; then + echo "Need password-less sudo rights on OS X to change /etc/gnutls/pkcs11.conf" + exit 1 + fi + ;; +esac + +teardown_softhsm() { + local configdir=${SOFTHSM_SETUP_CONFIGDIR} + local configfile=${SOFTHSM2_CONF} + local bakconfigfile=${configfile}.bak + local tokendir=${configdir}/tokens + + softhsm2-util --token "${NAME}" --delete-token &>/dev/null + + case "${UNAME_S}" in + Darwin*) + if [ -f /etc/gnutls/pkcs11.conf.bak ]; then + sudo rm -f /etc/gnutls/pkcs11.conf + sudo mv /etc/gnutls/pkcs11.conf.bak \ + /etc/gnutls/pkcs11.conf &>/dev/null + fi + ;; + esac + + if [ -f "$bakconfigfile" ]; then + mv "$bakconfigfile" "$configfile" + else + rm -f "$configfile" + fi + if [ -d "$tokendir" ]; then + rm -rf "${tokendir}" + fi + return 0 +} + +setup_softhsm() { + local msg tokenuri keyuri + local configdir=${SOFTHSM_SETUP_CONFIGDIR} + local configfile=${SOFTHSM2_CONF} + local bakconfigfile=${configfile}.bak + local tokendir=${configdir}/tokens + local rc + + case "${UNAME_S}" in + Darwin*) + if [ -f /etc/gnutls/pkcs11.conf.bak ]; then + echo "/etc/gnutls/pkcs11.conf.bak already exists; need to 'teardown' first" + return 1 + fi + sudo mv /etc/gnutls/pkcs11.conf \ + /etc/gnutls/pkcs11.conf.bak &>/dev/null + if [ $(id -u) -eq 0 ]; then + SONAME="$(sudo -u nobody brew ls --verbose softhsm | \ + grep -E "\.so$")" + else + SONAME="$(brew ls --verbose softhsm | \ + grep -E "\.so$")" + fi + sudo mkdir -p /etc/gnutls &>/dev/null + sudo bash -c "echo "load=${SONAME}" > /etc/gnutls/pkcs11.conf" + ;; + esac + + if ! [ -d $configdir ]; then + mkdir -p $configdir + fi + mkdir -p ${tokendir} + + if [ -f $configfile ]; then + mv "$configfile" "$bakconfigfile" + fi + + if ! [ -f $configfile ]; then + cat <<_EOF_ > $configfile +directories.tokendir = ${tokendir} +objectstore.backend = file +log.level = DEBUG +slots.removable = false +_EOF_ + fi + + msg=$(p11tool --list-tokens 2>&1 | grep "token=${NAME}" | tail -n1) + if [ $? -ne 0 ]; then + echo "Could not list existing tokens" + echo "$msg" + fi + tokenuri=$(echo "$msg" | sed -n 's/.*URL: \([[:print:]*]\)/\1/p') + + if [ -z "$tokenuri" ]; then + msg=$(softhsm2-util \ + --init-token --pin ${PIN} --so-pin ${SO_PIN} \ + --free --label ${NAME} 2>&1) + if [ $? -ne 0 ]; then + echo "Could not initialize token" + echo "$msg" + return 2 + fi + + slot=$(echo "$msg" | \ + sed -n 's/.* reassigned to slot \([0-9]*\)$/\1/p') + if [ -z "$slot" ]; then + slot=$(softhsm2-util --show-slots | \ + grep -E "^Slot " | head -n1 | + sed -n 's/Slot \([0-9]*\)/\1/p') + if [ -z "$slot" ]; then + echo "Could not parse slot number from output." + echo "$msg" + return 3 + fi + fi + + msg=$(p11tool --list-tokens 2>&1 | \ + grep "token=${NAME}" | tail -n1) + if [ $? -ne 0 ]; then + echo "Could not list existing tokens" + echo "$msg" + fi + tokenuri=$(echo "$msg" | sed -n 's/.*URL: \([[:print:]*]\)/\1/p') + if [ -z "${tokenuri}" ]; then + echo "Could not get tokenuri!" + return 4 + fi + + # more recent versions of p11tool have --generate-privkey ... + msg=$(GNUTLS_PIN=$PIN p11tool \ + --generate-privkey=rsa --bits 2048 --label mykey --login \ + "${tokenuri}" 2>&1) + if [ $? -ne 0 ]; then + # ... older versions have --generate-rsa + msg=$(GNUTLS_PIN=$PIN p11tool \ + --generate-rsa --bits 2048 --label mykey --login \ + "${tokenuri}" 2>&1) + if [ $? -ne 0 ]; then + echo "Could not create RSA key!" + echo "$msg" + return 5 + fi + fi + fi + + getkeyuri_softhsm $slot + rc=$? + if [ $rc -ne 0 ]; then + teardown_softhsm + fi + + return $rc +} + +_getkeyuri_softhsm() { + local msg tokenuri keyuri + + msg=$(p11tool --list-tokens 2>&1 | grep "token=${NAME}") + if [ $? -ne 0 ]; then + echo "Could not list existing tokens" + echo "$msg" + return 5 + fi + tokenuri=$(echo "$msg" | sed -n 's/.*URL: \([[:print:]*]\)/\1/p') + if [ -z "$tokenuri" ]; then + echo "Could not get token URL" + echo "$msg" + return 6 + fi + msg=$(p11tool --list-all ${tokenuri} 2>&1) + if [ $? -ne 0 ]; then + echo "Could not list object under token $tokenuri" + echo "$msg" + softhsm2-util --show-slots + return 7 + fi + + keyuri=$(echo "$msg" | sed -n 's/.*URL: \([[:print:]*]\)/\1/p') + if [ -z "$keyuri" ]; then + echo "Could not get key URL" + echo "$msg" + return 8 + fi + echo "$keyuri" + return 0 +} + +getkeyuri_softhsm() { + local keyuri rc + + keyuri=$(_getkeyuri_softhsm) + rc=$? + if [ $rc -ne 0 ]; then + return $rc + fi + echo "keyuri: $keyuri?pin-value=${PIN}" #&module-name=softhsm2" + return 0 +} + +getpubkey_softhsm() { + local keyuri rc + + keyuri=$(_getkeyuri_softhsm) + rc=$? + if [ $rc -ne 0 ]; then + return $rc + fi + GNUTLS_PIN=${PIN} p11tool --export-pubkey "${keyuri}" --login 2>/dev/null + return $? +} + +usage() { + cat <<_EOF_ +Usage: $0 [command] + +Supported commands are: + +setup : Setup the user's account for softhsm and create a + token and key with a test configuration + +getkeyuri : Get the key's URI; may only be called after setup + +getpubkey : Get the public key in PEM format; may only be called after setup + +teardown : Remove the temporary softhsm test configuration + +_EOF_ +} + +main() { + local ret + + if [ $# -lt 1 ]; then + usage $0 + echo -e "Missing command.\n\n" + return 1 + fi + case "$1" in + setup) + setup_softhsm + ret=$? + ;; + getkeyuri) + getkeyuri_softhsm + ret=$? + ;; + getpubkey) + getpubkey_softhsm + ret=$? + ;; + teardown) + teardown_softhsm + ret=$? + ;; + *) + echo -e "Unsupported command: $1\n\n" + usage $0 + ret=1 + esac + return $ret +} + +main "$@" +exit $? From patchwork Mon Aug 9 15:10:26 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Berger X-Patchwork-Id: 12426787 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3F715C4338F for ; Mon, 9 Aug 2021 15:10:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 260C960F11 for ; Mon, 9 Aug 2021 15:10:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235334AbhHIPLC (ORCPT ); Mon, 9 Aug 2021 11:11:02 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:50254 "EHLO mx0b-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235284AbhHIPLB (ORCPT ); Mon, 9 Aug 2021 11:11:01 -0400 Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 179F2tTP168625 for ; Mon, 9 Aug 2021 11:10:40 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=G/U2VTUWRFdYulfF4SiTJa9/LeDOd+/xQxwVs//3lu4=; b=W/50qeCvcLkBiX98FIyqKosSBmFerGnuw4QHt1LX6Usgy3tIEHJ5q3GArWbX6EG4Dp7i 2N5J2XdYyNT0Ip3TGdZtQfjE8CgLcUmhPXsypab3Doy8SQRH7iU0YSHKkNIQf9STbsGg 5Izc3fqRu7wl3fn+9xHzdlieoLpT1TAzVDwxi3tA9nzVkjv1rltVVE5qixKDYje3DF2n YQk5ZxNK9toYhRPm7y0UUenbtdT5ion/LegEy4k40RbbeSjdF6k374XgSUkBNg/gXki/ 5+OcYzNK0O9gVtY9W9eFyndge0MiDVQk/a/9crvdhbODIfSMyGmrSptjXYlvuI1RbXAE Hw== Received: from ppma02dal.us.ibm.com (a.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.10]) by mx0a-001b2d01.pphosted.com with ESMTP id 3ab5k3jpec-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 09 Aug 2021 11:10:38 -0400 Received: from pps.filterd (ppma02dal.us.ibm.com [127.0.0.1]) by ppma02dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 179F2iAT029086 for ; Mon, 9 Aug 2021 15:10:36 GMT Received: from b01cxnp22036.gho.pok.ibm.com (b01cxnp22036.gho.pok.ibm.com [9.57.198.26]) by ppma02dal.us.ibm.com with ESMTP id 3a9htbtjjb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 09 Aug 2021 15:10:34 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22036.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 179FATVH11403692 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 9 Aug 2021 15:10:29 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A44E27E2E8; Mon, 9 Aug 2021 15:10:29 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 957EE7E305; Mon, 9 Aug 2021 15:10:29 +0000 (GMT) Received: from sbct-2.. (unknown [9.47.158.152]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Mon, 9 Aug 2021 15:10:29 +0000 (GMT) From: Stefan Berger To: linux-integrity@vger.kernel.org Cc: zohar@linux.ibm.com, Stefan Berger Subject: [PATCH 4/4] tests: Get the packages for pkcs11 testing on the CI/CD system Date: Mon, 9 Aug 2021 11:10:26 -0400 Message-Id: <20210809151026.195038-5-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210809151026.195038-1-stefanb@linux.vnet.ibm.com> References: <20210809151026.195038-1-stefanb@linux.vnet.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: TZEgtwkS0DxpNV7sHQg1j_sa6IleL2Yn X-Proofpoint-GUID: TZEgtwkS0DxpNV7sHQg1j_sa6IleL2Yn X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.790 definitions=2021-08-09_05:2021-08-06,2021-08-09 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 lowpriorityscore=0 clxscore=1015 suspectscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 malwarescore=0 spamscore=0 priorityscore=1501 mlxscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108090111 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org From: Stefan Berger Get the packages for pkcs11 testing on the CI/CD system. This is the status on various distros: - Alpine: could not find package with pkcs11 engine - Alt Linux: works - Debian: debian:stable: evmctl is not able to find the pkcs11 module but preceeding openssl command line tests with the pkcs11 URI succeeded; cannot recreate the issue locally in the debian:stable container --> disabled on Ubuntu and Debian - CentOS7: tests with pkcs11 URI fail on openssl command line level - CentOS: works - Fedora: works - OpenSuSE Leap: package not available in main repo - OpenSuSE Tumbleweed: works Signed-off-by: Stefan Berger --- ci/alt.sh | 3 +++ ci/fedora.sh | 8 ++++++++ ci/tumbleweed.sh | 3 +++ 3 files changed, 14 insertions(+) diff --git a/ci/alt.sh b/ci/alt.sh index 884c995..65389be 100755 --- a/ci/alt.sh +++ b/ci/alt.sh @@ -12,12 +12,15 @@ apt-get install -y \ asciidoc \ attr \ docbook-style-xsl \ + gnutls-utils \ libattr-devel \ libkeyutils-devel \ + libp11 \ libssl-devel \ openssl \ openssl-gost-engine \ rpm-build \ + softhsm \ wget \ xsltproc \ xxd \ diff --git a/ci/fedora.sh b/ci/fedora.sh index 2d80915..0993607 100755 --- a/ci/fedora.sh +++ b/ci/fedora.sh @@ -25,6 +25,7 @@ yum -y install \ automake \ diffutils \ docbook-xsl \ + gnutls-utils \ gzip \ keyutils-libs-devel \ libattr-devel \ @@ -33,6 +34,7 @@ yum -y install \ make \ openssl \ openssl-devel \ + openssl-pkcs11 \ pkg-config \ procps \ sudo \ @@ -42,3 +44,9 @@ yum -y install \ yum -y install docbook5-style-xsl || true yum -y install swtpm || true + +# SoftHSM is available via EPEL on CentOS +if [ -f /etc/centos-release ]; then + yum -y install epel-release +fi +yum -y install softhsm || true \ No newline at end of file diff --git a/ci/tumbleweed.sh b/ci/tumbleweed.sh index dfc478b..4e3da0c 100755 --- a/ci/tumbleweed.sh +++ b/ci/tumbleweed.sh @@ -42,6 +42,9 @@ zypper --non-interactive install --force-resolution --no-recommends \ which \ xsltproc +zypper --non-interactive install --force-resolution --no-recommends \ + gnutls openssl-engine-libp11 softhsm || true + if [ -f /usr/lib/ibmtss/tpm_server -a ! -e /usr/local/bin/tpm_server ]; then ln -s /usr/lib/ibmtss/tpm_server /usr/local/bin fi