From: Mimi Z. <zo...@li...> - 2016-12-22 01:37:17
On Tue, 2016-12-20 at 01:58 +0300, Mikhail Kurinnoi wrote:
> This patch adds verification support for immutable EVM signatures and ignores the -i
> flag during EVM signature verification.
>
> - verify_hash function (/src/libimaevm.c) parses DIGSIG_VERSION_3 in the
> same way as DIGSIG_VERSION_2, since version 3 at this stage should use the
> same code as version 2.
>
> - verify_evm function (/src/evmctl.c) takes care of the "evm_immutable"
> internal flag to be sure that the "-i" flag is ignored and the hash will be
> generated according to the file's EVM signature version. Please note, I
> don't use DIGSIG_VERSION_3 from "enum digsig_version" in this source file,
> since Dmitry Kasatkin used "3" for some reason in his
> patch (see
> https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/92033dc4042668aaec2df45aa864edc705bd607b/).
>
> - this patch fixes an issue in EVM signature verification when the flag "-i" is
> provided by mistake during EVM signature version 1 or version 2
> verification (in this case the hash will be generated for version 3
> according to the provided flags, but not according to the file's EVM signature version as
> it should be, so verification will fail for sure).

Dmitry started working on a portable EVM signature version that could be included in archives. Kernel support for the "new" format has not been upstreamed.

Mimi

>
> Signed-off-by: Mikhail Kurinnoi <vie...@vi...>
>
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -730,24 +730,29 @@ static int verify_evm(const char *file) > { > unsigned char hash[20]; > unsigned char sig[1024]; > - int len; > - > - len = calc_evm_hash(file, hash); > - if (len <= 1) > - return len; > - > - len = lgetxattr(file, "security.evm", sig, sizeof(sig)); > - if (len < 0) { > + int sig_len, hash_len; > + > + sig_len = lgetxattr(file, "security.evm", sig, sizeof(sig)); > + if (sig_len < 0) { > log_err("getxattr failed: %s\n", file); > - return len; > + return sig_len; > } > > if (sig[0] != 0x03) { > log_err("security.evm has no signature\n"); > return -1; > } > - > - return verify_hash(hash, sizeof(hash), sig + 1, len - 1); > + > + if (sig[1] == 3) > + evm_immutable = true; > + else > + evm_immutable = false; > + > + hash_len = calc_evm_hash(file, hash); > + if (hash_len <= 1) > + return hash_len; > + > + return verify_hash(hash, sizeof(hash), sig + 1, sig_len - 1); > } > > static int cmd_verify_evm(struct command *cmd) > --- a/src/imaevm.h > +++ b/src/imaevm.h > @@ -127,7 +127,8 @@ > > enum digsig_version { > DIGSIG_VERSION_1 = 1, > - DIGSIG_VERSION_2 > + DIGSIG_VERSION_2, > + DIGSIG_VERSION_3 > }; > > struct pubkey_hdr { > > --- a/src/libimaevm.c > +++ b/src/libimaevm.c 
> @@ -502,7 +502,7 @@ int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen) > verify_hash = verify_hash_v1; > /* Read pubkey from RSA key */ > x509 = 0; > - } else if (sig[0] == DIGSIG_VERSION_2) { > + } else if ((sig[0] == DIGSIG_VERSION_2) || (sig[0] == DIGSIG_VERSION_3)) { > verify_hash = verify_hash_v2; > /* Read pubkey from x509 cert */ > x509 = 1; > > ------------------------------------------------------------------------------ > Developer Access Program for Intel Xeon Phi Processors > Access to Intel Xeon Phi processor-based developer platforms. > With one year of Intel Parallel Studio XE. > Training and support from Colfax. > Order your platform today.http://sdm.link/intel > _______________________________________________ > Linux-ima-user mailing list > Lin...@li... > https://lists.sourceforge.net/lists/listinfo/linux-ima-user > |
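Review bot: In the verify_evm hunk (evmctl.c), `sig[1]` is read before the code has established that at least two bytes came back from `lgetxattr()`; the only length check is `sig_len < 0`, so a one-byte `security.evm` value (just the 0x03 type byte) makes `sig[1] == 3` consult an uninitialised byte of the stack buffer and may silently switch `evm_immutable` on or off. Add `if (sig_len < 2) { log_err(...); return -1; }` next to the existing `sig[0] != 0x03` test, and since the same series adds `DIGSIG_VERSION_3` to `enum digsig_version`, prefer `sig[1] == DIGSIG_VERSION_3` over the literal `3` so the two files cannot drift apart.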
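Review bot: The imaevm.h hunk adds `DIGSIG_VERSION_3` to the enum without a comment saying what the new value means, while the commit message explains it marks the immutable/portable EVM signature whose hash is computed differently from v1/v2. A one-line comment on the enumerator (for example `DIGSIG_VERSION_3 /* immutable EVM signature */`) would record that, and it is the value that verify_evm should be comparing against instead of a bare `3`.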
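Review bot: In the libimaevm.c hunk, folding `DIGSIG_VERSION_3` into the `DIGSIG_VERSION_2` branch means the library verifies a v3 signature with `verify_hash_v2` and gives no hint that the difference between the two versions lives entirely in how the caller computed `hash`. A short comment on the new condition, such as `/* v3 shares the v2 signature format; only the hashed contents differ */`, would keep a future reader from assuming the version byte is unused, and it would be worth stating in the commit message what `verify_hash()` does with a version byte that matches none of the three cases, since that path is outside the hunk.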
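The behaviour the patch introduces, deriving the hash mode from the version byte recorded in the file's own security.evm value rather than from the user's -i flag, is shown below as a small added example. This is not code from ima-evm-utils or from the patch; it assumes only what the thread states (the value starts with a 0x03 signature type byte, followed by a version byte of 1, 2 or 3), and it adds the length check that the hunk omits. The helper names and the sample blobs are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Layout taken from the patch discussion: security.evm starts with 0x03 for
 * a digital signature, and the next byte is the signature format version
 * (1, 2, or 3 for the immutable/portable variant). */
#define EVM_XATTR_DIGSIG 0x03
#define DIGSIG_V1 1
#define DIGSIG_V2 2
#define DIGSIG_V3 3

/* Return the signature version recorded in a security.evm blob, or -1 when
 * the blob is not a signature, carries an unknown version, or is too short
 * to hold a version byte at all. The length check is the guard the patch
 * lacks: xattr[1] must not be read when only one byte was returned. */
int evm_sig_version(const unsigned char *xattr, size_t len)
{
    if (len < 2)
        return -1;
    if (xattr[0] != EVM_XATTR_DIGSIG)
        return -1;
    switch (xattr[1]) {
    case DIGSIG_V1:
    case DIGSIG_V2:
    case DIGSIG_V3:
        return xattr[1];
    default:
        return -1;
    }
}

/* Decide whether the EVM hash must be computed the "immutable" way. The
 * answer comes from the version stored in the file's signature; the
 * user-supplied -i flag is deliberately ignored, which is the behaviour the
 * patch describes. Returns 1 (immutable), 0 (not), or -1 on an unusable blob. */
int evm_hash_is_immutable(const unsigned char *xattr, size_t len, bool user_i_flag)
{
    int version = evm_sig_version(xattr, len);

    (void)user_i_flag; /* ignored on purpose: the file, not the CLI, decides */
    if (version < 0)
        return -1;
    return version == DIGSIG_V3 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample blobs: type byte, version byte, then a placeholder
     * signature body (not real signature data). */
    const unsigned char v2_blob[] = { 0x03, 0x02, 0xAA, 0xBB };
    const unsigned char v3_blob[] = { 0x03, 0x03, 0xAA, 0xBB };
    const unsigned char short_blob[] = { 0x03 };
    const unsigned char other_blob[] = { 0x01, 0x03 }; /* not a signature type */

    printf("v2 signature, -i given:  immutable=%d\n",
           evm_hash_is_immutable(v2_blob, sizeof v2_blob, true));
    printf("v3 signature, no -i:     immutable=%d\n",
           evm_hash_is_immutable(v3_blob, sizeof v3_blob, false));
    printf("one-byte blob:           immutable=%d\n",
           evm_hash_is_immutable(short_blob, sizeof short_blob, false));
    printf("non-signature blob:      immutable=%d\n",
           evm_hash_is_immutable(other_blob, sizeof other_blob, false));
    return 0;
}
```

The first two calls show the point of the patch: a v2 signature stays in v2 mode even when -i was passed, and a v3 signature is verified in immutable mode without it. The last two show why the length and type checks belong before the version byte is touched.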