* [PATCH v3 ima-evm-utils 0/7] Deprecate sign_hash and add provider support
@ 2024-02-26 18:20 Stefan Berger
2024-02-26 18:20 ` [PATCH v3 ima-evm-utils 1/7] tests: Skip pkcs11 test if no engine support in evmctl Stefan Berger
` (7 more replies)
0 siblings, 8 replies; 9+ messages in thread
From: Stefan Berger @ 2024-02-26 18:20 UTC (permalink / raw
To: linux-integrity; +Cc: zohar, roberto.sassu, vt, Stefan Berger
This series deprecates the sign_hash function and introduces
imaevm_signhash that requires the necessary parameters to be passed rather
than relying on the global imaevm_params variable. This way we can remove
the usage of imaevm_params for the OpenSSL engine and the keyid.
Add support for an OpenSSL provider. The choice of engine versus provider
is implemented using a struct imaevm_ossl_access that wraps the engine or
provider parameters. It also provides a type field where the user can
choose one or the other. imaevm_signhash takes this structure as an optional
parameter to support engines and providers.
Also extend existing test cases with tests with a pkcs11 provider.
Regards,
Stefan
v3:
- Added patch checking for engine support in evmctl before trying to run
pkcs11 test (1/7)
- Updated README with new --provider option (5/7)
- Added 2 more skip's to pkcs11 test in case neither engine nor provider
are supported (6/7)
v2:
- Fixed some minor issues
Stefan Berger (7):
tests: Skip pkcs11 test if no engine support in evmctl
headers: Remove usage of CONFIG_IMA_EVM_ENGINE from public header
Pass ENGINE and keyid through to function using them
evmctl: Replace deprecated sign_hash with imaevm_signhash
Add support for OpenSSL provider to the library and evmctl
tests: Add pkcs11 test using provider
ci: Install pkcs11-provider where available
README | 5 +-
ci/alt.sh | 2 +
ci/debian.sh | 1 +
ci/fedora.sh | 1 +
ci/tumbleweed.sh | 2 +
configure.ac | 6 ++
src/Makefile.am | 21 +++-
src/evmctl.c | 124 +++++++++++++++++------
src/imaevm.h | 39 +++++++-
src/libimaevm.c | 217 ++++++++++++++++++++++++++++++++++-------
tests/functions.sh | 1 -
tests/sign_verify.test | 30 +++++-
12 files changed, 368 insertions(+), 81 deletions(-)
--
2.43.2
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v3 ima-evm-utils 1/7] tests: Skip pkcs11 test if no engine support in evmctl
2024-02-26 18:20 [PATCH v3 ima-evm-utils 0/7] Deprecate sign_hash and add provider support Stefan Berger
@ 2024-02-26 18:20 ` Stefan Berger
2024-02-26 18:20 ` [PATCH v3 ima-evm-utils 2/7] headers: Remove usage of CONFIG_IMA_EVM_ENGINE from public header Stefan Berger
` (6 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Stefan Berger @ 2024-02-26 18:20 UTC (permalink / raw
To: linux-integrity; +Cc: zohar, roberto.sassu, vt, Stefan Berger
Check the evmctl help screen for engine support and skip the pkcs11
test if no engine support is compiled into evmctl.
Fixes: c1635add22af ("Disable use of OpenSSL "engine" support")
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
tests/sign_verify.test | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index 1b6cf2a..16c7ada 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@@ -439,8 +439,14 @@ expect_fail \
# Test signing with key described by pkcs11 URI
_softhsm_setup "${WORKDIR}"
if [ -n "${PKCS11_KEYURI}" ]; then
- expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS=--keyid=aabbccdd
- expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha1 PREFIX=0x030202aabbccdd0100 OPTS=--keyid=aabbccdd
+ if evmctl --help 2>/dev/null | grep -q engine; then
+ expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS="--keyid=aabbccdd --engine pkcs11"
+ expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha1 PREFIX=0x030202aabbccdd0100 OPTS="--keyid=aabbccdd --engine pkcs11"
+ else
+ __skip() { echo "pkcs11 test with engine is skipped since there is no engine support"; return "$SKIP"; }
+ expect_pass __skip
+ expect_pass __skip
+ fi
else
# to have a constant number of tests, skip these two tests
__skip() { echo "pkcs11 test is skipped: could not setup softhsm"; return $SKIP; }
--
2.43.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v3 ima-evm-utils 2/7] headers: Remove usage of CONFIG_IMA_EVM_ENGINE from public header
2024-02-26 18:20 [PATCH v3 ima-evm-utils 0/7] Deprecate sign_hash and add provider support Stefan Berger
2024-02-26 18:20 ` [PATCH v3 ima-evm-utils 1/7] tests: Skip pkcs11 test if no engine support in evmctl Stefan Berger
@ 2024-02-26 18:20 ` Stefan Berger
2024-02-26 18:20 ` [PATCH v3 ima-evm-utils 3/7] Pass ENGINE and keyid through to function using them Stefan Berger
` (5 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Stefan Berger @ 2024-02-26 18:20 UTC (permalink / raw
To: linux-integrity; +Cc: zohar, roberto.sassu, vt, Stefan Berger
An application including the public header imaevm.h won't know whether
CONFIG_IMA_EVM_ENGINE was set during compilation of the library, so
remove the usage of CONFIG_IMA_EVM_ENGINE from it.
An application wanting to use the engine will have to find out whether
engine support is compiled-in by invoking library functions and possibly
dealing with errors if there's no engine support .
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/imaevm.h | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/src/imaevm.h b/src/imaevm.h
index 8e24f08..6a52afb 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -48,12 +48,10 @@
#include <errno.h>
#include <sys/types.h>
#include <openssl/rsa.h>
-#ifdef CONFIG_IMA_EVM_ENGINE
-#include <openssl/engine.h>
-#endif
+#include <openssl/opensslconf.h>
-#if defined(OPENSSL_NO_ENGINE) || defined(OPENSSL_NO_DYNAMIC_ENGINE)
-#undef CONFIG_IMA_EVM_ENGINE
+#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
+#include <openssl/engine.h>
#endif
#ifdef USE_FPRINTF
--
2.43.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v3 ima-evm-utils 3/7] Pass ENGINE and keyid through to function using them
2024-02-26 18:20 [PATCH v3 ima-evm-utils 0/7] Deprecate sign_hash and add provider support Stefan Berger
2024-02-26 18:20 ` [PATCH v3 ima-evm-utils 1/7] tests: Skip pkcs11 test if no engine support in evmctl Stefan Berger
2024-02-26 18:20 ` [PATCH v3 ima-evm-utils 2/7] headers: Remove usage of CONFIG_IMA_EVM_ENGINE from public header Stefan Berger
@ 2024-02-26 18:20 ` Stefan Berger
2024-02-26 18:20 ` [PATCH v3 ima-evm-utils 4/7] evmctl: Replace deprecated sign_hash with imaevm_signhash Stefan Berger
` (4 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Stefan Berger @ 2024-02-26 18:20 UTC (permalink / raw
To: linux-integrity; +Cc: zohar, roberto.sassu, vt, Stefan Berger
Instead of relying on imaevm_params.engine and imaevm_params.keyid global
variables, which are not concurrency-safe, define a new library function
imaevm_signhash() function with the engine and keyid as parameters.
Pass the ENGINE and keyid all the way through to the function that is
using them and deprecate sign_hash since it needs to pass these parameters
from the global imaevm_params.
In preparation of support for OpenSSL providers, wrap the ENGINE in a
union inside a struct imaevm_ossl_access and add a type for the selection
of the ENGINE or provider later on.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/imaevm.h | 26 ++++++++-
src/libimaevm.c | 144 ++++++++++++++++++++++++++++++++++++------------
2 files changed, 134 insertions(+), 36 deletions(-)
diff --git a/src/imaevm.h b/src/imaevm.h
index 6a52afb..6764604 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -51,7 +51,10 @@
#include <openssl/opensslconf.h>
#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
-#include <openssl/engine.h>
+# include <openssl/engine.h>
+#else
+struct engine_st;
+typedef struct engine_st ENGINE; /* unused when no engine support */
#endif
#ifdef USE_FPRINTF
@@ -250,7 +253,9 @@ void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey);
int key2bin(RSA *key, unsigned char *pub);
uint32_t imaevm_read_keyid(const char *certfile);
-int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig);
+IMAEVM_DEPRECATED int sign_hash(const char *algo, const unsigned char *hash,
+ int size, const char *keyfile, const char *keypass,
+ unsigned char *sig);
IMAEVM_DEPRECATED int ima_calc_hash(const char *file, uint8_t *hash);
IMAEVM_DEPRECATED int verify_hash(const char *file, const unsigned char *hash,
int size, unsigned char *sig, int siglen);
@@ -259,7 +264,24 @@ IMAEVM_DEPRECATED int ima_verify_signature(const char *file, unsigned char *sig,
int digestlen);
IMAEVM_DEPRECATED void init_public_keys(const char *keyfiles);
+struct imaevm_ossl_access {
+ int type;
+#define IMAEVM_OSSL_ACCESS_TYPE_NONE 0
+#define IMAEVM_OSSL_ACCESS_TYPE_ENGINE 1 /* also: engine field exists */
+ union {
+ ENGINE *engine;
+ } u;
+};
+
+#define IMAEVM_SIGFLAG_SIGNATURE_V1 (1 << 0) /* v1 signature; deprecated */
+#define IMAEVM_SIGFLAGS_SUPPORT (1 << 0) /* mask of all supported flags */
+
int ima_calc_hash2(const char *file, const char *hash_algo, uint8_t *hash);
+int imaevm_signhash(const char *hashalgo, const unsigned char *hash, int size,
+ const char *keyfile, const char *keypass,
+ unsigned char *sig, long sigflags,
+ const struct imaevm_ossl_access *access_info,
+ uint32_t keyid);
int imaevm_verify_hash(struct public_key_entry *public_keys, const char *file,
const char *hash_algo, const unsigned char *hash,
int size, unsigned char *sig, int siglen);
diff --git a/src/libimaevm.c b/src/libimaevm.c
index ce4f6f7..91af613 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -1031,33 +1031,53 @@ uint32_t imaevm_read_keyid(const char *certfile)
return ntohl(keyid_be);
}
-static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
+static EVP_PKEY *read_priv_pkey_engine(ENGINE *e, const char *keyfile,
+ const char *keypass, uint32_t keyid)
{
- FILE *fp;
- EVP_PKEY *pkey = NULL;
-
- if (!strncmp(keyfile, "pkcs11:", 7)) {
#ifdef CONFIG_IMA_EVM_ENGINE
- if (!imaevm_params.keyid) {
- log_err("When using a pkcs11 URI you must provide the keyid with an option\n");
- return NULL;
- }
+ EVP_PKEY *pkey;
- if (keypass) {
- if (!ENGINE_ctrl_cmd_string(imaevm_params.eng, "PIN", keypass, 0)) {
- log_err("Failed to set the PIN for the private key\n");
- goto err_engine;
- }
- }
- pkey = ENGINE_load_private_key(imaevm_params.eng, keyfile, NULL, NULL);
- if (!pkey) {
- log_err("Failed to load private key %s\n", keyfile);
+ if (!keyid) {
+ log_err("When using a pkcs11 URI you must provide the keyid with an option\n");
+ return NULL;
+ }
+
+ if (keypass) {
+ if (!ENGINE_ctrl_cmd_string(e, "PIN", keypass, 0)) {
+ log_err("Failed to set the PIN for the private key\n");
goto err_engine;
}
-#else
- log_err("OpenSSL \"engine\" support is disabled\n");
+ }
+ pkey = ENGINE_load_private_key(e, keyfile, NULL, NULL);
+ if (!pkey) {
+ log_err("Failed to load private key %s\n", keyfile);
goto err_engine;
+ }
+ return pkey;
+
+err_engine:
+ output_openssl_errors();
+ return NULL;
+#else
+ log_err("OpenSSL \"engine\" support is disabled\n");
+ return NULL;
#endif
+}
+
+static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass,
+ const struct imaevm_ossl_access *access_info,
+ uint32_t keyid)
+{
+ FILE *fp;
+ EVP_PKEY *pkey = NULL;
+
+ if (!strncmp(keyfile, "pkcs11:", 7)) {
+ switch (access_info->type) {
+ case IMAEVM_OSSL_ACCESS_TYPE_ENGINE:
+ pkey = read_priv_pkey_engine(access_info->u.engine,
+ keyfile, keypass, keyid);
+ break;
+ }
} else {
fp = fopen(keyfile, "r");
if (!fp) {
@@ -1076,18 +1096,17 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
return pkey;
-err_engine:
- output_openssl_errors();
- return NULL;
}
#if CONFIG_SIGV1
-static RSA *read_priv_key(const char *keyfile, const char *keypass)
+static RSA *read_priv_key(const char *keyfile, const char *keypass,
+ const struct imaevm_ossl_access *access_info,
+ uint32_t keyid)
{
EVP_PKEY *pkey;
RSA *key;
- pkey = read_priv_pkey(keyfile, keypass);
+ pkey = read_priv_pkey(keyfile, keypass, access_info, keyid);
if (!pkey)
return NULL;
key = EVP_PKEY_get1_RSA(pkey);
@@ -1113,7 +1132,9 @@ static int get_hash_algo_v1(const char *algo)
static int sign_hash_v1(const char *hashalgo, const unsigned char *hash,
int size, const char *keyfile, const char *keypass,
- unsigned char *sig)
+ unsigned char *sig,
+ const struct imaevm_ossl_access *access_info,
+ uint32_t keyid)
{
int len = -1, hashalgo_idx;
SHA_CTX ctx;
@@ -1147,7 +1168,7 @@ static int sign_hash_v1(const char *hashalgo, const unsigned char *hash,
log_info("hash(%s): ", hashalgo);
log_dump(hash, size);
- key = read_priv_key(keyfile, keypass);
+ key = read_priv_key(keyfile, keypass, access_info, keyid);
if (!key)
return -1;
@@ -1201,7 +1222,9 @@ out:
*/
static int sign_hash_v2(const char *algo, const unsigned char *hash,
int size, const char *keyfile, const char *keypass,
- unsigned char *sig)
+ unsigned char *sig,
+ const struct imaevm_ossl_access *access_info,
+ uint32_t keyid)
{
struct signature_v2_hdr *hdr;
int len = -1;
@@ -1211,7 +1234,6 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
const EVP_MD *md;
size_t sigsize;
const char *st;
- uint32_t keyid;
if (!hash) {
log_err("sign_hash_v2: hash is null\n");
@@ -1236,7 +1258,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
log_info("hash(%s): ", algo);
log_dump(hash, size);
- pkey = read_priv_pkey(keyfile, keypass);
+ pkey = read_priv_pkey(keyfile, keypass, access_info, keyid);
if (!pkey)
return -1;
@@ -1259,8 +1281,8 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
}
#endif
- if (imaevm_params.keyid)
- keyid = htonl(imaevm_params.keyid);
+ if (keyid)
+ keyid = htonl(keyid);
else {
int keyid_read_failed = read_keyid_from_cert(&keyid, keyfile, false);
@@ -1303,17 +1325,71 @@ err:
return len;
}
+static int check_ossl_access(const struct imaevm_ossl_access *access_info)
+{
+ switch (access_info->type) {
+ case IMAEVM_OSSL_ACCESS_TYPE_NONE:
+#ifdef CONFIG_IMA_EVM_ENGINE
+ case IMAEVM_OSSL_ACCESS_TYPE_ENGINE:
+#endif
+ return 0;
+
+ default:
+ errno = EINVAL;
+ return -1;
+ }
+}
+
+int imaevm_signhash(const char *hashalgo, const unsigned char *hash, int size,
+ const char *keyfile, const char *keypass,
+ unsigned char *sig, long sigflags,
+ const struct imaevm_ossl_access *access_info,
+ uint32_t keyid)
+{
+ int rc;
+
+ if (access_info) {
+ rc = check_ossl_access(access_info);
+ if (rc)
+ return rc;
+ }
+ if (sigflags & ~IMAEVM_SIGFLAGS_SUPPORT) {
+ /* unsupported flag */
+ errno = EINVAL;
+ return -1;
+ }
+
+ if (sigflags & IMAEVM_SIGFLAG_SIGNATURE_V1) {
+#if CONFIG_SIGV1
+ return sign_hash_v1(hashalgo, hash, size, keyfile, keypass, sig,
+ access_info, keyid);
+#else
+ log_info("Signature version 1 deprecated.");
+ return -1;
+#endif
+ }
+
+ return sign_hash_v2(hashalgo, hash, size, keyfile, keypass, sig,
+ access_info, keyid);
+}
+
int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig)
{
+ const struct imaevm_ossl_access access_info = {
+ .type = IMAEVM_OSSL_ACCESS_TYPE_ENGINE,
+ .u.engine = imaevm_params.eng,
+ };
if (!keypass) /* Avoid breaking existing libimaevm usage */
keypass = imaevm_params.keypass;
if (imaevm_params.x509)
- return sign_hash_v2(hashalgo, hash, size, keyfile, keypass, sig);
+ return sign_hash_v2(hashalgo, hash, size, keyfile, keypass, sig,
+ &access_info, imaevm_params.keyid);
#if CONFIG_SIGV1
else
- return sign_hash_v1(hashalgo, hash, size, keyfile, keypass, sig);
+ return sign_hash_v1(hashalgo, hash, size, keyfile, keypass, sig,
+ &access_info, imaevm_params.keyid);
#endif
log_info("Signature version 1 deprecated.");
return -1;
--
2.43.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v3 ima-evm-utils 4/7] evmctl: Replace deprecated sign_hash with imaevm_signhash
2024-02-26 18:20 [PATCH v3 ima-evm-utils 0/7] Deprecate sign_hash and add provider support Stefan Berger
` (2 preceding siblings ...)
2024-02-26 18:20 ` [PATCH v3 ima-evm-utils 3/7] Pass ENGINE and keyid through to function using them Stefan Berger
@ 2024-02-26 18:20 ` Stefan Berger
2024-02-26 18:20 ` [PATCH v3 ima-evm-utils 5/7] Add support for OpenSSL provider to the library and evmctl Stefan Berger
` (3 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Stefan Berger @ 2024-02-26 18:20 UTC (permalink / raw
To: linux-integrity; +Cc: zohar, roberto.sassu, vt, Stefan Berger
Replace the deprecated sign_hash with imaevm_signhash. Define local
variables to pass the choice of signature version, key id, and whether
to use an OpenSSL engine to imaevm_signhash.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/evmctl.c | 75 +++++++++++++++++++++++++++++++---------------------
1 file changed, 45 insertions(+), 30 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index d050b5e..20f34dd 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -147,6 +147,14 @@ static char *g_keypass;
#define HMAC_FLAG_CAPS_SET 0x0002
static unsigned long hmac_flags;
+static uint32_t imaevm_keyid;
+static struct imaevm_ossl_access access_info;
+static long sigflags;
+
+static inline bool use_x509(long sigflags)
+{
+ return (sigflags & IMAEVM_SIGFLAG_SIGNATURE_V1) == 0;
+}
typedef int (*find_cb_t)(const char *path);
static int find(const char *path, int dts, find_cb_t func);
@@ -577,7 +585,8 @@ static int sign_evm(const char *file, char *hash_algo, const char *key)
return len;
assert(len <= sizeof(hash));
- len = sign_hash(hash_algo, hash, len, key, g_keypass, sig + 1);
+ len = imaevm_signhash(hash_algo, hash, len, key, g_keypass,
+ sig + 1, sigflags, &access_info, imaevm_keyid);
if (len <= 1)
return len;
assert(len < sizeof(sig));
@@ -663,7 +672,8 @@ static int sign_ima(const char *file, char *hash_algo, const char *key)
return len;
assert(len <= sizeof(hash));
- len = sign_hash(hash_algo, hash, len, key, g_keypass, sig + 1);
+ len = imaevm_signhash(hash_algo, hash, len, key, g_keypass,
+ sig + 1, sigflags, &access_info, imaevm_keyid);
if (len <= 1)
return len;
assert(len < sizeof(sig));
@@ -844,8 +854,9 @@ static int cmd_sign_hash(struct command *cmd)
continue;
}
- siglen = sign_hash(algo, sigv3_hash, hashlen / 2,
- key, g_keypass, sig + 1);
+ siglen = imaevm_signhash(algo, sigv3_hash, hashlen / 2,
+ key, g_keypass, sig + 1, sigflags,
+ &access_info, imaevm_keyid);
sig[0] = IMA_VERITY_DIGSIG;
sig[1] = DIGSIG_VERSION_3; /* sigv3 */
@@ -856,8 +867,10 @@ static int cmd_sign_hash(struct command *cmd)
assert(hashlen / 2 <= sizeof(hash));
hex2bin(hash, line, hashlen / 2);
- siglen = sign_hash(g_hash_algo, hash,
- hashlen / 2, key, g_keypass, sig + 1);
+ siglen = imaevm_signhash(g_hash_algo, hash,
+ hashlen / 2, key, g_keypass,
+ sig + 1, sigflags,
+ &access_info, imaevm_keyid);
sig[0] = EVM_IMA_XATTR_DIGSIG;
}
@@ -963,7 +976,7 @@ static int cmd_verify_evm(struct command *cmd)
return -1;
}
- if (imaevm_params.x509) {
+ if (use_x509(sigflags)) {
if (imaevm_params.keyfile) /* Support multiple public keys */
err = imaevm_init_public_keys(imaevm_params.keyfile,
&public_keys);
@@ -1026,7 +1039,7 @@ static int cmd_verify_ima(struct command *cmd)
return -1;
}
- if (imaevm_params.x509) {
+ if (use_x509(sigflags)) {
if (imaevm_params.keyfile) /* Support multiple public keys */
err = imaevm_init_public_keys(imaevm_params.keyfile,
&public_keys);
@@ -1061,15 +1074,12 @@ static int cmd_convert(struct command *cmd)
uint8_t keyid[8];
RSA *key;
- imaevm_params.x509 = 0;
-
inkey = g_argv[optind++];
if (!inkey) {
- inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" :
- "/etc/keys/pubkey_evm.pem";
+ inkey = "/etc/keys/pubkey_evm.pem";
}
- key = read_pub_key(inkey, imaevm_params.x509);
+ key = read_pub_key(inkey, 0);
if (!key)
return 1;
@@ -1094,7 +1104,7 @@ static int cmd_import(struct command *cmd)
inkey = g_argv[optind++];
if (!inkey) {
- inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" :
+ inkey = use_x509(sigflags) ? "/etc/keys/x509_evm.der" :
"/etc/keys/pubkey_evm.pem";
} else
ring = g_argv[optind++];
@@ -1124,8 +1134,8 @@ static int cmd_import(struct command *cmd)
}
}
- if (imaevm_params.x509) {
- EVP_PKEY *pkey = read_pub_pkey(inkey, imaevm_params.x509);
+ if (use_x509(sigflags)) {
+ EVP_PKEY *pkey = read_pub_pkey(inkey, 1);
if (!pkey)
return 1;
@@ -1138,7 +1148,7 @@ static int cmd_import(struct command *cmd)
EVP_PKEY_free(pkey);
} else {
#if CONFIG_SIGV1
- RSA *key = read_pub_key(inkey, imaevm_params.x509);
+ RSA *key = read_pub_key(inkey, 0);
if (!key)
return 1;
@@ -1153,8 +1163,8 @@ static int cmd_import(struct command *cmd)
log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id);
- id = add_key(imaevm_params.x509 ? "asymmetric" : "user",
- imaevm_params.x509 ? NULL : name, pub, len, id);
+ id = add_key(use_x509(sigflags) ? "asymmetric" : "user",
+ use_x509(sigflags) ? NULL : name, pub, len, id);
if (id < 0) {
log_err("add_key failed\n");
err = id;
@@ -3106,7 +3116,7 @@ int main(int argc, char *argv[])
hmac_flags |= HMAC_FLAG_NO_UUID;
break;
case '1':
- imaevm_params.x509 = 0;
+ sigflags |= IMAEVM_SIGFLAG_SIGNATURE_V1;
break;
case 'k':
imaevm_params.keyfile = optarg;
@@ -3172,11 +3182,12 @@ int main(int argc, char *argv[])
break;
#if CONFIG_IMA_EVM_ENGINE
case 139: /* --engine e */
- imaevm_params.eng = setup_engine(optarg);
- if (!imaevm_params.eng) {
+ access_info.u.engine = setup_engine(optarg);
+ if (!access_info.u.engine) {
log_info("setup_engine failed\n");
goto error;
}
+ access_info.type = IMAEVM_OSSL_ACCESS_TYPE_ENGINE;
break;
#endif
case 140: /* --xattr-user */
@@ -3210,7 +3221,7 @@ int main(int argc, char *argv[])
log_err("Invalid keyid value.\n");
exit(1);
}
- imaevm_params.keyid = keyid;
+ imaevm_keyid = keyid;
break;
case 145:
keyid = imaevm_read_keyid(optarg);
@@ -3218,7 +3229,7 @@ int main(int argc, char *argv[])
log_err("Error reading keyid.\n");
exit(1);
}
- imaevm_params.keyid = keyid;
+ imaevm_keyid = keyid;
break;
case 146:
veritysig = 1;
@@ -3241,12 +3252,16 @@ int main(int argc, char *argv[])
g_keypass = getenv("EVMCTL_KEY_PASSWORD");
if (imaevm_params.keyfile != NULL &&
- imaevm_params.eng == NULL &&
+ access_info.type == IMAEVM_OSSL_ACCESS_TYPE_NONE &&
!strncmp(imaevm_params.keyfile, "pkcs11:", 7)) {
#if CONFIG_IMA_EVM_ENGINE
- imaevm_params.eng = setup_engine("pkcs11");
+ if (access_info.type == IMAEVM_OSSL_ACCESS_TYPE_NONE) {
+ access_info.u.engine = setup_engine("pkcs11");
+ if (access_info.u.engine)
+ access_info.type = IMAEVM_OSSL_ACCESS_TYPE_ENGINE;
+ }
#endif
- if (!imaevm_params.eng)
+ if (access_info.type == IMAEVM_OSSL_ACCESS_TYPE_NONE)
goto error;
}
@@ -3272,9 +3287,9 @@ int main(int argc, char *argv[])
error:
#if CONFIG_IMA_EVM_ENGINE
- if (imaevm_params.eng) {
- ENGINE_finish(imaevm_params.eng);
- ENGINE_free(imaevm_params.eng);
+ if (access_info.type == IMAEVM_OSSL_ACCESS_TYPE_ENGINE) {
+ ENGINE_finish(access_info.u.engine);
+ ENGINE_free(access_info.u.engine);
#if OPENSSL_API_COMPAT < 0x10100000L
ENGINE_cleanup();
#endif
--
2.43.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v3 ima-evm-utils 5/7] Add support for OpenSSL provider to the library and evmctl
2024-02-26 18:20 [PATCH v3 ima-evm-utils 0/7] Deprecate sign_hash and add provider support Stefan Berger
` (3 preceding siblings ...)
2024-02-26 18:20 ` [PATCH v3 ima-evm-utils 4/7] evmctl: Replace deprecated sign_hash with imaevm_signhash Stefan Berger
@ 2024-02-26 18:20 ` Stefan Berger
2024-02-26 18:21 ` [PATCH v3 ima-evm-utils 6/7] tests: Add pkcs11 test using provider Stefan Berger
` (2 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Stefan Berger @ 2024-02-26 18:20 UTC (permalink / raw
To: linux-integrity; +Cc: zohar, roberto.sassu, vt, Stefan Berger
Also implement the --provider option that is useful for testing with
provider. It also helps a user to select whether to use an engine or a
provider.
Update the README with the new option.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
README | 5 ++--
configure.ac | 6 ++++
src/Makefile.am | 21 +++++++++++---
src/evmctl.c | 49 +++++++++++++++++++++++++++++++++
src/imaevm.h | 9 ++++++
src/libimaevm.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++++
6 files changed, 157 insertions(+), 6 deletions(-)
diff --git a/README b/README
index 54746ef..815b555 100644
--- a/README
+++ b/README
@@ -69,7 +69,6 @@ OPTIONS
--smack use extra SMACK xattrs for EVM
--m32 force EVM hmac/signature for 32 bit target system
--m64 force EVM hmac/signature for 64 bit target system
- --engine e preload OpenSSL engine e (such as: gost) is deprecated
--ino use custom inode for EVM
--uid use custom UID for EVM
--gid use custom GID for EVM
@@ -79,9 +78,11 @@ OPTIONS
--selinux use custom Selinux label for EVM
--caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)
--pcrs file containing TPM pcrs, one per hash-algorithm/bank
- --ignore-violations ignore ToMToU measurement violations
--verify-sig verify the file signature based on the file hash, both
stored in the template data.
+ --engine e preload OpenSSL engine e (such as: gost) is deprecated
+ --provider p preload OpenSSL provider (such as: pkcs11)
+ --ignore-violations ignore ToMToU measurement violations
--hmackey path to symmetric key (default: /etc/keys/evm-key-plain)
-v increase verbosity level
-h, --help display this help and exit
diff --git a/configure.ac b/configure.ac
index 365aacf..d0d2e21 100644
--- a/configure.ac
+++ b/configure.ac
@@ -61,6 +61,11 @@ AC_ARG_ENABLE(engine,
AC_CHECK_LIB([crypto], [ENGINE_init],, [enable_engine=no])
AM_CONDITIONAL([CONFIG_IMA_EVM_ENGINE], [test "x$enable_engine" = "xyes"])
+AC_ARG_ENABLE(provider,
+ [AS_HELP_STRING([--disable-provider], [build ima-evm-utils without OpenSSL providre support])],,[enable_provider=yes])
+ AC_CHECK_LIB([crypto], [OSSL_PROVIDER_load],, [enable_provider=no])
+ AM_CONDITIONAL([CONFIG_IMA_EVM_PROVIDER], [test "x$enable_provider" = "xyes"])
+
#debug support - yes for a while
PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
if test $pkg_cv_enable_debug = yes; then
@@ -99,6 +104,7 @@ echo " tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode"
echo " ibmtss: $ac_cv_header_ibmtss_tss_h"
echo " sigv1: $enable_sigv1"
echo " engine: $enable_engine"
+echo " provider: $enable_provider"
echo " doc: $have_doc"
echo " pandoc: $have_pandoc"
echo
diff --git a/src/Makefile.am b/src/Makefile.am
index 3bf742f..7c3f5fd 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -7,12 +7,18 @@ libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
libimaevm_la_LDFLAGS = -version-info 4:0:0
libimaevm_la_LIBADD = $(LIBCRYPTO_LIBS)
+libimaevm_la_CFLAGS =
+
if CONFIG_SIGV1
-libimaevm_la_CFLAGS = -DCONFIG_SIGV1
+libimaevm_la_CFLAGS += -DCONFIG_SIGV1
endif
if CONFIG_IMA_EVM_ENGINE
-libimaevm_la_CFLAGS = -DCONFIG_IMA_EVM_ENGINE
+libimaevm_la_CFLAGS += -DCONFIG_IMA_EVM_ENGINE
+endif
+
+if CONFIG_IMA_EVM_PROVIDER
+libimaevm_la_CFLAGS += -DCONFIG_IMA_EVM_PROVIDER
endif
include_HEADERS = imaevm.h
@@ -30,14 +36,21 @@ evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
evmctl_LDFLAGS = $(LDFLAGS_READLINE)
evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la
+evmctl_CFLAGS =
+
# Enable IMA signature version 1
if CONFIG_SIGV1
-evmctl_CFLAGS = -DCONFIG_SIGV1
+evmctl_CFLAGS += -DCONFIG_SIGV1
endif
# Enable "--engine" support
if CONFIG_IMA_EVM_ENGINE
-evmctl_CFLAGS = -DCONFIG_IMA_EVM_ENGINE
+evmctl_CFLAGS += -DCONFIG_IMA_EVM_ENGINE
+endif
+
+# Enable "--provider" support
+if CONFIG_IMA_EVM_PROVIDER
+evmctl_CFLAGS += -DCONFIG_IMA_EVM_PROVIDER
endif
# USE_PCRTSS uses the Intel TSS
diff --git a/src/evmctl.c b/src/evmctl.c
index 20f34dd..ffe2fc9 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -68,6 +68,9 @@
#if CONFIG_IMA_EVM_ENGINE
#include <openssl/engine.h>
#endif
+#if CONFIG_IMA_EVM_PROVIDER
+#include <openssl/provider.h>
+#endif
#include <openssl/x509v3.h>
#include "hash_info.h"
#include "pcr.h"
@@ -2914,6 +2917,9 @@ static void usage(void)
" --verify-sig verify measurement list signatures\n"
#if CONFIG_IMA_EVM_ENGINE
" --engine e preload OpenSSL engine e (such as: gost) is deprecated\n"
+#endif
+#if CONFIG_IMA_EVM_PROVIDER
+ " --provider p preload OpenSSL provider (such as: pkcs11)\n"
#endif
" --ignore-violations ignore ToMToU measurement violations\n"
#ifdef DEBUG
@@ -2991,6 +2997,9 @@ static struct option opts[] = {
{"veritysig", 0, 0, 146},
{"hwtpm", 0, 0, 147},
{"hmackey", 1, 0, 148},
+#if CONFIG_IMA_EVM_PROVIDER
+ {"provider", 1, 0, 149},
+#endif
{}
};
@@ -3036,6 +3045,25 @@ static char *get_password(void)
return password;
}
+
+#if CONFIG_IMA_EVM_PROVIDER
+static OSSL_PROVIDER *setup_provider(const char *name)
+{
+ OSSL_PROVIDER *p = OSSL_PROVIDER_load(NULL, name);
+
+ if (!p) {
+ log_err("provider %s isn't available\n", optarg);
+ ERR_print_errors_fp(stderr);
+ } else if (!OSSL_PROVIDER_self_test(p)) {
+ log_err("provider %s self test failed\n", optarg);
+ ERR_print_errors_fp(stderr);
+ OSSL_PROVIDER_unload(p);
+ p = NULL;
+ }
+ return p;
+}
+#endif
+
#if CONFIG_IMA_EVM_ENGINE
static ENGINE *setup_engine(const char *engine_id)
{
@@ -3240,6 +3268,16 @@ int main(int argc, char *argv[])
case 148:
imaevm_params.hmackeyfile = optarg;
break;
+#if CONFIG_IMA_EVM_PROVIDER
+ case 149: /* --provider p */
+ access_info.u.provider = setup_provider(optarg);
+ if (!access_info.u.provider) {
+ log_info("setup_provider failed\n");
+ goto error;
+ }
+ access_info.type = IMAEVM_OSSL_ACCESS_TYPE_PROVIDER;
+ break;
+#endif
case '?':
exit(1);
break;
@@ -3254,6 +3292,13 @@ int main(int argc, char *argv[])
if (imaevm_params.keyfile != NULL &&
access_info.type == IMAEVM_OSSL_ACCESS_TYPE_NONE &&
!strncmp(imaevm_params.keyfile, "pkcs11:", 7)) {
+#if CONFIG_IMA_EVM_PROVIDER
+ if (access_info.type == IMAEVM_OSSL_ACCESS_TYPE_NONE) {
+ access_info.u.provider = setup_provider("pkcs11");
+ if (access_info.u.provider)
+ access_info.type = IMAEVM_OSSL_ACCESS_TYPE_PROVIDER;
+ }
+#endif
#if CONFIG_IMA_EVM_ENGINE
if (access_info.type == IMAEVM_OSSL_ACCESS_TYPE_NONE) {
access_info.u.engine = setup_engine("pkcs11");
@@ -3294,6 +3339,10 @@ error:
ENGINE_cleanup();
#endif
}
+#endif
+#if CONFIG_IMA_EVM_PROVIDER
+ if (access_info.type == IMAEVM_OSSL_ACCESS_TYPE_PROVIDER)
+ OSSL_PROVIDER_unload(access_info.u.provider);
#endif
ERR_free_strings();
EVP_cleanup();
diff --git a/src/imaevm.h b/src/imaevm.h
index 6764604..281a748 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -57,6 +57,13 @@ struct engine_st;
typedef struct engine_st ENGINE; /* unused when no engine support */
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+# include <openssl/provider.h>
+#else
+struct ossl_provider_st;
+typedef struct ossl_provider_st OSSL_PROVIDER;
+#endif
+
#ifdef USE_FPRINTF
#define do_log(level, fmt, args...) \
({ if (level <= imaevm_params.verbose) fprintf(stderr, fmt, ##args); })
@@ -268,8 +275,10 @@ struct imaevm_ossl_access {
int type;
#define IMAEVM_OSSL_ACCESS_TYPE_NONE 0
#define IMAEVM_OSSL_ACCESS_TYPE_ENGINE 1 /* also: engine field exists */
+#define IMAEVM_OSSL_ACCESS_TYPE_PROVIDER 2 /* also: provider field exists */
union {
ENGINE *engine;
+ OSSL_PROVIDER *provider;
} u;
};
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 91af613..64ddd96 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -62,6 +62,12 @@
#include <openssl/err.h>
#include <openssl/engine.h>
+#if CONFIG_IMA_EVM_PROVIDER
+#include <openssl/provider.h>
+#include <openssl/ui.h>
+#include <openssl/store.h>
+#endif
+
#include "imaevm.h"
#include "hash_info.h"
@@ -1064,6 +1070,64 @@ err_engine:
#endif
}
+#ifdef CONFIG_IMA_EVM_PROVIDER
+static int ui_get_pin(UI *ui, UI_STRING *uis)
+{
+ return UI_set_result(ui, uis, UI_get0_user_data(ui));
+}
+
+static EVP_PKEY *read_priv_pkey_provider(OSSL_PROVIDER *p, const char *keyfile,
+ const char *keypass, uint32_t keyid)
+{
+ UI_METHOD *ui_method = NULL;
+ OSSL_STORE_INFO *info;
+ OSSL_STORE_CTX *store;
+ EVP_PKEY *pkey = NULL;
+ int typ;
+
+ if (!keyid) {
+ log_err("When using a pkcs11 URI you must provide the keyid with an option\n");
+ return NULL;
+ }
+
+ if (keypass) {
+ ui_method = UI_create_method("PIN reader");
+ if (!ui_method)
+ return NULL;
+ UI_method_set_reader(ui_method, ui_get_pin);
+ }
+ store = OSSL_STORE_open_ex(keyfile, NULL, "provider=pkcs11", ui_method,
+ (void *)keypass, NULL, NULL, NULL);
+ if (!store) {
+ log_err("Failed to open store for provider=pkcs11\n");
+ goto err_provider;
+ }
+ for (info = OSSL_STORE_load(store);
+ info != NULL && pkey == NULL;
+ info = OSSL_STORE_load(store)) {
+ typ = OSSL_STORE_INFO_get_type(info);
+
+ switch (typ) {
+ case OSSL_STORE_INFO_PKEY:
+ pkey = OSSL_STORE_INFO_get1_PKEY(info);
+ break;
+ }
+ OSSL_STORE_INFO_free(info);
+ }
+ OSSL_STORE_close(store);
+
+ if (!pkey) {
+ log_err("Failed to load private key %s\n", keyfile);
+ goto err_provider;
+ }
+ return pkey;
+
+err_provider:
+ output_openssl_errors();
+ return NULL;
+}
+#endif
+
static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass,
const struct imaevm_ossl_access *access_info,
uint32_t keyid)
@@ -1077,6 +1141,12 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass,
pkey = read_priv_pkey_engine(access_info->u.engine,
keyfile, keypass, keyid);
break;
+#ifdef CONFIG_IMA_EVM_PROVIDER
+ case IMAEVM_OSSL_ACCESS_TYPE_PROVIDER:
+ pkey = read_priv_pkey_provider(access_info->u.provider,
+ keyfile, keypass, keyid);
+ break;
+#endif
}
} else {
fp = fopen(keyfile, "r");
@@ -1331,6 +1401,9 @@ static int check_ossl_access(const struct imaevm_ossl_access *access_info)
case IMAEVM_OSSL_ACCESS_TYPE_NONE:
#ifdef CONFIG_IMA_EVM_ENGINE
case IMAEVM_OSSL_ACCESS_TYPE_ENGINE:
+#endif
+#ifdef CONFIG_IMA_EVM_PROVIDER
+ case IMAEVM_OSSL_ACCESS_TYPE_PROVIDER:
#endif
return 0;
--
2.43.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v3 ima-evm-utils 6/7] tests: Add pkcs11 test using provider
2024-02-26 18:20 [PATCH v3 ima-evm-utils 0/7] Deprecate sign_hash and add provider support Stefan Berger
` (4 preceding siblings ...)
2024-02-26 18:20 ` [PATCH v3 ima-evm-utils 5/7] Add support for OpenSSL provider to the library and evmctl Stefan Berger
@ 2024-02-26 18:21 ` Stefan Berger
2024-02-26 18:21 ` [PATCH v3 ima-evm-utils 7/7] ci: Install pkcs11-provider where available Stefan Berger
2024-02-26 18:28 ` [PATCH v3 ima-evm-utils 0/7] Deprecate sign_hash and add provider support Stefan Berger
7 siblings, 0 replies; 9+ messages in thread
From: Stefan Berger @ 2024-02-26 18:21 UTC (permalink / raw
To: linux-integrity; +Cc: zohar, roberto.sassu, vt, Stefan Berger
Adjust the existing pkcs11 engine test cases to pass --engine pkcs11 via
an option (OPTS) to evmctl rather than using a global variable. Then
duplicate the pkcs11 engine tests and pass --provider pkcs11 to run the
same tests using OpenSSL provider. Also check whether evmctl was compiled
with provider support and if the pkcs11 provider is installed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
tests/functions.sh | 1 -
tests/sign_verify.test | 20 +++++++++++++++++---
2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/tests/functions.sh b/tests/functions.sh
index c39b894..962a436 100755
--- a/tests/functions.sh
+++ b/tests/functions.sh
@@ -373,7 +373,6 @@ _softhsm_setup() {
PKCS11_KEYURI=$(echo "$msg" | sed -n 's|^keyuri: \(.*\)|\1|p')
export PKCS11_KEYURI
- export EVMCTL_ENGINE="--engine pkcs11"
export OPENSSL_ENGINE="-engine pkcs11"
export OPENSSL_KEYFORM="-keyform engine"
else
diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index 16c7ada..f9522e0 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@@ -447,10 +447,24 @@ if [ -n "${PKCS11_KEYURI}" ]; then
expect_pass __skip
expect_pass __skip
fi
+
+ # provider may not be supported or pkcs11 provider not installed
+ if evmctl --help 2>/dev/null | grep -q provider && \
+ openssl list -providers -provider pkcs11 2>/dev/null; then
+ PKCS11_PRIVKEYURI=${PKCS11_KEYURI//type=public/type=private}
+
+ expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_PRIVKEYURI}" ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS="--keyid=aabbccdd --provider pkcs11"
+ expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_PRIVKEYURI}" ALG=sha1 PREFIX=0x030202aabbccdd0100 OPTS="--keyid=aabbccdd --provider pkcs11"
+ else
+ __skip() { echo "pkcs11 test with provider is skipped since no provider support or pkcs11 not installed"; return "$SKIP"; }
+ expect_pass __skip
+ expect_pass __skip
+ fi
else
# to have a constant number of tests, skip these two tests
- __skip() { echo "pkcs11 test is skipped: could not setup softhsm"; return $SKIP; }
- expect_pass __skip
- expect_pass __skip
+ __skip() { echo "pkcs11 test is skipped: could not setup softhsm"; return "$SKIP"; }
+ for i in $(seq 0 3); do
+ expect_pass __skip
+ done
fi
_softhsm_teardown "${WORKDIR}"
--
2.43.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v3 ima-evm-utils 7/7] ci: Install pkcs11-provider where available
2024-02-26 18:20 [PATCH v3 ima-evm-utils 0/7] Deprecate sign_hash and add provider support Stefan Berger
` (5 preceding siblings ...)
2024-02-26 18:21 ` [PATCH v3 ima-evm-utils 6/7] tests: Add pkcs11 test using provider Stefan Berger
@ 2024-02-26 18:21 ` Stefan Berger
2024-02-26 18:28 ` [PATCH v3 ima-evm-utils 0/7] Deprecate sign_hash and add provider support Stefan Berger
7 siblings, 0 replies; 9+ messages in thread
From: Stefan Berger @ 2024-02-26 18:21 UTC (permalink / raw
To: linux-integrity; +Cc: zohar, roberto.sassu, vt, Stefan Berger
Install the pkcs11-provider package. For it to be useful softhsm and gnutls
are also needed, so in some cases install them together so that if one of
the packages cannot be installed then none of them are installed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
ci/alt.sh | 2 ++
ci/debian.sh | 1 +
ci/fedora.sh | 1 +
ci/tumbleweed.sh | 2 ++
4 files changed, 6 insertions(+)
diff --git a/ci/alt.sh b/ci/alt.sh
index 36ff657..f86dcec 100755
--- a/ci/alt.sh
+++ b/ci/alt.sh
@@ -27,3 +27,5 @@ apt-get install -y \
xsltproc \
xxd \
&& control openssl-gost enabled
+
+apt-get install -y pkcs11-provider || true
diff --git a/ci/debian.sh b/ci/debian.sh
index 7676191..740eb9e 100755
--- a/ci/debian.sh
+++ b/ci/debian.sh
@@ -59,3 +59,4 @@ $apt \
$apt xxd || $apt vim-common
$apt libengine-gost-openssl1.1$ARCH || true
$apt softhsm gnutls-bin libengine-pkcs11-openssl1.1$ARCH || true
+$apt softhsm gnutls-bin pkcs11-provider || true
diff --git a/ci/fedora.sh b/ci/fedora.sh
index 1d17c6b..44fd956 100755
--- a/ci/fedora.sh
+++ b/ci/fedora.sh
@@ -60,6 +60,7 @@ if [ -f /etc/centos-release ]; then
yum -y install epel-release
fi
yum -y install softhsm || true
+yum -y install softhsm pkcs11-provider || true
# haveged is available via EPEL on CentOS stream8.
yum -y install haveged || true
diff --git a/ci/tumbleweed.sh b/ci/tumbleweed.sh
index bc111fe..a58c296 100755
--- a/ci/tumbleweed.sh
+++ b/ci/tumbleweed.sh
@@ -48,6 +48,8 @@ zypper --non-interactive install --force-resolution --no-recommends \
zypper --non-interactive install --force-resolution --no-recommends \
gnutls openssl-engine-libp11 softhsm || true
+zypper --non-interactive install --force-resolution --no-recommends \
+ gnutls pkcs11-provider softhsm || true
if [ -f /usr/lib/ibmtss/tpm_server -a ! -e /usr/local/bin/tpm_server ]; then
ln -s /usr/lib/ibmtss/tpm_server /usr/local/bin
--
2.43.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH v3 ima-evm-utils 0/7] Deprecate sign_hash and add provider support
2024-02-26 18:20 [PATCH v3 ima-evm-utils 0/7] Deprecate sign_hash and add provider support Stefan Berger
` (6 preceding siblings ...)
2024-02-26 18:21 ` [PATCH v3 ima-evm-utils 7/7] ci: Install pkcs11-provider where available Stefan Berger
@ 2024-02-26 18:28 ` Stefan Berger
7 siblings, 0 replies; 9+ messages in thread
From: Stefan Berger @ 2024-02-26 18:28 UTC (permalink / raw
To: linux-integrity; +Cc: zohar, roberto.sassu, vt
On 2/26/24 13:20, Stefan Berger wrote:
> This series deprecates the sign_hash function and introduces
> imaevm_signhash that requires the necessary parameters to be passed rather
> than relying on the global imaevm_params variable. This way we can remove
> the usage of imaevm_params for the OpenSSL engine and the keyid.
>
> Add support for an OpenSSL provider. The choice of engine versus provider
> is implemented using a struct imaevm_ossl_access that wraps the engine or
> provider parameters. It also provides a type field where the user can
> choose one or the other. imaevm_signhash takes this structure as an optional
> parameter to support engines and providers.
>
> Also extend existing test cases with tests with a pkcs11 provider.
>
> Regards,
> Stefan
>
> v3:
> - Added patch checking for engine support in evmctl before trying to run
> pkcs11 test (1/7)
> - Updated README with new --provider option (5/7)
> - Added 2 more skip's to pkcs11 test in case neither engine nor provider
> are supported (6/7)
Correction:
- Added 2 more skip's to pkcs11 test in case softhsm is not installed
(6/7)
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2024-02-26 18:28 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-02-26 18:20 [PATCH v3 ima-evm-utils 0/7] Deprecate sign_hash and add provider support Stefan Berger
2024-02-26 18:20 ` [PATCH v3 ima-evm-utils 1/7] tests: Skip pkcs11 test if no engine support in evmctl Stefan Berger
2024-02-26 18:20 ` [PATCH v3 ima-evm-utils 2/7] headers: Remove usage of CONFIG_IMA_EVM_ENGINE from public header Stefan Berger
2024-02-26 18:20 ` [PATCH v3 ima-evm-utils 3/7] Pass ENGINE and keyid through to function using them Stefan Berger
2024-02-26 18:20 ` [PATCH v3 ima-evm-utils 4/7] evmctl: Replace deprecated sign_hash with imaevm_signhash Stefan Berger
2024-02-26 18:20 ` [PATCH v3 ima-evm-utils 5/7] Add support for OpenSSL provider to the library and evmctl Stefan Berger
2024-02-26 18:21 ` [PATCH v3 ima-evm-utils 6/7] tests: Add pkcs11 test using provider Stefan Berger
2024-02-26 18:21 ` [PATCH v3 ima-evm-utils 7/7] ci: Install pkcs11-provider where available Stefan Berger
2024-02-26 18:28 ` [PATCH v3 ima-evm-utils 0/7] Deprecate sign_hash and add provider support Stefan Berger
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).