--- /dev/null
+Installation Instructions
+*************************
+
+Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004, 2005,
+2006, 2007, 2008, 2009 Free Software Foundation, Inc.
+
+ Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved. This file is offered as-is,
+without warranty of any kind.
+
+Basic Installation
+==================
+
+ Briefly, the shell commands `./configure; make; make install' should
+configure, build, and install this package. The following
+more-detailed instructions are generic; see the `README' file for
+instructions specific to this package. Some packages provide this
+`INSTALL' file but do not implement all of the features documented
+below. The lack of an optional feature in a given package is not
+necessarily a bug. More recommendations for GNU packages can be found
+in *note Makefile Conventions: (standards)Makefile Conventions.
+
+ The `configure' shell script attempts to guess correct values for
+various system-dependent variables used during compilation. It uses
+those values to create a `Makefile' in each directory of the package.
+It may also create one or more `.h' files containing system-dependent
+definitions. Finally, it creates a shell script `config.status' that
+you can run in the future to recreate the current configuration, and a
+file `config.log' containing compiler output (useful mainly for
+debugging `configure').
+
+ It can also use an optional file (typically called `config.cache'
+and enabled with `--cache-file=config.cache' or simply `-C') that saves
+the results of its tests to speed up reconfiguring. Caching is
+disabled by default to prevent problems with accidental use of stale
+cache files.
+
+ If you need to do unusual things to compile the package, please try
+to figure out how `configure' could check whether to do them, and mail
+diffs or instructions to the address given in the `README' so they can
+be considered for the next release. If you are using the cache, and at
+some point `config.cache' contains results you don't want to keep, you
+may remove or edit it.
+
+ The file `configure.ac' (or `configure.in') is used to create
+`configure' by a program called `autoconf'. You need `configure.ac' if
+you want to change it or regenerate `configure' using a newer version
+of `autoconf'.
+
+ The simplest way to compile this package is:
+
+ 1. `cd' to the directory containing the package's source code and type
+ `./configure' to configure the package for your system.
+
+ Running `configure' might take a while. While running, it prints
+ some messages telling which features it is checking for.
+
+ 2. Type `make' to compile the package.
+
+ 3. Optionally, type `make check' to run any self-tests that come with
+ the package, generally using the just-built uninstalled binaries.
+
+ 4. Type `make install' to install the programs and any data files and
+ documentation. When installing into a prefix owned by root, it is
+ recommended that the package be configured and built as a regular
+ user, and only the `make install' phase executed with root
+ privileges.
+
+ 5. Optionally, type `make installcheck' to repeat any self-tests, but
+ this time using the binaries in their final installed location.
+ This target does not install anything. Running this target as a
+ regular user, particularly if the prior `make install' required
+ root privileges, verifies that the installation completed
+ correctly.
+
+ 6. You can remove the program binaries and object files from the
+ source code directory by typing `make clean'. To also remove the
+ files that `configure' created (so you can compile the package for
+ a different kind of computer), type `make distclean'. There is
+ also a `make maintainer-clean' target, but that is intended mainly
+ for the package's developers. If you use it, you may have to get
+ all sorts of other programs in order to regenerate files that came
+ with the distribution.
+
+ 7. Often, you can also type `make uninstall' to remove the installed
+ files again. In practice, not all packages have tested that
+ uninstallation works correctly, even though it is required by the
+ GNU Coding Standards.
+
+ 8. Some packages, particularly those that use Automake, provide `make
+ distcheck', which can by used by developers to test that all other
+ targets like `make install' and `make uninstall' work correctly.
+ This target is generally not run by end users.
+
+Compilers and Options
+=====================
+
+ Some systems require unusual options for compilation or linking that
+the `configure' script does not know about. Run `./configure --help'
+for details on some of the pertinent environment variables.
+
+ You can give `configure' initial values for configuration parameters
+by setting variables in the command line or in the environment. Here
+is an example:
+
+ ./configure CC=c99 CFLAGS=-g LIBS=-lposix
+
+ *Note Defining Variables::, for more details.
+
+Compiling For Multiple Architectures
+====================================
+
+ You can compile the package for more than one kind of computer at the
+same time, by placing the object files for each architecture in their
+own directory. To do this, you can use GNU `make'. `cd' to the
+directory where you want the object files and executables to go and run
+the `configure' script. `configure' automatically checks for the
+source code in the directory that `configure' is in and in `..'. This
+is known as a "VPATH" build.
+
+ With a non-GNU `make', it is safer to compile the package for one
+architecture at a time in the source code directory. After you have
+installed the package for one architecture, use `make distclean' before
+reconfiguring for another architecture.
+
+ On MacOS X 10.5 and later systems, you can create libraries and
+executables that work on multiple system types--known as "fat" or
+"universal" binaries--by specifying multiple `-arch' options to the
+compiler but only a single `-arch' option to the preprocessor. Like
+this:
+
+ ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
+ CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
+ CPP="gcc -E" CXXCPP="g++ -E"
+
+ This is not guaranteed to produce working output in all cases, you
+may have to build one architecture at a time and combine the results
+using the `lipo' tool if you have problems.
+
+Installation Names
+==================
+
+ By default, `make install' installs the package's commands under
+`/usr/local/bin', include files under `/usr/local/include', etc. You
+can specify an installation prefix other than `/usr/local' by giving
+`configure' the option `--prefix=PREFIX', where PREFIX must be an
+absolute file name.
+
+ You can specify separate installation prefixes for
+architecture-specific files and architecture-independent files. If you
+pass the option `--exec-prefix=PREFIX' to `configure', the package uses
+PREFIX as the prefix for installing programs and libraries.
+Documentation and other data files still use the regular prefix.
+
+ In addition, if you use an unusual directory layout you can give
+options like `--bindir=DIR' to specify different values for particular
+kinds of files. Run `configure --help' for a list of the directories
+you can set and what kinds of files go in them. In general, the
+default for these options is expressed in terms of `${prefix}', so that
+specifying just `--prefix' will affect all of the other directory
+specifications that were not explicitly provided.
+
+ The most portable way to affect installation locations is to pass the
+correct locations to `configure'; however, many packages provide one or
+both of the following shortcuts of passing variable assignments to the
+`make install' command line to change installation locations without
+having to reconfigure or recompile.
+
+ The first method involves providing an override variable for each
+affected directory. For example, `make install
+prefix=/alternate/directory' will choose an alternate location for all
+directory configuration variables that were expressed in terms of
+`${prefix}'. Any directories that were specified during `configure',
+but not in terms of `${prefix}', must each be overridden at install
+time for the entire installation to be relocated. The approach of
+makefile variable overrides for each directory variable is required by
+the GNU Coding Standards, and ideally causes no recompilation.
+However, some platforms have known limitations with the semantics of
+shared libraries that end up requiring recompilation when using this
+method, particularly noticeable in packages that use GNU Libtool.
+
+ The second method involves providing the `DESTDIR' variable. For
+example, `make install DESTDIR=/alternate/directory' will prepend
+`/alternate/directory' before all installation names. The approach of
+`DESTDIR' overrides is not required by the GNU Coding Standards, and
+does not work on platforms that have drive letters. On the other hand,
+it does better at avoiding recompilation issues, and works well even
+when some directory options were not specified in terms of `${prefix}'
+at `configure' time.
+
+Optional Features
+=================
+
+ If the package supports it, you can cause programs to be installed
+with an extra prefix or suffix on their names by giving `configure' the
+option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
+
+ Some packages pay attention to `--enable-FEATURE' options to
+`configure', where FEATURE indicates an optional part of the package.
+They may also pay attention to `--with-PACKAGE' options, where PACKAGE
+is something like `gnu-as' or `x' (for the X Window System). The
+`README' should mention any `--enable-' and `--with-' options that the
+package recognizes.
+
+ For packages that use the X Window System, `configure' can usually
+find the X include and library files automatically, but if it doesn't,
+you can use the `configure' options `--x-includes=DIR' and
+`--x-libraries=DIR' to specify their locations.
+
+ Some packages offer the ability to configure how verbose the
+execution of `make' will be. For these packages, running `./configure
+--enable-silent-rules' sets the default to minimal output, which can be
+overridden with `make V=1'; while running `./configure
+--disable-silent-rules' sets the default to verbose, which can be
+overridden with `make V=0'.
+
+Particular systems
+==================
+
+ On HP-UX, the default C compiler is not ANSI C compatible. If GNU
+CC is not installed, it is recommended to use the following options in
+order to use an ANSI C compiler:
+
+ ./configure CC="cc -Ae -D_XOPEN_SOURCE=500"
+
+and if that doesn't work, install pre-built binaries of GCC for HP-UX.
+
+ On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot
+parse its `<wchar.h>' header file. The option `-nodtk' can be used as
+a workaround. If GNU CC is not installed, it is therefore recommended
+to try
+
+ ./configure CC="cc"
+
+and if that doesn't work, try
+
+ ./configure CC="cc -nodtk"
+
+ On Solaris, don't put `/usr/ucb' early in your `PATH'. This
+directory contains several dysfunctional programs; working variants of
+these programs are available in `/usr/bin'. So, if you need `/usr/ucb'
+in your `PATH', put it _after_ `/usr/bin'.
+
+ On Haiku, software installed for all users goes in `/boot/common',
+not `/usr/local'. It is recommended to use the following options:
+
+ ./configure --prefix=/boot/common
+
+Specifying the System Type
+==========================
+
+ There may be some features `configure' cannot figure out
+automatically, but needs to determine by the type of machine the package
+will run on. Usually, assuming the package is built to be run on the
+_same_ architectures, `configure' can figure that out, but if it prints
+a message saying it cannot guess the machine type, give it the
+`--build=TYPE' option. TYPE can either be a short name for the system
+type, such as `sun4', or a canonical name which has the form:
+
+ CPU-COMPANY-SYSTEM
+
+where SYSTEM can have one of these forms:
+
+ OS
+ KERNEL-OS
+
+ See the file `config.sub' for the possible values of each field. If
+`config.sub' isn't included in this package, then this package doesn't
+need to know the machine type.
+
+ If you are _building_ compiler tools for cross-compiling, you should
+use the option `--target=TYPE' to select the type of system they will
+produce code for.
+
+ If you want to _use_ a cross compiler, that generates code for a
+platform different from the build platform, you should specify the
+"host" platform (i.e., that on which the generated programs will
+eventually be run) with `--host=TYPE'.
+
+Sharing Defaults
+================
+
+ If you want to set default values for `configure' scripts to share,
+you can create a site shell script called `config.site' that gives
+default values for variables like `CC', `cache_file', and `prefix'.
+`configure' looks for `PREFIX/share/config.site' if it exists, then
+`PREFIX/etc/config.site' if it exists. Or, you can set the
+`CONFIG_SITE' environment variable to the location of the site script.
+A warning: not all `configure' scripts look for a site script.
+
+Defining Variables
+==================
+
+ Variables not defined in a site shell script can be set in the
+environment passed to `configure'. However, some packages may run
+configure again during the build, and the customized values of these
+variables may be lost. In order to avoid this problem, you should set
+them in the `configure' command line, using `VAR=value'. For example:
+
+ ./configure CC=/usr/local2/bin/gcc
+
+causes the specified `gcc' to be used as the C compiler (unless it is
+overridden in the site shell script).
+
+Unfortunately, this technique does not work for `CONFIG_SHELL' due to
+an Autoconf bug. Until the bug is fixed you can use this workaround:
+
+ CONFIG_SHELL=/bin/bash /bin/bash ./configure CONFIG_SHELL=/bin/bash
+
+`configure' Invocation
+======================
+
+ `configure' recognizes the following options to control how it
+operates.
+
+`--help'
+`-h'
+ Print a summary of all of the options to `configure', and exit.
+
+`--help=short'
+`--help=recursive'
+ Print a summary of the options unique to this package's
+ `configure', and exit. The `short' variant lists options used
+ only in the top level, while the `recursive' variant lists options
+ also present in any nested packages.
+
+`--version'
+`-V'
+ Print the version of Autoconf used to generate the `configure'
+ script, and exit.
+
+`--cache-file=FILE'
+ Enable the cache: use and save the results of the tests in FILE,
+ traditionally `config.cache'. FILE defaults to `/dev/null' to
+ disable caching.
+
+`--config-cache'
+`-C'
+ Alias for `--cache-file=config.cache'.
+
+`--quiet'
+`--silent'
+`-q'
+ Do not print messages saying which checks are being made. To
+ suppress all normal output, redirect it to `/dev/null' (any error
+ messages will still be shown).
+
+`--srcdir=DIR'
+ Look for the package's source code in directory DIR. Usually
+ `configure' can determine that directory automatically.
+
+`--prefix=DIR'
+ Use DIR as the installation prefix. *note Installation Names::
+ for more details, including other options available for fine-tuning
+ the installation locations.
+
+`--no-create'
+`-n'
+ Run the configure checks, but stop before creating any output
+ files.
+
+`configure' also accepts some other, not widely useful, options. Run
+`configure --help' for more details.
+
--- /dev/null
+/*
+ * evm-utils - IMA/EVM support utilities
+ *
+ * Copyright (C) 2011 Nokia Corporation
+ * Copyright (C) 2011 Intel Corporation
+ *
+ * Authors:
+ * Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
+ * <dmitry.kasatkin@intel.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * version 2.1 as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA
+ *
+ * File: evmctl.c
+ * IMA/EVM control program
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <sys/param.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <attr/xattr.h>
+#include <getopt.h>
+#include <signal.h>
+#include <keyutils.h>
+#include <asm/byteorder.h>
+#include <syslog.h>
+#include <attr/xattr.h>
+
+#include <openssl/sha.h>
+#include <openssl/sha.h>
+#include <openssl/rsa.h>
+#include <openssl/pem.h>
+
+#define USE_FPRINTF
+
+#ifdef USE_FPRINTF
+#define do_log(level, fmt, args...) if (level <= verbose) fprintf(stderr, fmt, ##args)
+#define do_log_dump(level, p, len) if (level <= verbose) do_dump(stderr, p, len)
+#else
+#define do_log(level, fmt, args...) syslog(level, fmt, ##args)
+#define do_log_dump(p, len)
+#endif
+
+#ifdef DEBUG
+#define log_debug(fmt, args...) do_log(LOG_DEBUG, "%s:%d " fmt, __func__ , __LINE__ , ##args)
+#define log_debug_dump(p, len) do_log_dump(LOG_DEBUG, p, len)
+#else
+#define log_debug(fmt, args...)
+#define log_debug_dump(p, len)
+#endif
+
+#define log_dump(p, len) do_log_dump(LOG_INFO, p, len)
+#define log_info(fmt, args...) do_log(LOG_INFO, fmt, ##args)
+#define log_err(fmt, args...) do_log(LOG_ERR, fmt, ##args)
+#define log_errno(fmt, args...) do_log(LOG_ERR, fmt ": %s (%d)\n", ##args, strerror(errno), errno)
+
+#define DATA_SIZE 4096
+#define SHA1_HASH_LEN 20
+
+#define EXT2_IOC_GETVERSION _IOR('v', 1, long)
+#define EXT34_IOC_GETVERSION _IOR('f', 3, long)
+
+#define FS_IOC_GETFLAGS _IOR('f', 1, long)
+#define FS_IOC_SETFLAGS _IOW('f', 2, long)
+#define FS_IOC32_GETFLAGS _IOR('f', 1, int)
+#define FS_IOC32_SETFLAGS _IOW('f', 2, int)
+
+struct h_misc {
+ unsigned long ino;
+ uint32_t generation;
+ uid_t uid;
+ gid_t gid;
+ unsigned short mode;
+} hmac_misc;
+
+enum pubkey_algo {
+ PUBKEY_ALGO_RSA,
+ PUBKEY_ALGO_MAX,
+};
+
+enum digest_algo {
+ DIGEST_ALGO_SHA1,
+ DIGEST_ALGO_SHA256,
+ DIGEST_ALGO_MAX
+};
+
+struct pubkey_hdr {
+ uint8_t version; /* key format version */
+ time_t timestamp; /* key made, always 0 for now */
+ uint8_t algo;
+ uint8_t nmpi;
+ char mpi[0];
+} __attribute__ ((packed));
+
+
+struct signature_hdr {
+ uint8_t version; /* signature format version */
+ time_t timestamp; /* signature made */
+ uint8_t algo;
+ uint8_t hash;
+ uint8_t keyid[8];
+ uint8_t nmpi;
+ char mpi[0];
+} __attribute__ ((packed));
+
+
+static char *evm_config_xattrnames[] = {
+ "security.selinux",
+ "security.SMACK64",
+ "security.ima",
+ "security.capability",
+ NULL
+};
+
+struct command {
+ char *name;
+ int (*func)(struct command *cmd);
+ int cmd;
+ char *arg;
+ char *msg; /* extra info message */
+};
+
+static int verbose = LOG_INFO - 1;
+static int g_argc;
+static char **g_argv;
+static int set_xattr = 1;
+static int digest = 0;
+static int digsig = 0;
+static char *hash_algo = "sha1";
+static int binkey = 0;
+
+extern struct command cmds[];
+static void print_usage(struct command *cmd);
+
+static void do_dump(FILE *fp, const void *ptr, int len)
+{
+ int i;
+ uint8_t *data = (uint8_t *)ptr;
+
+ for (i = 0; i < len; i++) {
+ fprintf(fp, "%02x", data[i]);
+ }
+ fprintf(fp, "\n");
+}
+
+static void dump(const void *ptr, int len)
+{
+ do_dump(stdout, ptr, len);
+}
+
+static inline int get_filesize(const char *filename)
+{
+ struct stat stats;
+ /* Need to know the file length */
+ stat(filename, &stats);
+ return (int) stats.st_size;
+}
+
+static inline int get_fdsize(int fd)
+{
+ struct stat stats;
+ /* Need to know the file length */
+ fstat(fd, &stats);
+ return (int) stats.st_size;
+}
+
+static int bin2file(const char *file, const char *ext, const unsigned char *data, int len)
+{
+ FILE *fp;
+ char name[strlen(file) + (ext ? strlen(ext) : 0) + 2];
+ int err;
+
+ if (ext)
+ sprintf(name, "%s.%s", file, ext);
+ else
+ sprintf(name, "%s", file);
+
+ log_info("Writing to %s\n", name);
+
+ fp = fopen(name, "w");
+ if (!fp) {
+ log_errno("Unable to open %s for writing", name);
+ return -1;
+ }
+ err = fwrite(data, len, 1, fp);
+ fclose(fp);
+ return err;
+}
+
+static char *file2bin(const char *file, int *size)
+{
+ FILE *fp;
+ int len;
+ char *data;
+
+ len = get_filesize(file);
+ fp = fopen(file, "r");
+ if (!fp) {
+ log_errno("Unable to open %s", file);
+ return NULL;
+ }
+ data = malloc(len);
+ if (!fread(data, len, 1, fp))
+ len = 0;
+ fclose(fp);
+
+ *size = len;
+ return data;
+}
+
+/*
+ * Create binary key representation suitable for kernel
+ */
+static int key2bin(RSA *key, unsigned char *pub)
+{
+ int len, b, offset = 0;
+ struct pubkey_hdr *pkh = (struct pubkey_hdr *)pub;
+
+ /* add key header */
+ pkh->version = 1;
+ pkh->timestamp = 0; /* PEM has no timestamp?? */
+ pkh->algo = PUBKEY_ALGO_RSA;
+ pkh->nmpi = 2;
+
+ offset += sizeof(*pkh);
+
+ // MPIs
+ len = BN_num_bytes(key->n);
+ b = BN_num_bits(key->n);
+ pub[offset++] = b >> 8;
+ pub[offset++] = b & 0xff;
+ BN_bn2bin(key->n, &pub[offset]);
+ offset += len;
+
+ len = BN_num_bytes(key->e);
+ b = BN_num_bits(key->e);
+ pub[offset++] = b >> 8;
+ pub[offset++] = b & 0xff;
+ BN_bn2bin(key->e, &pub[offset]);
+ offset += len;
+
+ return offset;
+}
+
+static int read_key(const char *inkey, unsigned char *pub)
+{
+ FILE *fp;
+ RSA *key = NULL, *key1;
+ int len;
+
+ fp = fopen(inkey, "r");
+ if (!fp) {
+ log_errno("read key failed from file %s", inkey);
+ return -1;
+ }
+
+ key1 = PEM_read_RSA_PUBKEY(fp, &key, NULL, NULL);
+ fclose(fp);
+ if (!key1) {
+ log_errno("PEM_read_RSA_PUBKEY() failed");
+ return -1;
+ }
+
+ len = key2bin(key, pub);
+
+ RSA_free(key);
+
+ return len;
+}
+
+
+static void calc_keyid(uint8_t *keyid, char *str, const unsigned char *pkey, int len)
+{
+ uint8_t sha1[SHA_DIGEST_LENGTH];
+ uint64_t id;
+
+ log_debug("pkey:\n");
+ log_debug_dump(pkey, len);
+ SHA1(pkey, len, sha1);
+
+ //sha1[12 - 19] is exactly keyid from gpg file
+ memcpy(keyid, sha1 + 12, 8);
+ log_debug("keyid:\n");
+ log_debug_dump(keyid, 8);
+
+ id = __be64_to_cpup((__be64 *)keyid);
+ sprintf(str, "%llX", (unsigned long long)id);
+ log_info("keyid: %s\n", str);
+}
+
+static int sign_hash(const unsigned char *hash, int size, const char *keyfile, unsigned char *sig)
+{
+ int err, len;
+ SHA_CTX ctx;
+ unsigned char pub[1024];
+ RSA *key = NULL, *key1;
+ FILE *fp;
+ char name[20];
+ unsigned char sighash[20];
+ struct signature_hdr *hdr = (struct signature_hdr *)sig;
+ uint16_t *blen;
+
+ log_info("hash: ");
+ log_dump(hash, size);
+
+ fp = fopen(keyfile, "r");
+ if (!fp) {
+ log_errno("Unable to open keyfile %s", keyfile);
+ return -1;
+ }
+ key1 = PEM_read_RSAPrivateKey(fp, &key, NULL, NULL);
+ fclose(fp);
+ if (!key1) {
+ log_errno("RSAPrivateKey() failed");
+ return -1;
+ }
+
+ /* now create a new hash */
+ hdr->version = 1;
+ time(&hdr->timestamp);
+ hdr->algo = PUBKEY_ALGO_RSA;
+ hdr->hash = DIGEST_ALGO_SHA1;
+
+ len = key2bin(key, pub);
+ calc_keyid(hdr->keyid, name, pub, len);
+
+ hdr->nmpi = 1;
+
+ SHA1_Init(&ctx);
+ SHA1_Update(&ctx, hash, size);
+ SHA1_Update(&ctx, hdr, sizeof(*hdr));
+ SHA1_Final(sighash, &ctx);
+ log_info("sighash: ");
+ log_dump(sighash, sizeof(sighash));
+
+ err = RSA_private_encrypt(sizeof(sighash), sighash, sig + sizeof(*hdr) + 2, key, RSA_PKCS1_PADDING);
+ RSA_free(key);
+ if (err < 0) {
+ log_errno("RSA_private_encrypt() failed: %d", err);
+ return -1;
+ }
+
+ len = err;
+
+ /* we add bit length of the signature to make it gnupg compatible */
+ blen = (uint16_t *)(sig + sizeof(*hdr));
+ *blen = __cpu_to_be16(len << 3);
+ len += sizeof(*hdr) + 2;
+ log_info("evm/ima signature: %d bytes\n", len);
+ if (!set_xattr || verbose >= LOG_INFO)
+ dump(sig, len);
+
+ return len;
+}
+
+static int calc_evm_hash(const char *file, const char *keyfile, unsigned char *hash)
+{
+ struct stat st;
+ int fd, err;
+ uint32_t generation;
+ SHA_CTX ctx;
+ char **xattrname;
+ char xattr_value[1024];
+
+ fd = open(file, 0);
+ if (fd < 0) {
+ log_errno("Unable to open %s", file);
+ return -1;
+ }
+
+ if (fstat(fd, &st)) {
+ log_errno("fstat() failed");
+ return -1;
+ }
+
+ if (ioctl(fd, EXT34_IOC_GETVERSION, &generation)) {
+ log_errno("ioctl() failed");
+ return -1;
+ }
+
+ close(fd);
+
+ log_info("generation: %u\n", generation);
+
+ SHA1_Init(&ctx);
+
+ for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
+ err = getxattr(file, *xattrname, xattr_value, sizeof(xattr_value));
+ if (err < 0) {
+ log_info("no attr: %s\n", *xattrname);
+ continue;
+ }
+ //log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);
+ log_info("name: %s, size: %d\n", *xattrname, err);
+ log_debug_dump(xattr_value, err);
+ SHA1_Update(&ctx, xattr_value, err);
+ }
+
+ memset(&hmac_misc, 0, sizeof(hmac_misc));
+ hmac_misc.ino = st.st_ino;
+ hmac_misc.generation = generation;
+ hmac_misc.uid = st.st_uid;
+ hmac_misc.gid = st.st_gid;
+ hmac_misc.mode = st.st_mode;
+
+ SHA1_Update(&ctx, (const unsigned char*)&hmac_misc, sizeof(hmac_misc));
+ SHA1_Final(hash, &ctx);
+
+ return 0;
+}
+
+static int sign_evm(const char *file, const char *key)
+{
+ unsigned char hash[20];
+ unsigned char sig[1024] = "\x03";
+ int err;
+
+ calc_evm_hash(file, key, hash);
+
+ err = sign_hash(hash, sizeof(hash), key, sig + 1);
+ if (err < 0)
+ return err;
+
+ if (set_xattr) {
+ err = setxattr(file, "security.evm", sig, err + 1, 0);
+ if (err < 0) {
+ log_errno("setxattr failed: %s", file);
+ return err;
+ }
+ }
+
+ return 0;
+}
+
+static int calc_file_hash(const char *file, uint8_t *hash)
+{
+ EVP_MD_CTX ctx;
+ const EVP_MD *md;
+ uint8_t *data;
+ int err, size, bs = DATA_SIZE;
+ size_t len;
+ unsigned int mdlen;
+ FILE *fp;
+
+ data = malloc(bs);
+ if (!data) {
+ log_errno("malloc failed");
+ return -1;
+ }
+
+ fp = fopen(file, "r");
+ if (!fp) {
+ log_errno("Unable to open %s", file);
+ return -1;
+ }
+
+ OpenSSL_add_all_digests();
+
+ md = EVP_get_digestbyname(hash_algo);
+ if (!md) {
+ log_errno("EVP_get_digestbyname() failed");
+ return -1;
+ }
+
+ err = EVP_DigestInit(&ctx, md);
+ if (!err) {
+ log_errno("EVP_DigestInit() failed");
+ return -1;
+ }
+
+ for (size = get_fdsize(fileno(fp)); size; size -= len) {
+ len = MIN(size, bs);
+ err = fread(data, len, 1, fp);
+ if (!err) {
+ if (ferror(fp)) {
+ log_errno("fread() error\n");
+ return -1;
+ }
+ break;
+ }
+ err = EVP_DigestUpdate(&ctx, data, len);
+ if (!err) {
+ log_errno("EVP_DigestUpdate() failed");
+ return -1;
+ }
+ }
+
+ err = EVP_DigestFinal(&ctx, hash, &mdlen);
+ if (!err) {
+ log_errno("EVP_DigestFinal() failed");
+ return -1;
+ }
+
+ fclose(fp);
+
+ free(data);
+
+ return mdlen;
+}
+
+static int hash_ima(const char *file)
+{
+ unsigned char hash[65] = "\x01";// MAX hash size + 1
+ int err;
+
+ err = calc_file_hash(file, hash + 1);
+ if (err < 0)
+ return err;
+
+ if (!set_xattr || verbose >= LOG_INFO)
+ dump(hash, err + 1);
+
+ if (set_xattr) {
+ err = setxattr(file, "security.ima", hash, err + 1, 0);
+ if (err < 0) {
+ log_errno("setxattr failed: %s", file);
+ return err;
+ }
+ }
+
+ return 0;
+}
+
+static int cmd_hash_ima(struct command *cmd)
+{
+ char *file = g_argv[optind++];
+
+ if (!file) {
+ log_err("Parameters missing\n");
+ print_usage(cmd);
+ return 1;
+ }
+
+ return hash_ima(file);
+}
+
+static int sign_ima(const char *file, const char *key)
+{
+ unsigned char hash[64];
+ unsigned char sig[1024] = "\x03";
+ int err;
+
+ err = calc_file_hash(file, hash);
+ if (err < 0)
+ return err;
+
+ err = sign_hash(hash, err, key, sig + 1);
+ if (err < 0)
+ return err;
+
+ if (set_xattr) {
+ err = setxattr(file, "security.ima", sig, err + 1, 0);
+ if (err < 0) {
+ log_errno("setxattr failed: %s", file);
+ return err;
+ }
+ }
+
+ return 0;
+}
+
+static int cmd_sign_ima(struct command *cmd)
+{
+ char *key, *file = g_argv[optind++];
+
+ if (!file) {
+ log_err("Parameters missing\n");
+ print_usage(cmd);
+ return 1;
+ }
+
+ key = g_argv[optind++];
+ if (!key)
+ key = "/etc/keys/privkey_evm.pem";
+
+ return sign_ima(file, key);
+
+}
+
+static int cmd_sign_evm(struct command *cmd)
+{
+ char *key, *file = g_argv[optind++];
+ int err;
+
+ if (!file) {
+ log_err("Parameters missing\n");
+ print_usage(cmd);
+ return 1;
+ }
+
+ key = g_argv[optind++];
+ if (!key)
+ key = "/etc/keys/privkey_evm.pem";
+
+ if (digsig) {
+ err = sign_ima(file, key);
+ if (err)
+ return err;
+ }
+
+ if (digest) {
+ err = hash_ima(file);
+ if (err)
+ return err;
+ }
+
+ return sign_evm(file, key);
+}
+
+static int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile)
+{
+ int err, len;
+ SHA_CTX ctx;
+ unsigned char out[1024];
+ RSA *key = NULL, *key1;
+ FILE *fp;
+ unsigned char sighash[20];
+ struct signature_hdr *hdr = (struct signature_hdr *)sig;
+
+ log_info("hash: ");
+ log_dump(hash, size);
+
+ fp = fopen(keyfile, "r");
+ if (!fp) {
+ log_errno("Unable to open keyfile %s", keyfile);
+ return -1;
+ }
+ key1 = PEM_read_RSA_PUBKEY(fp, &key, NULL, NULL);
+ fclose(fp);
+ if (!key1) {
+ log_errno("PEM_read_RSA_PUBKEY() failed");
+ return -1;
+ }
+
+ SHA1_Init(&ctx);
+ SHA1_Update(&ctx, hash, size);
+ SHA1_Update(&ctx, hdr, sizeof(*hdr));
+ SHA1_Final(sighash, &ctx);
+ log_info("sighash: ");
+ log_dump(sighash, sizeof(sighash));
+
+ err = RSA_public_decrypt(siglen - sizeof(*hdr) - 2, sig + sizeof(*hdr) + 2, out, key, RSA_PKCS1_PADDING);
+ RSA_free(key);
+ if (err < 0) {
+ log_errno("RSA_public_decrypt() failed: %d", err);
+ return -1;
+ }
+
+ len = err;
+
+ if (len != sizeof(sighash) || memcmp(out, sighash, len) != 0) {
+ log_errno("Verification failed: %d", err);
+ return -1;
+ } else {
+ //log_info("Verification is OK\n");
+ printf("Verification is OK\n");
+ }
+
+ return 0;
+}
+
+static int verify_evm(const char *file, const char *key)
+{
+ unsigned char hash[20];
+ unsigned char sig[1024];
+ int err;
+
+ calc_evm_hash(file, key, hash);
+
+ err = getxattr(file, "security.evm", sig, sizeof(sig));
+ if (err < 0) {
+ log_errno("getxattr failed");
+ return err;
+ }
+
+ if (sig[0] != 0x03) {
+ log_errno("security.evm has not signature");
+ return err;
+ }
+
+ return verify_hash(hash, sizeof(hash), sig + 1, err - 1, key);
+}
+
+static int cmd_verify_evm(struct command *cmd)
+{
+ char *key, *file = g_argv[optind++];
+
+ if (!file) {
+ log_err("Parameters missing\n");
+ print_usage(cmd);
+ return 1;
+ }
+
+ key = g_argv[optind++];
+ if (!key)
+ key = "/etc/keys/pubkey_evm.pem";
+
+ return verify_evm(file, key);
+}
+
+static int cmd_convert(struct command *cmd)
+{
+ char *inkey, *outkey = NULL;
+ unsigned char pub[1024];
+ char name[20];
+ int len;
+ uint8_t keyid[8];
+
+ inkey = g_argv[optind++];
+ if (!inkey)
+ inkey = "/etc/keys/pubkey_evm.pem";
+ else
+ outkey = g_argv[optind++];
+
+ if (!outkey)
+ outkey = "pubkey_evm.bin";
+
+ log_info("Convert public key %s to %s\n", inkey, outkey);
+
+ len = read_key(inkey, pub);
+ if (len < 0)
+ return -1;
+
+ calc_keyid(keyid, name, pub, len);
+
+ bin2file(outkey, name, pub, len);
+
+ return 0;
+}
+
+static int cmd_import_bin(struct command *cmd)
+{
+ int len;
+ char *inkey, *ring = NULL;
+ char *key, name[20];
+ key_serial_t id;
+ uint8_t keyid[8];
+
+ inkey = g_argv[optind++];
+ if (!inkey)
+ inkey = "/etc/keys/pubkey_evm.bin";
+ else
+ ring = g_argv[optind++];
+
+ if (!ring)
+ id = KEY_SPEC_USER_KEYRING;
+ else
+ id = atoi(ring);
+
+ key = file2bin(inkey, &len);
+ if (!key)
+ return -1;
+
+ calc_keyid(keyid, name, (unsigned char *)key, len);
+
+ log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id);
+
+ id = add_key("user", name, key, len, id);
+ if (id < 0) {
+ log_errno("add_key failed");
+ return -1;
+ }
+
+ log_info("keyid: %d\n", id);
+ printf("%d\n", id);
+
+ free(key);
+
+ return 0;
+}
+
+static int cmd_import(struct command *cmd)
+{
+ char *inkey, *ring = NULL;
+ unsigned char key[1024];
+ int id, len;
+ char name[20];
+ uint8_t keyid[8];
+
+ if (binkey)
+ return cmd_import_bin(cmd);
+
+ inkey = g_argv[optind++];
+ if (!inkey)
+ inkey = "/etc/keys/pubkey_evm.pem";
+ else
+ ring = g_argv[optind++];
+
+ if (!ring)
+ id = KEY_SPEC_USER_KEYRING;
+ else
+ id = atoi(ring);
+
+ len = read_key(inkey, key);
+ if (len < 0)
+ return -1;
+
+ calc_keyid(keyid, name, key, len);
+
+ log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id);
+
+ id = add_key("user", name, key, len, id);
+ if (id < 0) {
+ log_errno("add_key failed");
+ return -1;
+ }
+
+ log_info("keyid: %d\n", id);
+ printf("%d\n", id);
+
+ return 0;
+}
+
+static void print_usage(struct command *cmd)
+{
+ printf("usage: %s %s\n", cmd->name, cmd->arg ? cmd->arg : "");
+}
+
+static void print_full_usage(struct command *cmd)
+{
+ if (cmd->name)
+ printf("usage: %s %s\n", cmd->name, cmd->arg ? cmd->arg : "");
+ if (cmd->msg)
+ printf("description:\n%s", cmd->msg);
+
+}
+
+static int print_command_usage(struct command *cmds, char *command)
+{
+ struct command *cmd;
+
+ for (cmd = cmds; cmd->name; cmd++) {
+ if (strcmp(cmd->name, command) == 0) {
+ print_full_usage(cmd);
+ return 0;
+ }
+ }
+ printf("invalid command: %s\n", command);
+ return 1;
+}
+
+static void print_all_usage(struct command *cmds)
+{
+ struct command *cmd;
+
+ for (cmd = cmds; cmd->name; cmd++) {
+ if (cmd->arg)
+ printf("%s %s\n", cmd->name, cmd->arg);
+ else if (cmd->msg)
+ printf("%s", cmd->msg);
+ }
+}
+
+static int call_command(struct command *cmds, char *command)
+{
+ struct command *cmd;
+
+ for (cmd = cmds; cmd->name; cmd++) {
+ if (strcasecmp(cmd->name, command) == 0)
+ return cmd->func(cmd);
+ }
+ printf("Invalid command: %s\n", command);
+ return -1;
+}
+
+static int cmd_help(struct command *cmd)
+{
+ if (!g_argv[optind]) {
+ print_usage(cmd);
+ return 0;
+ } else
+ return print_command_usage(cmds, g_argv[optind]);
+}
+
+static void usage(void)
+{
+ printf("Usage: evmctl <command> [parameters..]\n");
+
+ print_all_usage(cmds);
+}
+
+struct command cmds[] = {
+ {"help", cmd_help, 0, "<command>"},
+ {"import", cmd_import, 0, "[--bin] inkey keyring", "Import public key (PEM/bin) into the keyring.\n" },
+ {"convert", cmd_convert, 0, "inkey outkey", "Convert PEM public key into IMA/EVM kernel friendly format.\n" },
+ {"sign", cmd_sign_evm, 0, "[--imahash | --imasig ] file [key]", "Sign file metadata.\n" },
+ {"verify", cmd_verify_evm, 0, "file", "Verify EVM.\n" },
+ {"ima_sign", cmd_sign_ima, 0, "file [key]", "Sign file content.\n" },
+ {"ima_hash", cmd_hash_ima, 0, "file", "Hash file content.\n" },
+ {0, 0, 0, NULL}
+};
+
+static struct option opts[] = {
+ {"help", 0, 0, 'h'},
+ {"inkey", 1, 0, 'k'},
+ {"imasig", 0, 0, 's'},
+ {"imahash", 0, 0, 'd'},
+ {"hashalgo", 1, 0, 'a'},
+ {"bin", 0, 0, 'b'},
+ {}
+
+};
+
+int main(int argc, char *argv[])
+{
+ int err = 0, c, lind;
+
+ g_argv = argv;
+ g_argc = argc;
+
+ while (1) {
+ c = getopt_long(argc, argv, "hk:vnsda:b", opts, &lind);
+ if (c == -1)
+ break;
+
+ switch (c) {
+ case 'h':
+ usage();
+ exit(0);
+ break;
+ case 'k':
+ printf("inkey: %s\n", optarg);
+ break;
+ case 'v':
+ verbose++;
+ break;
+ case 'd':
+ digest = 1;
+ break;
+ case 's':
+ digsig = 1;
+ break;
+ case 'n':
+ set_xattr = 0; // do not set Extended Attributes... just print signature
+ break;
+ case 'a':
+ hash_algo = optarg;
+ break;
+ case 'b':
+ binkey = 1;
+ break;
+ case '?':
+ exit(1);
+ break;
+ default:
+ log_err("getopt() returned: %d (%c)\n", c, c);
+ }
+ }
+
+ if (argv[optind] == NULL)
+ usage();
+ else
+ err = call_command(cmds, argv[optind++]);
+
+ return err;
+}