Save full security.ima attribute to a file

Right now if -f option is passed in, we only save the actual signature to
a file and not the full security.ima attribute.

I think it makes more sense to save full security.ima attribute so that
it can act as detached signatures and one can install signature later.
That is signing can take place on build server and detached signatures
can be generated and these signatures can be installed later on target.

One can use following steps.

evmctl ima_sign -f -x -a sha256 /tmp/data.txt

hexdump -v -e '1/1 "%02x"' /tmp/data.txt.sig > /tmp/data.txt.sig.hex
printf "# file: /tmp/data.txt\nsecurity.ima=0x" | cat - /tmp/data.txt.sig.hex | setfattr --restore -

evmctl ima_verify /tmp/data.txt

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>

diff --git a/src/evmctl.c b/src/evmctl.c
index 9a36def..5879e5d 100644 (file)
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1044,7 +1044,7 @@ static int sign_ima(const char *file, const char *key)
        }
 
        if (sigfile)
-               bin2file(file, "sig", sig + 1, len - 1);
+               bin2file(file, "sig", sig, len);
 
        if (xattr) {
                err = setxattr(file, "security.ima", sig, len, 0);
@@ -1281,8 +1281,7 @@ static int verify_ima(const char *file)
        if (sigfile) {
                void *tmp;
                tmp = file2bin(file, "sig", &len);
-               sig[0] = 0x03;
-               memcpy(sig+1, tmp, len++);
+               memcpy(sig, tmp, len);
                free(tmp);
        }