author | Marc Kleine-Budde <mkl@pengutronix.de> | 2015-11-13 11:16:28 +0100 |
---|---|---|
committer | Marc Kleine-Budde <mkl@pengutronix.de> | 2015-11-19 11:40:07 +0100 |
commit | 13990299f9f1914f128f8ecaba05ad85c0afc5d9 (patch) | |
tree | 77735e4aa78c303c432d769cd663ed268c5edff7 /patches/ima-evm-utils-1.0 | |
parent | 784e047d4ca009890cfdda6badcff5e416096911 (diff) | |
download | ptxdist-13990299f9f1914f128f8ecaba05ad85c0afc5d9.tar.gz ptxdist-13990299f9f1914f128f8ecaba05ad85c0afc5d9.tar.xz |
ima-evm-utils: version bump to 1.0
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Diffstat (limited to 'patches/ima-evm-utils-1.0')
9 files changed, 825 insertions, 0 deletions
diff --git a/patches/ima-evm-utils-1.0/0001-INSTALL-remove-file-at-it-s-autogenerated-by-autotoo.patch b/patches/ima-evm-utils-1.0/0001-INSTALL-remove-file-at-it-s-autogenerated-by-autotoo.patch new file mode 100644 index 000000000..c035197d9 --- /dev/null +++ b/patches/ima-evm-utils-1.0/0001-INSTALL-remove-file-at-it-s-autogenerated-by-autotoo.patch 
@@ -0,0 +1,389 @@ +From: Marc Kleine-Budde <mkl@pengutronix.de> +Date: Wed, 18 Nov 2015 15:15:15 +0100 +Subject: [PATCH] INSTALL: remove file, at it's autogenerated by autotools + +This patch remove the file "INSTALL" which is autogenerated during +./autogen.sh. + +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +--- + INSTALL | 370 ---------------------------------------------------------------- + 1 file changed, 370 deletions(-) + delete mode 100644 INSTALL + +diff --git a/INSTALL b/INSTALL +deleted file mode 100644 +index 007e9396d0a2..000000000000 +--- a/INSTALL ++++ /dev/null +@@ -1,370 +0,0 @@ +-Installation Instructions +-************************* +- +-Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation, +-Inc. +- +- Copying and distribution of this file, with or without modification, +-are permitted in any medium without royalty provided the copyright +-notice and this notice are preserved. This file is offered as-is, +-without warranty of any kind. +- +-Basic Installation +-================== +- +- Briefly, the shell commands `./configure; make; make install' should +-configure, build, and install this package. The following +-more-detailed instructions are generic; see the `README' file for +-instructions specific to this package. Some packages provide this +-`INSTALL' file but do not implement all of the features documented +-below. The lack of an optional feature in a given package is not +-necessarily a bug. More recommendations for GNU packages can be found +-in *note Makefile Conventions: (standards)Makefile Conventions. +- +- The `configure' shell script attempts to guess correct values for +-various system-dependent variables used during compilation. It uses +-those values to create a `Makefile' in each directory of the package. +-It may also create one or more `.h' files containing system-dependent +-definitions. 
Finally, it creates a shell script `config.status' that +-you can run in the future to recreate the current configuration, and a +-file `config.log' containing compiler output (useful mainly for +-debugging `configure'). +- +- It can also use an optional file (typically called `config.cache' +-and enabled with `--cache-file=config.cache' or simply `-C') that saves +-the results of its tests to speed up reconfiguring. Caching is +-disabled by default to prevent problems with accidental use of stale +-cache files. +- +- If you need to do unusual things to compile the package, please try +-to figure out how `configure' could check whether to do them, and mail +-diffs or instructions to the address given in the `README' so they can +-be considered for the next release. If you are using the cache, and at +-some point `config.cache' contains results you don't want to keep, you +-may remove or edit it. +- +- The file `configure.ac' (or `configure.in') is used to create +-`configure' by a program called `autoconf'. You need `configure.ac' if +-you want to change it or regenerate `configure' using a newer version +-of `autoconf'. +- +- The simplest way to compile this package is: +- +- 1. `cd' to the directory containing the package's source code and type +- `./configure' to configure the package for your system. +- +- Running `configure' might take a while. While running, it prints +- some messages telling which features it is checking for. +- +- 2. Type `make' to compile the package. +- +- 3. Optionally, type `make check' to run any self-tests that come with +- the package, generally using the just-built uninstalled binaries. +- +- 4. Type `make install' to install the programs and any data files and +- documentation. When installing into a prefix owned by root, it is +- recommended that the package be configured and built as a regular +- user, and only the `make install' phase executed with root +- privileges. +- +- 5. 
Optionally, type `make installcheck' to repeat any self-tests, but +- this time using the binaries in their final installed location. +- This target does not install anything. Running this target as a +- regular user, particularly if the prior `make install' required +- root privileges, verifies that the installation completed +- correctly. +- +- 6. You can remove the program binaries and object files from the +- source code directory by typing `make clean'. To also remove the +- files that `configure' created (so you can compile the package for +- a different kind of computer), type `make distclean'. There is +- also a `make maintainer-clean' target, but that is intended mainly +- for the package's developers. If you use it, you may have to get +- all sorts of other programs in order to regenerate files that came +- with the distribution. +- +- 7. Often, you can also type `make uninstall' to remove the installed +- files again. In practice, not all packages have tested that +- uninstallation works correctly, even though it is required by the +- GNU Coding Standards. +- +- 8. Some packages, particularly those that use Automake, provide `make +- distcheck', which can by used by developers to test that all other +- targets like `make install' and `make uninstall' work correctly. +- This target is generally not run by end users. +- +-Compilers and Options +-===================== +- +- Some systems require unusual options for compilation or linking that +-the `configure' script does not know about. Run `./configure --help' +-for details on some of the pertinent environment variables. +- +- You can give `configure' initial values for configuration parameters +-by setting variables in the command line or in the environment. Here +-is an example: +- +- ./configure CC=c99 CFLAGS=-g LIBS=-lposix +- +- *Note Defining Variables::, for more details. 
+- +-Compiling For Multiple Architectures +-==================================== +- +- You can compile the package for more than one kind of computer at the +-same time, by placing the object files for each architecture in their +-own directory. To do this, you can use GNU `make'. `cd' to the +-directory where you want the object files and executables to go and run +-the `configure' script. `configure' automatically checks for the +-source code in the directory that `configure' is in and in `..'. This +-is known as a "VPATH" build. +- +- With a non-GNU `make', it is safer to compile the package for one +-architecture at a time in the source code directory. After you have +-installed the package for one architecture, use `make distclean' before +-reconfiguring for another architecture. +- +- On MacOS X 10.5 and later systems, you can create libraries and +-executables that work on multiple system types--known as "fat" or +-"universal" binaries--by specifying multiple `-arch' options to the +-compiler but only a single `-arch' option to the preprocessor. Like +-this: +- +- ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ +- CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ +- CPP="gcc -E" CXXCPP="g++ -E" +- +- This is not guaranteed to produce working output in all cases, you +-may have to build one architecture at a time and combine the results +-using the `lipo' tool if you have problems. +- +-Installation Names +-================== +- +- By default, `make install' installs the package's commands under +-`/usr/local/bin', include files under `/usr/local/include', etc. You +-can specify an installation prefix other than `/usr/local' by giving +-`configure' the option `--prefix=PREFIX', where PREFIX must be an +-absolute file name. +- +- You can specify separate installation prefixes for +-architecture-specific files and architecture-independent files. 
If you +-pass the option `--exec-prefix=PREFIX' to `configure', the package uses +-PREFIX as the prefix for installing programs and libraries. +-Documentation and other data files still use the regular prefix. +- +- In addition, if you use an unusual directory layout you can give +-options like `--bindir=DIR' to specify different values for particular +-kinds of files. Run `configure --help' for a list of the directories +-you can set and what kinds of files go in them. In general, the +-default for these options is expressed in terms of `${prefix}', so that +-specifying just `--prefix' will affect all of the other directory +-specifications that were not explicitly provided. +- +- The most portable way to affect installation locations is to pass the +-correct locations to `configure'; however, many packages provide one or +-both of the following shortcuts of passing variable assignments to the +-`make install' command line to change installation locations without +-having to reconfigure or recompile. +- +- The first method involves providing an override variable for each +-affected directory. For example, `make install +-prefix=/alternate/directory' will choose an alternate location for all +-directory configuration variables that were expressed in terms of +-`${prefix}'. Any directories that were specified during `configure', +-but not in terms of `${prefix}', must each be overridden at install +-time for the entire installation to be relocated. The approach of +-makefile variable overrides for each directory variable is required by +-the GNU Coding Standards, and ideally causes no recompilation. +-However, some platforms have known limitations with the semantics of +-shared libraries that end up requiring recompilation when using this +-method, particularly noticeable in packages that use GNU Libtool. +- +- The second method involves providing the `DESTDIR' variable. 
For +-example, `make install DESTDIR=/alternate/directory' will prepend +-`/alternate/directory' before all installation names. The approach of +-`DESTDIR' overrides is not required by the GNU Coding Standards, and +-does not work on platforms that have drive letters. On the other hand, +-it does better at avoiding recompilation issues, and works well even +-when some directory options were not specified in terms of `${prefix}' +-at `configure' time. +- +-Optional Features +-================= +- +- If the package supports it, you can cause programs to be installed +-with an extra prefix or suffix on their names by giving `configure' the +-option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. +- +- Some packages pay attention to `--enable-FEATURE' options to +-`configure', where FEATURE indicates an optional part of the package. +-They may also pay attention to `--with-PACKAGE' options, where PACKAGE +-is something like `gnu-as' or `x' (for the X Window System). The +-`README' should mention any `--enable-' and `--with-' options that the +-package recognizes. +- +- For packages that use the X Window System, `configure' can usually +-find the X include and library files automatically, but if it doesn't, +-you can use the `configure' options `--x-includes=DIR' and +-`--x-libraries=DIR' to specify their locations. +- +- Some packages offer the ability to configure how verbose the +-execution of `make' will be. For these packages, running `./configure +---enable-silent-rules' sets the default to minimal output, which can be +-overridden with `make V=1'; while running `./configure +---disable-silent-rules' sets the default to verbose, which can be +-overridden with `make V=0'. +- +-Particular systems +-================== +- +- On HP-UX, the default C compiler is not ANSI C compatible. 
If GNU +-CC is not installed, it is recommended to use the following options in +-order to use an ANSI C compiler: +- +- ./configure CC="cc -Ae -D_XOPEN_SOURCE=500" +- +-and if that doesn't work, install pre-built binaries of GCC for HP-UX. +- +- HP-UX `make' updates targets which have the same time stamps as +-their prerequisites, which makes it generally unusable when shipped +-generated files such as `configure' are involved. Use GNU `make' +-instead. +- +- On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot +-parse its `<wchar.h>' header file. The option `-nodtk' can be used as +-a workaround. If GNU CC is not installed, it is therefore recommended +-to try +- +- ./configure CC="cc" +- +-and if that doesn't work, try +- +- ./configure CC="cc -nodtk" +- +- On Solaris, don't put `/usr/ucb' early in your `PATH'. This +-directory contains several dysfunctional programs; working variants of +-these programs are available in `/usr/bin'. So, if you need `/usr/ucb' +-in your `PATH', put it _after_ `/usr/bin'. +- +- On Haiku, software installed for all users goes in `/boot/common', +-not `/usr/local'. It is recommended to use the following options: +- +- ./configure --prefix=/boot/common +- +-Specifying the System Type +-========================== +- +- There may be some features `configure' cannot figure out +-automatically, but needs to determine by the type of machine the package +-will run on. Usually, assuming the package is built to be run on the +-_same_ architectures, `configure' can figure that out, but if it prints +-a message saying it cannot guess the machine type, give it the +-`--build=TYPE' option. TYPE can either be a short name for the system +-type, such as `sun4', or a canonical name which has the form: +- +- CPU-COMPANY-SYSTEM +- +-where SYSTEM can have one of these forms: +- +- OS +- KERNEL-OS +- +- See the file `config.sub' for the possible values of each field. 
If +-`config.sub' isn't included in this package, then this package doesn't +-need to know the machine type. +- +- If you are _building_ compiler tools for cross-compiling, you should +-use the option `--target=TYPE' to select the type of system they will +-produce code for. +- +- If you want to _use_ a cross compiler, that generates code for a +-platform different from the build platform, you should specify the +-"host" platform (i.e., that on which the generated programs will +-eventually be run) with `--host=TYPE'. +- +-Sharing Defaults +-================ +- +- If you want to set default values for `configure' scripts to share, +-you can create a site shell script called `config.site' that gives +-default values for variables like `CC', `cache_file', and `prefix'. +-`configure' looks for `PREFIX/share/config.site' if it exists, then +-`PREFIX/etc/config.site' if it exists. Or, you can set the +-`CONFIG_SITE' environment variable to the location of the site script. +-A warning: not all `configure' scripts look for a site script. +- +-Defining Variables +-================== +- +- Variables not defined in a site shell script can be set in the +-environment passed to `configure'. However, some packages may run +-configure again during the build, and the customized values of these +-variables may be lost. In order to avoid this problem, you should set +-them in the `configure' command line, using `VAR=value'. For example: +- +- ./configure CC=/usr/local2/bin/gcc +- +-causes the specified `gcc' to be used as the C compiler (unless it is +-overridden in the site shell script). +- +-Unfortunately, this technique does not work for `CONFIG_SHELL' due to +-an Autoconf limitation. Until the limitation is lifted, you can use +-this workaround: +- +- CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash +- +-`configure' Invocation +-====================== +- +- `configure' recognizes the following options to control how it +-operates. 
+- +-`--help' +-`-h' +- Print a summary of all of the options to `configure', and exit. +- +-`--help=short' +-`--help=recursive' +- Print a summary of the options unique to this package's +- `configure', and exit. The `short' variant lists options used +- only in the top level, while the `recursive' variant lists options +- also present in any nested packages. +- +-`--version' +-`-V' +- Print the version of Autoconf used to generate the `configure' +- script, and exit. +- +-`--cache-file=FILE' +- Enable the cache: use and save the results of the tests in FILE, +- traditionally `config.cache'. FILE defaults to `/dev/null' to +- disable caching. +- +-`--config-cache' +-`-C' +- Alias for `--cache-file=config.cache'. +- +-`--quiet' +-`--silent' +-`-q' +- Do not print messages saying which checks are being made. To +- suppress all normal output, redirect it to `/dev/null' (any error +- messages will still be shown). +- +-`--srcdir=DIR' +- Look for the package's source code in directory DIR. Usually +- `configure' can determine that directory automatically. +- +-`--prefix=DIR' +- Use DIR as the installation prefix. *note Installation Names:: +- for more details, including other options available for fine-tuning +- the installation locations. +- +-`--no-create' +-`-n' +- Run the configure checks, but stop before creating any output +- files. +- +-`configure' also accepts some other, not widely useful, options. Run +-`configure --help' for more details. diff --git a/patches/ima-evm-utils-1.0/0002-Makefile.am-rename-INCLUDES-AM_CPPFLAGS.patch b/patches/ima-evm-utils-1.0/0002-Makefile.am-rename-INCLUDES-AM_CPPFLAGS.patch new file mode 100644 index 000000000..cb09b8d78 --- /dev/null +++ b/patches/ima-evm-utils-1.0/0002-Makefile.am-rename-INCLUDES-AM_CPPFLAGS.patch 
@@ -0,0 +1,40 @@ +From: Marc Kleine-Budde <mkl@pengutronix.de> +Date: Wed, 27 May 2015 10:41:27 +0200 +Subject: [PATCH] Makefile.am: rename INCLUDES -> AM_CPPFLAGS + +This patch fixes the following warning during autoreconf: + +| src/Makefile.am:19: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS') + +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +--- + src/Makefile.am | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index deb18fb09dc7..9f547283d535 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -1,7 +1,7 @@ + lib_LTLIBRARIES = libimaevm.la + + libimaevm_la_SOURCES = libimaevm.c +-libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS) ++libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS) $(AM_CPPFLAGS) + # current[:revision[:age]] + # result: [current-age].age.revision + libimaevm_la_LDFLAGS = -version-info 0:0:0 +@@ -12,11 +12,11 @@ include_HEADERS = imaevm.h + bin_PROGRAMS = evmctl + + evmctl_SOURCES = evmctl.c +-evmctl_CPPFLAGS = $(OPENSSL_CFLAGS) ++evmctl_CPPFLAGS = $(OPENSSL_CFLAGS) $(AM_CPPFLAGS) + evmctl_LDFLAGS = $(LDFLAGS_READLINE) + evmctl_LDADD = $(OPENSSL_LIBS) -lkeyutils libimaevm.la + +-INCLUDES = -I$(top_srcdir) -include config.h ++AM_CPPFLAGS = -I$(top_srcdir) -include config.h + + DISTCLEANFILES = @DISTCLEANFILES@ + diff --git a/patches/ima-evm-utils-1.0/0003-evmctl-find-add-missing-closedir-dir-on-error.patch b/patches/ima-evm-utils-1.0/0003-evmctl-find-add-missing-closedir-dir-on-error.patch new file mode 100644 index 000000000..77e9f5fc6 --- /dev/null +++ b/patches/ima-evm-utils-1.0/0003-evmctl-find-add-missing-closedir-dir-on-error.patch 
@@ -0,0 +1,31 @@ +From: Marc Kleine-Budde <mkl@pengutronix.de> +Date: Fri, 13 Nov 2015 14:02:42 +0100 +Subject: [PATCH] evmctl: find(): add missing closedir(dir) on error + +If a failure in find() happens the directory stream is not closed. + +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +--- + src/evmctl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/evmctl.c b/src/evmctl.c +index c20cbfe80ab6..19f5f3bc87b0 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -1092,6 +1092,7 @@ static int find(const char *path, int dts, find_cb_t func) + + if (fchdir(dirfd(dir))) { + log_err("Failed to chdir %s\n", path); ++ closedir(dir); + return -1; + } + +@@ -1107,6 +1108,7 @@ static int find(const char *path, int dts, find_cb_t func) + + if (chdir("..")) { + log_err("Failed to chdir: %s\n", path); ++ closedir(dir); + return -1; + } + diff --git a/patches/ima-evm-utils-1.0/0004-evmctl-find-add-missing-error-handling-and-propagate.patch b/patches/ima-evm-utils-1.0/0004-evmctl-find-add-missing-error-handling-and-propagate.patch new file mode 100644 index 000000000..1eee4f1bf --- /dev/null +++ b/patches/ima-evm-utils-1.0/0004-evmctl-find-add-missing-error-handling-and-propagate.patch 
@@ -0,0 +1,40 @@ +From: Marc Kleine-Budde <mkl@pengutronix.de> +Date: Fri, 13 Nov 2015 14:04:37 +0100 +Subject: [PATCH] evmctl: find(): add missing error handling and propagate + error + +This patch adds the missing error handling to the while() loop in the find() +function, so that evmctl properly fails on errors. + +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +--- + src/evmctl.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/evmctl.c b/src/evmctl.c +index 19f5f3bc87b0..6606e4958080 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -1097,13 +1097,20 @@ static int find(const char *path, int dts, find_cb_t func) + } + + while ((de = readdir(dir))) { ++ int err; ++ + if (!strcmp(de->d_name, "..") || !strcmp(de->d_name, ".")) + continue; + log_debug("path: %s, type: %u\n", de->d_name, de->d_type); + if (de->d_type == DT_DIR) +- find(de->d_name, dts, func); ++ err = find(de->d_name, dts, func); + else if (dts & (1 << de->d_type)) +- func(de->d_name); ++ err = func(de->d_name); ++ ++ if (err) { ++ closedir(dir); ++ return -1; ++ } + } + + if (chdir("..")) { diff --git a/patches/ima-evm-utils-1.0/0005-evmctl-add-support-for-offline-image-preparation.patch b/patches/ima-evm-utils-1.0/0005-evmctl-add-support-for-offline-image-preparation.patch new file mode 100644 index 000000000..b31e750ff --- /dev/null +++ b/patches/ima-evm-utils-1.0/0005-evmctl-add-support-for-offline-image-preparation.patch 
@@ -0,0 +1,265 @@ +From: Sascha Hauer <s.hauer@pengutronix.de> +Date: Mon, 1 Dec 2014 15:23:21 +0100 +Subject: [PATCH] evmctl: add support for offline image preparation + +With this patch it's possible to sign a directory hierarchy, so that a +filesystem image (e.g. an ubifs) can be generated. + +Creating the ima and evm signatues for an images with evmctl has to problems: +1) The inode-numbers of the files are different in the to be created image and + in the current filesystem. +2) The inode generation can be different, too. + +These problems are solved in a 4-step process: + +1) evmctl generates signatures and writes them to the extended attributed + (the usual process so far). +2) The image, for example an ubifs image, is generted. mkfs.ubifs generates + the image (including extended attributes) and stores the used inode number + in an extended attribute "user.image-inode-number". +3) evmct is started again to generate the signatures, this time with the + additional paramter "--image". Instead of using an ioctl to get the inode + number and generation, the inode is read from the extended attribute + "user.image-inode-number", the generation is set to "0". +4) The image (omitting the exteneded attribute "user.image-inode-number") is + generated. + +This patch adds the command line parameter "--image" to read the inode number +from the extended attribute "user.image-inode-number" instead of using an +ioctl(). The inode generation is set to 0, too. 
+ +Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +--- + src/evmctl.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++++-------- + src/imaevm.h | 1 + + src/libimaevm.c | 25 ++++++++++++++++++++++++- + 3 files changed, 74 insertions(+), 9 deletions(-) + +diff --git a/src/evmctl.c b/src/evmctl.c +index 6606e4958080..d66e6b06ad23 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -314,6 +314,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + char uuid[16]; + struct h_misc_64 hmac_misc; + int hmac_size; ++ ino_t ino; + + if (lstat(file, &st)) { + log_err("Failed to stat: %s\n", file); +@@ -336,9 +337,25 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + } + close(fd); + } +- log_info("generation: %u\n", generation); + } + ++ if (params.image_mode) { ++ char buf[128] = { }; ++ ++ err = lgetxattr(file, "user.image-inode-number", buf, sizeof(buf) - 1); ++ if (err < 0) { ++ log_err("image mode: xattr 'user.image-inode-number' not found.\n"); ++ return -1; ++ } ++ ino = strtoull(buf, NULL, 10); ++ generation = 0; ++ } else { ++ ino = st.st_ino; ++ } ++ ++ log_info("inode-number: %llu\n", (unsigned long long)ino); ++ log_info("generation: %u\n", generation); ++ + list_size = llistxattr(file, list, sizeof(list)); + if (list_size < 0) { + log_err("llistxattr() failed\n"); +@@ -384,7 +401,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + struct h_misc *hmac = (struct h_misc *)&hmac_misc; + + hmac_size = sizeof(*hmac); +- hmac->ino = st.st_ino; ++ hmac->ino = ino; + hmac->generation = generation; + hmac->uid = st.st_uid; + hmac->gid = st.st_gid; +@@ -393,7 +410,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + struct h_misc_64 *hmac = (struct h_misc_64 *)&hmac_misc; + + hmac_size = sizeof(*hmac); +- hmac->ino = st.st_ino; ++ hmac->ino = ino; + hmac->generation = generation; + hmac->uid = st.st_uid; + hmac->gid = st.st_gid; +@@ -402,7 
+419,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + struct h_misc_32 *hmac = (struct h_misc_32 *)&hmac_misc; + + hmac_size = sizeof(*hmac); +- hmac->ino = st.st_ino; ++ hmac->ino = ino; + hmac->generation = generation; + hmac->uid = st.st_uid; + hmac->gid = st.st_gid; +@@ -855,6 +872,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h + ssize_t list_size; + struct h_misc_64 hmac_misc; + int hmac_size; ++ ino_t ino; + + key = file2bin(keyfile, NULL, &keylen); + if (!key) { +@@ -892,10 +910,26 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h + close(fd); + } + ++ if (params.image_mode) { ++ char buf[128] = { }; ++ ++ err = lgetxattr(file, "user.image-inode-number", buf, sizeof(buf) - 1); ++ if (err < 0) { ++ log_err("image mode: xattr 'user.image-inode-number' not found.\n"); ++ goto out; ++ } ++ ino = strtoull(buf, NULL, 10); ++ generation = 0; ++ } else { ++ ino = st.st_ino; ++ } ++ ++ log_info("inode-number: %llu\n", (unsigned long long)ino); + log_info("generation: %u\n", generation); + + list_size = llistxattr(file, list, sizeof(list)); + if (list_size <= 0) { ++ err = -1; + log_err("llistxattr() failed: %s\n", file); + goto out; + } +@@ -932,7 +966,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h + struct h_misc *hmac = (struct h_misc *)&hmac_misc; + + hmac_size = sizeof(*hmac); +- hmac->ino = st.st_ino; ++ hmac->ino = ino; + hmac->generation = generation; + hmac->uid = st.st_uid; + hmac->gid = st.st_gid; +@@ -941,7 +975,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h + struct h_misc_64 *hmac = (struct h_misc_64 *)&hmac_misc; + + hmac_size = sizeof(*hmac); +- hmac->ino = st.st_ino; ++ hmac->ino = ino; + hmac->generation = generation; + hmac->uid = st.st_uid; + hmac->gid = st.st_gid; +@@ -950,7 +984,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h + struct 
h_misc_32 *hmac = (struct h_misc_32 *)&hmac_misc; + + hmac_size = sizeof(*hmac); +- hmac->ino = st.st_ino; ++ hmac->ino = ino; + hmac->generation = generation; + hmac->uid = st.st_uid; + hmac->gid = st.st_gid; +@@ -1469,6 +1503,9 @@ static void usage(void) + " --smack use extra SMACK xattrs for EVM\n" + " --m32 force EVM hmac/signature for 32 bit target system\n" + " --m64 force EVM hmac/signature for 64 bit target system\n" ++ " -m, --image image generation mode:\n" ++ " Read inode number from xattr 'user.image-inode-number',\n" ++ " and force inode generation to 0.\n" + " -v increase verbosity level\n" + " -h, --help display this help and exit\n" + "\n"); +@@ -1507,6 +1544,7 @@ static struct option opts[] = { + {"recursive", 0, 0, 'r'}, + {"m32", 0, 0, '3'}, + {"m64", 0, 0, '6'}, ++ {"image", 0, 0, 'm'}, + {"smack", 0, 0, 256}, + {"version", 0, 0, 257}, + {} +@@ -1555,7 +1593,7 @@ int main(int argc, char *argv[]) + g_argc = argc; + + while (1) { +- c = getopt_long(argc, argv, "hvnsda:p::fu::k:t:ri", opts, &lind); ++ c = getopt_long(argc, argv, "hvnsda:p::fu::k:t:rim", opts, &lind); + if (c == -1) + break; + +@@ -1619,6 +1657,9 @@ int main(int argc, char *argv[]) + case '6': + msize = 64; + break; ++ case 'm': ++ params.image_mode = true; ++ break; + case 256: + evm_config_xattrnames = evm_extra_smack_xattrs; + break; +diff --git a/src/imaevm.h b/src/imaevm.h +index 711596c3f3fa..84632a487074 100644 +--- a/src/imaevm.h ++++ b/src/imaevm.h +@@ -180,6 +180,7 @@ struct libevm_params { + const char *hash_algo; + const char *keyfile; + const char *keypass; ++ bool image_mode; + }; + + struct RSA_ASN1_template { +diff --git a/src/libimaevm.c b/src/libimaevm.c +index 575f0535fe07..6b81e7e2d7aa 100644 +--- a/src/libimaevm.c ++++ b/src/libimaevm.c +@@ -40,6 +40,7 @@ + + /* should we use logger instead for library? 
*/ + #define USE_FPRINTF ++#define _GNU_SOURCE + + #include <sys/types.h> + #include <sys/param.h> +@@ -49,6 +50,7 @@ + #include <dirent.h> + #include <string.h> + #include <stdio.h> ++#include <attr/xattr.h> + + #include <openssl/pem.h> + #include <openssl/evp.h> +@@ -222,7 +224,28 @@ static int add_dir_hash(const char *file, EVP_MD_CTX *ctx) + } + + while ((de = readdir(dir))) { +- ino = de->d_ino; ++ if (params.image_mode) { ++ char *name; ++ char buf[128] = { }; ++ ++ err = asprintf(&name, "%s/%s", file, de->d_name); ++ if (err == -1) { ++ log_err("failed to allocate mem\n"); ++ return err; ++ } ++ ++ err = lgetxattr(file, "user.image-inode-number", buf, sizeof(buf) - 1); ++ if (err < 0) { ++ log_err("image mode: xattr 'user.image-inode-number' not found.\n"); ++ return -1; ++ } ++ ino = strtoull(buf, NULL, 10); ++ ++ free(name); ++ } else { ++ ino = de->d_ino; ++ } ++ + off = de->d_off; + type = de->d_type; + log_debug("entry: %s, ino: %llu, type: %u, off: %llu, reclen: %hu\n", diff --git a/patches/ima-evm-utils-1.0/0006-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch b/patches/ima-evm-utils-1.0/0006-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch new file mode 100644 index 000000000..734994a31 --- /dev/null +++ b/patches/ima-evm-utils-1.0/0006-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch 
@@ -0,0 +1,30 @@ +From: Sascha Hauer <s.hauer@pengutronix.de> +Date: Mon, 1 Dec 2014 15:22:19 +0100 +Subject: [PATCH] evmctl: Do not account '.' and '..' for directory hash + generation + +The '.' and '..' directories are in different order depending on the +filesystem, so the calculated hash for the directories differ aswell. +This means an image generated from an ext4 host filesystem won't be +usable on the target if it uses another order for the special directories. +Ignore the entries since they do not add to the security anyway. + +Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> +--- + src/libimaevm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/libimaevm.c b/src/libimaevm.c +index 6b81e7e2d7aa..4eb37e2bf167 100644 +--- a/src/libimaevm.c ++++ b/src/libimaevm.c +@@ -224,6 +224,9 @@ static int add_dir_hash(const char *file, EVP_MD_CTX *ctx) + } + + while ((de = readdir(dir))) { ++ if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) ++ continue; ++ + if (params.image_mode) { + char *name; + char buf[128] = { }; diff --git a/patches/ima-evm-utils-1.0/0007-HACK-don-t-generate-man-page.patch b/patches/ima-evm-utils-1.0/0007-HACK-don-t-generate-man-page.patch new file mode 100644 index 000000000..bb44e8d6c --- /dev/null +++ b/patches/ima-evm-utils-1.0/0007-HACK-don-t-generate-man-page.patch @@ -0,0 +1,19 @@ +From: Michael Olbrich <m.olbrich@pengutronix.de> +Date: Wed, 3 Jun 2015 16:08:51 +0200 +Subject: [PATCH] HACK: don't generate man page + +Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> +--- + Makefile.am | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index 06ebf59ea4aa..e527f34f1faa 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1,5 +1,4 @@ + SUBDIRS = src +-dist_man_MANS = evmctl.1 + + doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh + EXTRA_DIST = autogen.sh $(doc_DATA) 
diff --git a/patches/ima-evm-utils-1.0/autogen.sh b/patches/ima-evm-utils-1.0/autogen.sh new file mode 120000 index 000000000..9f8a4cb7d --- /dev/null +++ b/patches/ima-evm-utils-1.0/autogen.sh @@ -0,0 +1 @@ +../autogen.sh
\ No newline at end of file diff --git a/patches/ima-evm-utils-1.0/series b/patches/ima-evm-utils-1.0/series new file mode 100644 index 000000000..d979204ae --- /dev/null +++ b/patches/ima-evm-utils-1.0/series @@ -0,0 +1,10 @@ +# generated by git-ptx-patches +#tag:base --start-number 1 +0001-INSTALL-remove-file-at-it-s-autogenerated-by-autotoo.patch +0002-Makefile.am-rename-INCLUDES-AM_CPPFLAGS.patch +0003-evmctl-find-add-missing-closedir-dir-on-error.patch +0004-evmctl-find-add-missing-error-handling-and-propagate.patch +0005-evmctl-add-support-for-offline-image-preparation.patch +0006-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch +0007-HACK-don-t-generate-man-page.patch +# dd0364c455ca5a28b5a5de995af71285 - git-ptx-patches magic |
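Review bot: the Subject line of the 0001 patch reads "remove file, at it's autogenerated by autotools" where "as it is autogenerated" is meant, and "This patch remove the file" in the body should be "removes"; the same typo is baked into the patch filename and the series entry, so if the subject is fixed, rename all three together.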
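Review bot: the 0002 hunk appends `$(AM_CPPFLAGS)` to `libimaevm_la_CPPFLAGS` and `evmctl_CPPFLAGS`, which is needed because a per-target `_CPPFLAGS` replaces rather than extends `AM_CPPFLAGS`, but the commit message only mentions the rename warning. One sentence saying that the explicit `$(AM_CPPFLAGS)` keeps `-I$(top_srcdir) -include config.h` in effect for both targets would tell the next reader why those two extra changes belong to the rename.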
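Review bot: in the 0004 hunk (the `while ((de = readdir(dir)))` loop in `find()`), `int err;` is declared without an initializer and only the `de->d_type == DT_DIR` branch and the `dts & (1 << de->d_type)` branch assign it; an entry matching neither (a file type not selected by `dts`) reaches `if (err)` with an indeterminate value, so the walk can fail or pass at random and the signing run is not reliably complete. Declare it as `int err = 0;` or add an `else err = 0;` so only real failures abort the walk.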
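Review bot: in the 0005 hunk for `add_dir_hash()` in src/libimaevm.c, the entry path is built into `name` with `asprintf(&name, "%s/%s", file, de->d_name)`, but the lookup that follows is `lgetxattr(file, "user.image-inode-number", ...)`, i.e. the xattr of the directory being hashed rather than of the entry, so every entry goes into the directory hash with the directory's own inode number; the call should use `name`. The error path of that lookup also returns -1 without `free(name)`. In all three call sites `strtoull(buf, NULL, 10)` is unchecked, so an empty or malformed xattr value silently yields inode 0 instead of an error; checking the end pointer and rejecting a non-numeric value prevents an image-generation mistake from producing signatures over a bogus inode number. Since the hunk hard-codes `generation = 0` into `hmac->generation`, the usage text for `-m, --image` should also state that the resulting EVM HMAC/signature only verifies on a target filesystem that reports inode generation 0. The commit message has several typos (signatues, generted, evmct, paramter, exteneded, "an images has to problems").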
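Review bot: the 0006 hunk skips '.' and '..' before the `params.image_mode` block, which addresses the ordering difference the commit message describes, but the same concern applies to the remaining entries: the loop still consumes entries in `readdir()` order and nothing sorts them, so the directory hash continues to depend on the host filesystem enumerating entries in the same order as the target. The message should either explain why that is guaranteed for the image case or the entries should be collected and sorted before hashing. Also "aswell" in the message should be "as well".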
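Review bot: the 0007 hunk drops `dist_man_MANS = evmctl.1` with an empty commit body; a HACK that stops installing the man page should say what it works around, so the patch can be dropped once that reason no longer applies.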