author | Juergen Borleis <jbe@pengutronix.de> | 2019-02-22 09:29:10 +0100 |
---|---|---|
committer | Michael Olbrich <m.olbrich@pengutronix.de> | 2019-02-26 09:13:26 +0100 |
commit | ab9180a08effff54b79a579b679026e5c259dd8b (patch) | |
tree | e9171e646e5be0628091870b9192f7edad02b3f5 /patches/ima-evm-utils-1.1 | |
parent | 991a672e9c8247ab7ebe581d5dda4706e8cae5b8 (diff) | |
ima-evm-utils: version bump to 1.1
This version bump also adds support for openssl-1.1.x.
Signed-off-by: Juergen Borleis <jbe@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Diffstat (limited to 'patches/ima-evm-utils-1.1')
14 files changed, 1138 insertions, 0 deletions
diff --git a/patches/ima-evm-utils-1.1/0001-INSTALL-remove-file-at-it-s-autogenerated-by-autotoo.patch b/patches/ima-evm-utils-1.1/0001-INSTALL-remove-file-at-it-s-autogenerated-by-autotoo.patch new file mode 100644 index 000000000..c035197d9 --- /dev/null +++ b/patches/ima-evm-utils-1.1/0001-INSTALL-remove-file-at-it-s-autogenerated-by-autotoo.patch 
@@ -0,0 +1,389 @@ +From: Marc Kleine-Budde <mkl@pengutronix.de> +Date: Wed, 18 Nov 2015 15:15:15 +0100 +Subject: [PATCH] INSTALL: remove file, at it's autogenerated by autotools + +This patch remove the file "INSTALL" which is autogenerated during +./autogen.sh. + +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +--- + INSTALL | 370 ---------------------------------------------------------------- + 1 file changed, 370 deletions(-) + delete mode 100644 INSTALL + +diff --git a/INSTALL b/INSTALL +deleted file mode 100644 +index 007e9396d0a2..000000000000 +--- a/INSTALL ++++ /dev/null +@@ -1,370 +0,0 @@ +-Installation Instructions +-************************* +- +-Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation, +-Inc. +- +- Copying and distribution of this file, with or without modification, +-are permitted in any medium without royalty provided the copyright +-notice and this notice are preserved. This file is offered as-is, +-without warranty of any kind. +- +-Basic Installation +-================== +- +- Briefly, the shell commands `./configure; make; make install' should +-configure, build, and install this package. The following +-more-detailed instructions are generic; see the `README' file for +-instructions specific to this package. Some packages provide this +-`INSTALL' file but do not implement all of the features documented +-below. The lack of an optional feature in a given package is not +-necessarily a bug. More recommendations for GNU packages can be found +-in *note Makefile Conventions: (standards)Makefile Conventions. +- +- The `configure' shell script attempts to guess correct values for +-various system-dependent variables used during compilation. It uses +-those values to create a `Makefile' in each directory of the package. +-It may also create one or more `.h' files containing system-dependent +-definitions. 
Finally, it creates a shell script `config.status' that +-you can run in the future to recreate the current configuration, and a +-file `config.log' containing compiler output (useful mainly for +-debugging `configure'). +- +- It can also use an optional file (typically called `config.cache' +-and enabled with `--cache-file=config.cache' or simply `-C') that saves +-the results of its tests to speed up reconfiguring. Caching is +-disabled by default to prevent problems with accidental use of stale +-cache files. +- +- If you need to do unusual things to compile the package, please try +-to figure out how `configure' could check whether to do them, and mail +-diffs or instructions to the address given in the `README' so they can +-be considered for the next release. If you are using the cache, and at +-some point `config.cache' contains results you don't want to keep, you +-may remove or edit it. +- +- The file `configure.ac' (or `configure.in') is used to create +-`configure' by a program called `autoconf'. You need `configure.ac' if +-you want to change it or regenerate `configure' using a newer version +-of `autoconf'. +- +- The simplest way to compile this package is: +- +- 1. `cd' to the directory containing the package's source code and type +- `./configure' to configure the package for your system. +- +- Running `configure' might take a while. While running, it prints +- some messages telling which features it is checking for. +- +- 2. Type `make' to compile the package. +- +- 3. Optionally, type `make check' to run any self-tests that come with +- the package, generally using the just-built uninstalled binaries. +- +- 4. Type `make install' to install the programs and any data files and +- documentation. When installing into a prefix owned by root, it is +- recommended that the package be configured and built as a regular +- user, and only the `make install' phase executed with root +- privileges. +- +- 5. 
Optionally, type `make installcheck' to repeat any self-tests, but +- this time using the binaries in their final installed location. +- This target does not install anything. Running this target as a +- regular user, particularly if the prior `make install' required +- root privileges, verifies that the installation completed +- correctly. +- +- 6. You can remove the program binaries and object files from the +- source code directory by typing `make clean'. To also remove the +- files that `configure' created (so you can compile the package for +- a different kind of computer), type `make distclean'. There is +- also a `make maintainer-clean' target, but that is intended mainly +- for the package's developers. If you use it, you may have to get +- all sorts of other programs in order to regenerate files that came +- with the distribution. +- +- 7. Often, you can also type `make uninstall' to remove the installed +- files again. In practice, not all packages have tested that +- uninstallation works correctly, even though it is required by the +- GNU Coding Standards. +- +- 8. Some packages, particularly those that use Automake, provide `make +- distcheck', which can by used by developers to test that all other +- targets like `make install' and `make uninstall' work correctly. +- This target is generally not run by end users. +- +-Compilers and Options +-===================== +- +- Some systems require unusual options for compilation or linking that +-the `configure' script does not know about. Run `./configure --help' +-for details on some of the pertinent environment variables. +- +- You can give `configure' initial values for configuration parameters +-by setting variables in the command line or in the environment. Here +-is an example: +- +- ./configure CC=c99 CFLAGS=-g LIBS=-lposix +- +- *Note Defining Variables::, for more details. 
+- +-Compiling For Multiple Architectures +-==================================== +- +- You can compile the package for more than one kind of computer at the +-same time, by placing the object files for each architecture in their +-own directory. To do this, you can use GNU `make'. `cd' to the +-directory where you want the object files and executables to go and run +-the `configure' script. `configure' automatically checks for the +-source code in the directory that `configure' is in and in `..'. This +-is known as a "VPATH" build. +- +- With a non-GNU `make', it is safer to compile the package for one +-architecture at a time in the source code directory. After you have +-installed the package for one architecture, use `make distclean' before +-reconfiguring for another architecture. +- +- On MacOS X 10.5 and later systems, you can create libraries and +-executables that work on multiple system types--known as "fat" or +-"universal" binaries--by specifying multiple `-arch' options to the +-compiler but only a single `-arch' option to the preprocessor. Like +-this: +- +- ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ +- CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ +- CPP="gcc -E" CXXCPP="g++ -E" +- +- This is not guaranteed to produce working output in all cases, you +-may have to build one architecture at a time and combine the results +-using the `lipo' tool if you have problems. +- +-Installation Names +-================== +- +- By default, `make install' installs the package's commands under +-`/usr/local/bin', include files under `/usr/local/include', etc. You +-can specify an installation prefix other than `/usr/local' by giving +-`configure' the option `--prefix=PREFIX', where PREFIX must be an +-absolute file name. +- +- You can specify separate installation prefixes for +-architecture-specific files and architecture-independent files. 
If you +-pass the option `--exec-prefix=PREFIX' to `configure', the package uses +-PREFIX as the prefix for installing programs and libraries. +-Documentation and other data files still use the regular prefix. +- +- In addition, if you use an unusual directory layout you can give +-options like `--bindir=DIR' to specify different values for particular +-kinds of files. Run `configure --help' for a list of the directories +-you can set and what kinds of files go in them. In general, the +-default for these options is expressed in terms of `${prefix}', so that +-specifying just `--prefix' will affect all of the other directory +-specifications that were not explicitly provided. +- +- The most portable way to affect installation locations is to pass the +-correct locations to `configure'; however, many packages provide one or +-both of the following shortcuts of passing variable assignments to the +-`make install' command line to change installation locations without +-having to reconfigure or recompile. +- +- The first method involves providing an override variable for each +-affected directory. For example, `make install +-prefix=/alternate/directory' will choose an alternate location for all +-directory configuration variables that were expressed in terms of +-`${prefix}'. Any directories that were specified during `configure', +-but not in terms of `${prefix}', must each be overridden at install +-time for the entire installation to be relocated. The approach of +-makefile variable overrides for each directory variable is required by +-the GNU Coding Standards, and ideally causes no recompilation. +-However, some platforms have known limitations with the semantics of +-shared libraries that end up requiring recompilation when using this +-method, particularly noticeable in packages that use GNU Libtool. +- +- The second method involves providing the `DESTDIR' variable. 
For +-example, `make install DESTDIR=/alternate/directory' will prepend +-`/alternate/directory' before all installation names. The approach of +-`DESTDIR' overrides is not required by the GNU Coding Standards, and +-does not work on platforms that have drive letters. On the other hand, +-it does better at avoiding recompilation issues, and works well even +-when some directory options were not specified in terms of `${prefix}' +-at `configure' time. +- +-Optional Features +-================= +- +- If the package supports it, you can cause programs to be installed +-with an extra prefix or suffix on their names by giving `configure' the +-option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. +- +- Some packages pay attention to `--enable-FEATURE' options to +-`configure', where FEATURE indicates an optional part of the package. +-They may also pay attention to `--with-PACKAGE' options, where PACKAGE +-is something like `gnu-as' or `x' (for the X Window System). The +-`README' should mention any `--enable-' and `--with-' options that the +-package recognizes. +- +- For packages that use the X Window System, `configure' can usually +-find the X include and library files automatically, but if it doesn't, +-you can use the `configure' options `--x-includes=DIR' and +-`--x-libraries=DIR' to specify their locations. +- +- Some packages offer the ability to configure how verbose the +-execution of `make' will be. For these packages, running `./configure +---enable-silent-rules' sets the default to minimal output, which can be +-overridden with `make V=1'; while running `./configure +---disable-silent-rules' sets the default to verbose, which can be +-overridden with `make V=0'. +- +-Particular systems +-================== +- +- On HP-UX, the default C compiler is not ANSI C compatible. 
If GNU +-CC is not installed, it is recommended to use the following options in +-order to use an ANSI C compiler: +- +- ./configure CC="cc -Ae -D_XOPEN_SOURCE=500" +- +-and if that doesn't work, install pre-built binaries of GCC for HP-UX. +- +- HP-UX `make' updates targets which have the same time stamps as +-their prerequisites, which makes it generally unusable when shipped +-generated files such as `configure' are involved. Use GNU `make' +-instead. +- +- On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot +-parse its `<wchar.h>' header file. The option `-nodtk' can be used as +-a workaround. If GNU CC is not installed, it is therefore recommended +-to try +- +- ./configure CC="cc" +- +-and if that doesn't work, try +- +- ./configure CC="cc -nodtk" +- +- On Solaris, don't put `/usr/ucb' early in your `PATH'. This +-directory contains several dysfunctional programs; working variants of +-these programs are available in `/usr/bin'. So, if you need `/usr/ucb' +-in your `PATH', put it _after_ `/usr/bin'. +- +- On Haiku, software installed for all users goes in `/boot/common', +-not `/usr/local'. It is recommended to use the following options: +- +- ./configure --prefix=/boot/common +- +-Specifying the System Type +-========================== +- +- There may be some features `configure' cannot figure out +-automatically, but needs to determine by the type of machine the package +-will run on. Usually, assuming the package is built to be run on the +-_same_ architectures, `configure' can figure that out, but if it prints +-a message saying it cannot guess the machine type, give it the +-`--build=TYPE' option. TYPE can either be a short name for the system +-type, such as `sun4', or a canonical name which has the form: +- +- CPU-COMPANY-SYSTEM +- +-where SYSTEM can have one of these forms: +- +- OS +- KERNEL-OS +- +- See the file `config.sub' for the possible values of each field. 
If +-`config.sub' isn't included in this package, then this package doesn't +-need to know the machine type. +- +- If you are _building_ compiler tools for cross-compiling, you should +-use the option `--target=TYPE' to select the type of system they will +-produce code for. +- +- If you want to _use_ a cross compiler, that generates code for a +-platform different from the build platform, you should specify the +-"host" platform (i.e., that on which the generated programs will +-eventually be run) with `--host=TYPE'. +- +-Sharing Defaults +-================ +- +- If you want to set default values for `configure' scripts to share, +-you can create a site shell script called `config.site' that gives +-default values for variables like `CC', `cache_file', and `prefix'. +-`configure' looks for `PREFIX/share/config.site' if it exists, then +-`PREFIX/etc/config.site' if it exists. Or, you can set the +-`CONFIG_SITE' environment variable to the location of the site script. +-A warning: not all `configure' scripts look for a site script. +- +-Defining Variables +-================== +- +- Variables not defined in a site shell script can be set in the +-environment passed to `configure'. However, some packages may run +-configure again during the build, and the customized values of these +-variables may be lost. In order to avoid this problem, you should set +-them in the `configure' command line, using `VAR=value'. For example: +- +- ./configure CC=/usr/local2/bin/gcc +- +-causes the specified `gcc' to be used as the C compiler (unless it is +-overridden in the site shell script). +- +-Unfortunately, this technique does not work for `CONFIG_SHELL' due to +-an Autoconf limitation. Until the limitation is lifted, you can use +-this workaround: +- +- CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash +- +-`configure' Invocation +-====================== +- +- `configure' recognizes the following options to control how it +-operates. 
+- +-`--help' +-`-h' +- Print a summary of all of the options to `configure', and exit. +- +-`--help=short' +-`--help=recursive' +- Print a summary of the options unique to this package's +- `configure', and exit. The `short' variant lists options used +- only in the top level, while the `recursive' variant lists options +- also present in any nested packages. +- +-`--version' +-`-V' +- Print the version of Autoconf used to generate the `configure' +- script, and exit. +- +-`--cache-file=FILE' +- Enable the cache: use and save the results of the tests in FILE, +- traditionally `config.cache'. FILE defaults to `/dev/null' to +- disable caching. +- +-`--config-cache' +-`-C' +- Alias for `--cache-file=config.cache'. +- +-`--quiet' +-`--silent' +-`-q' +- Do not print messages saying which checks are being made. To +- suppress all normal output, redirect it to `/dev/null' (any error +- messages will still be shown). +- +-`--srcdir=DIR' +- Look for the package's source code in directory DIR. Usually +- `configure' can determine that directory automatically. +- +-`--prefix=DIR' +- Use DIR as the installation prefix. *note Installation Names:: +- for more details, including other options available for fine-tuning +- the installation locations. +- +-`--no-create' +-`-n' +- Run the configure checks, but stop before creating any output +- files. +- +-`configure' also accepts some other, not widely useful, options. Run +-`configure --help' for more details. diff --git a/patches/ima-evm-utils-1.1/0002-Makefile.am-rename-INCLUDES-AM_CPPFLAGS.patch b/patches/ima-evm-utils-1.1/0002-Makefile.am-rename-INCLUDES-AM_CPPFLAGS.patch new file mode 100644 index 000000000..cb09b8d78 --- /dev/null +++ b/patches/ima-evm-utils-1.1/0002-Makefile.am-rename-INCLUDES-AM_CPPFLAGS.patch 
@@ -0,0 +1,40 @@ +From: Marc Kleine-Budde <mkl@pengutronix.de> +Date: Wed, 27 May 2015 10:41:27 +0200 +Subject: [PATCH] Makefile.am: rename INCLUDES -> AM_CPPFLAGS + +This patch fixes the following warning during autoreconf: + +| src/Makefile.am:19: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS') + +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +--- + src/Makefile.am | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index deb18fb09dc7..9f547283d535 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -1,7 +1,7 @@ + lib_LTLIBRARIES = libimaevm.la + + libimaevm_la_SOURCES = libimaevm.c +-libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS) ++libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS) $(AM_CPPFLAGS) + # current[:revision[:age]] + # result: [current-age].age.revision + libimaevm_la_LDFLAGS = -version-info 0:0:0 +@@ -12,11 +12,11 @@ include_HEADERS = imaevm.h + bin_PROGRAMS = evmctl + + evmctl_SOURCES = evmctl.c +-evmctl_CPPFLAGS = $(OPENSSL_CFLAGS) ++evmctl_CPPFLAGS = $(OPENSSL_CFLAGS) $(AM_CPPFLAGS) + evmctl_LDFLAGS = $(LDFLAGS_READLINE) + evmctl_LDADD = $(OPENSSL_LIBS) -lkeyutils libimaevm.la + +-INCLUDES = -I$(top_srcdir) -include config.h ++AM_CPPFLAGS = -I$(top_srcdir) -include config.h + + DISTCLEANFILES = @DISTCLEANFILES@ + diff --git a/patches/ima-evm-utils-1.1/0003-evmctl-find-add-missing-closedir-dir-on-error.patch b/patches/ima-evm-utils-1.1/0003-evmctl-find-add-missing-closedir-dir-on-error.patch new file mode 100644 index 000000000..4b1c84584 --- /dev/null +++ b/patches/ima-evm-utils-1.1/0003-evmctl-find-add-missing-closedir-dir-on-error.patch 
@@ -0,0 +1,31 @@ +From: Marc Kleine-Budde <mkl@pengutronix.de> +Date: Fri, 13 Nov 2015 14:02:42 +0100 +Subject: [PATCH] evmctl: find(): add missing closedir(dir) on error + +If a failure in find() happens the directory stream is not closed. + +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +--- + src/evmctl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/evmctl.c b/src/evmctl.c +index 2ffee786865b..20eccfa93b2b 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -1229,6 +1229,7 @@ static int find(const char *path, int dts, find_cb_t func) + + if (fchdir(dirfd(dir))) { + log_err("Failed to chdir %s\n", path); ++ closedir(dir); + return -1; + } + +@@ -1244,6 +1245,7 @@ static int find(const char *path, int dts, find_cb_t func) + + if (chdir("..")) { + log_err("Failed to chdir: %s\n", path); ++ closedir(dir); + return -1; + } + diff --git a/patches/ima-evm-utils-1.1/0004-evmctl-find-add-missing-error-handling-and-propagate.patch b/patches/ima-evm-utils-1.1/0004-evmctl-find-add-missing-error-handling-and-propagate.patch new file mode 100644 index 000000000..68660d95e --- /dev/null +++ b/patches/ima-evm-utils-1.1/0004-evmctl-find-add-missing-error-handling-and-propagate.patch 
@@ -0,0 +1,56 @@ +From: Marc Kleine-Budde <mkl@pengutronix.de> +Date: Fri, 13 Nov 2015 14:04:37 +0100 +Subject: [PATCH] evmctl: find(): add missing error handling and propagate + error + +This patch adds the missing error handling to the while() loop in the find() +function, so that evmctl properly fails on errors. + +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +--- + src/evmctl.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/src/evmctl.c b/src/evmctl.c +index 20eccfa93b2b..55fc619f5990 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -1234,13 +1234,20 @@ static int find(const char *path, int dts, find_cb_t func) + } + + while ((de = readdir(dir))) { ++ int err = 0; ++ + if (!strcmp(de->d_name, "..") || !strcmp(de->d_name, ".")) + continue; + log_debug("path: %s, type: %u\n", de->d_name, de->d_type); + if (de->d_type == DT_DIR) +- find(de->d_name, dts, func); ++ err = find(de->d_name, dts, func); + else if (dts & (1 << de->d_type)) +- func(de->d_name); ++ err = func(de->d_name); ++ ++ if (err) { ++ closedir(dir); ++ return -1; ++ } + } + + if (chdir("..")) { +@@ -1249,8 +1256,13 @@ static int find(const char *path, int dts, find_cb_t func) + return -1; + } + +- if (dts & DIR_MASK) +- func(path); ++ if (dts & DIR_MASK) { ++ int err; ++ ++ err = func(path); ++ if (err) ++ return -1; ++ } + + closedir(dir); + diff --git a/patches/ima-evm-utils-1.1/0005-evmctl-add-fallback-definitions-for-XATTR_NAME_IMA.patch b/patches/ima-evm-utils-1.1/0005-evmctl-add-fallback-definitions-for-XATTR_NAME_IMA.patch new file mode 100644 index 000000000..69aadb377 --- /dev/null +++ b/patches/ima-evm-utils-1.1/0005-evmctl-add-fallback-definitions-for-XATTR_NAME_IMA.patch 
@@ -0,0 +1,27 @@ +From: Marc Kleine-Budde <mkl@pengutronix.de> +Date: Fri, 11 Mar 2016 09:49:44 +0100 +Subject: [PATCH] evmctl: add fallback definitions for XATTR_NAME_IMA + +This fixes compilation on old distributions. + +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +--- + src/evmctl.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/evmctl.c b/src/evmctl.c +index 55fc619f5990..de53be37b69b 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -62,6 +62,11 @@ + #include <openssl/err.h> + #include <openssl/rsa.h> + ++#ifndef XATTR_NAME_IMA ++#define XATTR_IMA_SUFFIX "ima" ++#define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX ++#endif ++ + #define USE_FPRINTF + + #include "imaevm.h" diff --git a/patches/ima-evm-utils-1.1/0006-evmctl-libimaevm-use-EVP_MAX_MD_SIZE-for-hash-size-i.patch b/patches/ima-evm-utils-1.1/0006-evmctl-libimaevm-use-EVP_MAX_MD_SIZE-for-hash-size-i.patch new file mode 100644 index 000000000..a3cd597f8 --- /dev/null +++ b/patches/ima-evm-utils-1.1/0006-evmctl-libimaevm-use-EVP_MAX_MD_SIZE-for-hash-size-i.patch 
@@ -0,0 +1,73 @@ +From: Marc Kleine-Budde <mkl@pengutronix.de> +Date: Sat, 26 Mar 2016 22:58:07 +0100 +Subject: [PATCH] evmctl, libimaevm: use EVP_MAX_MD_SIZE for hash size instead + of open coding it + +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +--- + src/evmctl.c | 10 +++++----- + src/libimaevm.c | 2 +- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/evmctl.c b/src/evmctl.c +index de53be37b69b..b0f3b6362528 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -495,7 +495,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + + static int sign_evm(const char *file, const char *key) + { +- unsigned char hash[20]; ++ unsigned char hash[EVP_MAX_MD_SIZE]; + unsigned char sig[1024]; + int len, err; + +@@ -533,7 +533,7 @@ static int sign_evm(const char *file, const char *key) + + static int hash_ima(const char *file) + { +- unsigned char hash[66]; /* MAX hash size + 2 */ ++ unsigned char hash[EVP_MAX_MD_SIZE + 2]; /* MAX hash size + 2 */ + int len, err, offset; + int algo = get_hash_algo(params.hash_algo); + +@@ -571,7 +571,7 @@ static int hash_ima(const char *file) + + static int sign_ima(const char *file, const char *key) + { +- unsigned char hash[64]; ++ unsigned char hash[EVP_MAX_MD_SIZE]; + unsigned char sig[1024]; + int len, err; + +@@ -751,7 +751,7 @@ static int cmd_sign_evm(struct command *cmd) + + static int verify_evm(const char *file) + { +- unsigned char hash[20]; ++ unsigned char hash[EVP_MAX_MD_SIZE]; + unsigned char sig[1024]; + int len; + +@@ -1119,7 +1119,7 @@ out: + + static int hmac_evm(const char *file, const char *key) + { +- unsigned char hash[20]; ++ unsigned char hash[EVP_MAX_MD_SIZE]; + unsigned char sig[1024]; + int len, err; + +diff --git a/src/libimaevm.c b/src/libimaevm.c +index 6fa0ed4a1c74..8fc23be08bd7 100644 +--- a/src/libimaevm.c ++++ b/src/libimaevm.c +@@ -590,7 +590,7 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned + int ima_verify_signature(const char 
*file, unsigned char *sig, int siglen, + unsigned char *digest, int digestlen) + { +- unsigned char hash[64]; ++ unsigned char hash[EVP_MAX_MD_SIZE]; + int hashlen, sig_hash_algo; + + if (sig[0] != 0x03) { diff --git a/patches/ima-evm-utils-1.1/0007-libimaevm-use-SHA_DIGEST_LENGTH-instead-of-open-codi.patch b/patches/ima-evm-utils-1.1/0007-libimaevm-use-SHA_DIGEST_LENGTH-instead-of-open-codi.patch new file mode 100644 index 000000000..2164c6238 --- /dev/null +++ b/patches/ima-evm-utils-1.1/0007-libimaevm-use-SHA_DIGEST_LENGTH-instead-of-open-codi.patch @@ -0,0 +1,31 @@ +From: Marc Kleine-Budde <mkl@pengutronix.de> +Date: Sat, 26 Mar 2016 22:58:53 +0100 +Subject: [PATCH] libimaevm: use SHA_DIGEST_LENGTH instead of open coding it + +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +--- + src/libimaevm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libimaevm.c b/src/libimaevm.c +index 8fc23be08bd7..b6c328801708 100644 +--- a/src/libimaevm.c ++++ b/src/libimaevm.c +@@ -379,7 +379,7 @@ int verify_hash_v1(const char *file, const unsigned char *hash, int size, + SHA_CTX ctx; + unsigned char out[1024]; + RSA *key; +- unsigned char sighash[20]; ++ unsigned char sighash[SHA_DIGEST_LENGTH]; + struct signature_hdr *hdr = (struct signature_hdr *)sig; + + log_info("hash-v1: "); +@@ -744,7 +744,7 @@ int sign_hash_v1(const char *hashalgo, const unsigned char *hash, int size, cons + unsigned char pub[1024]; + RSA *key; + char name[20]; +- unsigned char sighash[20]; ++ unsigned char sighash[SHA_DIGEST_LENGTH]; + struct signature_hdr *hdr; + uint16_t *blen; + diff --git a/patches/ima-evm-utils-1.1/0008-evmctl-add-parameter-e-to-set-evm-hash-algo.patch b/patches/ima-evm-utils-1.1/0008-evmctl-add-parameter-e-to-set-evm-hash-algo.patch new file mode 100644 index 000000000..488dfa822 --- /dev/null +++ b/patches/ima-evm-utils-1.1/0008-evmctl-add-parameter-e-to-set-evm-hash-algo.patch 
@@ -0,0 +1,133 @@ +From: Steffen Trumtrar <s.trumtrar@pengutronix.de> +Date: Tue, 8 Mar 2016 13:46:14 +0100 +Subject: [PATCH] evmctl: add parameter -e to set evm hash algo + +The paramter -a sets the hash algorithm only for IMA. To not break +anything, add a new parameter -e to be able to change the hash for +EVM, too. + +Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de> +--- + src/evmctl.c | 27 +++++++++++++++++++++++---- + src/imaevm.h | 1 + + src/libimaevm.c | 1 + + 3 files changed, 25 insertions(+), 4 deletions(-) + +diff --git a/src/evmctl.c b/src/evmctl.c +index b0f3b6362528..5d664005e915 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -336,6 +336,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + #else + pctx = EVP_MD_CTX_new(); + #endif ++ const EVP_MD *md; + + if (lstat(file, &st)) { + log_err("Failed to stat: %s\n", file); +@@ -379,7 +380,13 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + return -1; + } + +- err = EVP_DigestInit(pctx, EVP_sha1()); ++ md = EVP_get_digestbyname(params.evm_hash_algo); ++ if (!md) { ++ log_err("EVP_get_digestbyname() failed\n"); ++ return 1; ++ } ++ ++ err = EVP_DigestInit(pctx, md); + if (!err) { + log_err("EVP_DigestInit() failed\n"); + return 1; +@@ -503,7 +510,7 @@ static int sign_evm(const char *file, const char *key) + if (len <= 1) + return len; + +- len = sign_hash("sha1", hash, len, key, NULL, sig + 1); ++ len = sign_hash(params.evm_hash_algo, hash, len, key, NULL, sig + 1); + if (len <= 1) + return len; + +@@ -992,6 +999,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h + #else + pctx = HMAC_CTX_new(); + #endif ++ const EVP_MD *md; + + key = file2bin(keyfile, NULL, &keylen); + if (!key) { +@@ -1038,7 +1046,13 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h + goto out; + } + +- err = !HMAC_Init_ex(pctx, evmkey, sizeof(evmkey), EVP_sha1(), NULL); ++ md = 
EVP_get_digestbyname(params.evm_hash_algo); ++ if (!md) { ++ log_err("EVP_get_digestbyname() failed\n"); ++ return 1; ++ } ++ ++ err = !HMAC_Init_ex(pctx, evmkey, sizeof(evmkey), md, NULL); + if (err) { + log_err("HMAC_Init() failed\n"); + goto out; +@@ -1635,6 +1649,7 @@ static void usage(void) + printf( + "\n" + " -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512\n" ++ " -e, --evmhashalgo sha1 (default), sha224, sha256, sha384, sha512\n" + " -s, --imasig make IMA signature\n" + " -d, --imahash make IMA hash\n" + " -f, --sigfile store IMA signature in .sig file instead of xattr\n" +@@ -1691,6 +1706,7 @@ static struct option opts[] = { + {"imasig", 0, 0, 's'}, + {"imahash", 0, 0, 'd'}, + {"hashalgo", 1, 0, 'a'}, ++ {"evmhashalgo", 1, 0, 'e'}, + {"pass", 2, 0, 'p'}, + {"sigfile", 0, 0, 'f'}, + {"uuid", 2, 0, 'u'}, +@@ -1758,7 +1774,7 @@ int main(int argc, char *argv[]) + g_argc = argc; + + while (1) { +- c = getopt_long(argc, argv, "hvnsda:op::fu::k:t:ri", opts, &lind); ++ c = getopt_long(argc, argv, "hvnsda:e:op::fu::k:t:ri", opts, &lind); + if (c == -1) + break; + +@@ -1784,6 +1800,9 @@ int main(int argc, char *argv[]) + case 'a': + params.hash_algo = optarg; + break; ++ case 'e': ++ params.evm_hash_algo = optarg; ++ break; + case 'p': + if (optarg) + params.keypass = optarg; +diff --git a/src/imaevm.h b/src/imaevm.h +index 1bafaad0f4ab..ed92e4d8981d 100644 +--- a/src/imaevm.h ++++ b/src/imaevm.h +@@ -179,6 +179,7 @@ struct libevm_params { + int verbose; + int x509; + const char *hash_algo; ++ const char *evm_hash_algo; + const char *keyfile; + const char *keypass; + }; +diff --git a/src/libimaevm.c b/src/libimaevm.c +index b6c328801708..4c093a038b72 100644 +--- a/src/libimaevm.c ++++ b/src/libimaevm.c +@@ -129,6 +129,7 @@ struct libevm_params params = { + .verbose = LOG_INFO - 1, + .x509 = 1, + .hash_algo = "sha1", ++ .evm_hash_algo = "sha1", + }; + + static void __attribute__ ((constructor)) libinit(void); 
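Review bot: In patch 0008's calc_evm_hmac() hunk, the new `if (!md)` branch leaves with `return 1;` while the error paths directly before and after it use `goto out;`, so an unknown `-e` value skips the cleanup at `out:` for the buffer returned by `file2bin()` and the context from `HMAC_CTX_new()`. Use `goto out;` here as well, setting the error value first if the label returns it.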
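Review bot: In patch 0008's calc_evm_hash() hunk around `EVP_get_digestbyname(params.evm_hash_algo)`, the failure message `"EVP_get_digestbyname() failed\n"` does not say which name was rejected, although the name now comes straight from the `-e` option. Log `params.evm_hash_algo` in that message. The `const EVP_MD *md;` declaration added after the `#endif` also follows the `pctx = EVP_MD_CTX_new();` statement; moving it up to the other locals keeps declarations and code separate.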
diff --git a/patches/ima-evm-utils-1.1/0009-evmctl-add-support-for-offline-image-preparation.patch b/patches/ima-evm-utils-1.1/0009-evmctl-add-support-for-offline-image-preparation.patch new file mode 100644 index 000000000..696528f75 --- /dev/null +++ b/patches/ima-evm-utils-1.1/0009-evmctl-add-support-for-offline-image-preparation.patch 
@@ -0,0 +1,265 @@ +From: Sascha Hauer <s.hauer@pengutronix.de> +Date: Mon, 1 Dec 2014 15:23:21 +0100 +Subject: [PATCH] evmctl: add support for offline image preparation + +With this change it's possible to sign a directory hierarchy, so that a +filesystem image (e.g. a 'ubifs') can be generated. + +Creating the ima and evm signatues for an image with 'evmctl' has two problems: +1) The inode-numbers of the files are different in the to be created image and + in the current filesystem. +2) The inode generation can be different, too. + +These problems are solved in a 4-step process: + +1) 'evmctl' generates signatures and writes them to the extended attribute + (the usual process so far). +2) The image, for example a 'ubifs' image, is generated. 'mkfs.ubifs' generates + the image (including extended attributes) and stores the used inode number + into an extended attribute "user.image-inode-number". +3) 'evmct' is re-started to generate the signatures, this time with the + additional paramter "--image". Instead of using an 'ioctl' to get the inode + number and generation, the inode is read from the extended attribute + "user.image-inode-number", the generation is set to "0". +4) The image (omitting the exteneded attribute "user.image-inode-number") is + generated. + +This patch adds the command line parameter "--image" to read the inode number +from the extended attribute "user.image-inode-number" instead of using an +ioctl(). The inode generation is set to 0, too. 
+ +Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +--- + src/evmctl.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++++-------- + src/imaevm.h | 1 + + src/libimaevm.c | 25 ++++++++++++++++++++++++- + 3 files changed, 74 insertions(+), 9 deletions(-) + +diff --git a/src/evmctl.c b/src/evmctl.c +index 5d664005e915..9003f7640c0f 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -337,6 +337,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + pctx = EVP_MD_CTX_new(); + #endif + const EVP_MD *md; ++ ino_t ino; + + if (lstat(file, &st)) { + log_err("Failed to stat: %s\n", file); +@@ -371,9 +372,25 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + } + close(fd); + } +- log_info("generation: %u\n", generation); + } + ++ if (params.image_mode) { ++ char buf[128] = { }; ++ ++ err = lgetxattr(file, "user.image-inode-number", buf, sizeof(buf) - 1); ++ if (err < 0) { ++ log_err("image mode: xattr 'user.image-inode-number' not found.\n"); ++ return -1; ++ } ++ ino = strtoull(buf, NULL, 10); ++ generation = 0; ++ } else { ++ ino = st.st_ino; ++ } ++ ++ log_info("inode-number: %llu\n", (unsigned long long)ino); ++ log_info("generation: %u\n", generation); ++ + list_size = llistxattr(file, list, sizeof(list)); + if (list_size < 0) { + log_err("llistxattr() failed\n"); +@@ -439,7 +456,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + + hmac_size = sizeof(*hmac); + if (!evm_portable) { +- hmac->ino = st.st_ino; ++ hmac->ino = ino; + hmac->generation = generation; + } + hmac->uid = st.st_uid; +@@ -450,7 +467,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + + hmac_size = sizeof(*hmac); + if (!evm_portable) { +- hmac->ino = st.st_ino; ++ hmac->ino = ino; + hmac->generation = generation; + } + hmac->uid = st.st_uid; +@@ -461,7 +478,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + + hmac_size = sizeof(*hmac); + if 
(!evm_portable) { +- hmac->ino = st.st_ino; ++ hmac->ino = ino; + hmac->generation = generation; + } + hmac->uid = st.st_uid; +@@ -1000,6 +1017,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h + pctx = HMAC_CTX_new(); + #endif + const EVP_MD *md; ++ ino_t ino; + + key = file2bin(keyfile, NULL, &keylen); + if (!key) { +@@ -1038,10 +1056,26 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h + close(fd); + } + ++ if (params.image_mode) { ++ char buf[128] = { }; ++ ++ err = lgetxattr(file, "user.image-inode-number", buf, sizeof(buf) - 1); ++ if (err < 0) { ++ log_err("image mode: xattr 'user.image-inode-number' not found.\n"); ++ goto out; ++ } ++ ino = strtoull(buf, NULL, 10); ++ generation = 0; ++ } else { ++ ino = st.st_ino; ++ } ++ ++ log_info("inode-number: %llu\n", (unsigned long long)ino); + log_info("generation: %u\n", generation); + + list_size = llistxattr(file, list, sizeof(list)); + if (list_size <= 0) { ++ err = -1; + log_err("llistxattr() failed: %s\n", file); + goto out; + } +@@ -1084,7 +1118,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h + struct h_misc *hmac = (struct h_misc *)&hmac_misc; + + hmac_size = sizeof(*hmac); +- hmac->ino = st.st_ino; ++ hmac->ino = ino; + hmac->generation = generation; + hmac->uid = st.st_uid; + hmac->gid = st.st_gid; +@@ -1093,7 +1127,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h + struct h_misc_64 *hmac = (struct h_misc_64 *)&hmac_misc; + + hmac_size = sizeof(*hmac); +- hmac->ino = st.st_ino; ++ hmac->ino = ino; + hmac->generation = generation; + hmac->uid = st.st_uid; + hmac->gid = st.st_gid; +@@ -1102,7 +1136,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h + struct h_misc_32 *hmac = (struct h_misc_32 *)&hmac_misc; + + hmac_size = sizeof(*hmac); +- hmac->ino = st.st_ino; ++ hmac->ino = ino; + hmac->generation = generation; + hmac->uid = 
st.st_uid; + hmac->gid = st.st_gid; +@@ -1666,6 +1700,9 @@ static void usage(void) + " --smack use extra SMACK xattrs for EVM\n" + " --m32 force EVM hmac/signature for 32 bit target system\n" + " --m64 force EVM hmac/signature for 64 bit target system\n" ++ " -m, --image image generation mode:\n" ++ " Read inode number from xattr 'user.image-inode-number',\n" ++ " and force inode generation to 0.\n" + " --ino use custom inode for EVM\n" + " --uid use custom UID for EVM\n" + " --gid use custom GID for EVM\n" +@@ -1716,6 +1753,7 @@ static struct option opts[] = { + {"recursive", 0, 0, 'r'}, + {"m32", 0, 0, '3'}, + {"m64", 0, 0, '6'}, ++ {"image", 0, 0, 'm'}, + {"portable", 0, 0, 'o'}, + {"smack", 0, 0, 128}, + {"version", 0, 0, 129}, +@@ -1774,7 +1812,7 @@ int main(int argc, char *argv[]) + g_argc = argc; + + while (1) { +- c = getopt_long(argc, argv, "hvnsda:e:op::fu::k:t:ri", opts, &lind); ++ c = getopt_long(argc, argv, "hvnsda:e:op::fu::k:t:rim", opts, &lind); + if (c == -1) + break; + +@@ -1847,6 +1885,9 @@ int main(int argc, char *argv[]) + case '6': + msize = 64; + break; ++ case 'm': ++ params.image_mode = true; ++ break; + case 128: + evm_config_xattrnames = evm_extra_smack_xattrs; + break; +diff --git a/src/imaevm.h b/src/imaevm.h +index ed92e4d8981d..7e32d09c6538 100644 +--- a/src/imaevm.h ++++ b/src/imaevm.h +@@ -182,6 +182,7 @@ struct libevm_params { + const char *evm_hash_algo; + const char *keyfile; + const char *keypass; ++ bool image_mode; + }; + + struct RSA_ASN1_template { +diff --git a/src/libimaevm.c b/src/libimaevm.c +index 4c093a038b72..866f74b39b41 100644 +--- a/src/libimaevm.c ++++ b/src/libimaevm.c +@@ -40,6 +40,7 @@ + + /* should we use logger instead for library? 
*/ + #define USE_FPRINTF ++#define _GNU_SOURCE + + #include <sys/types.h> + #include <sys/param.h> +@@ -49,6 +50,7 @@ + #include <dirent.h> + #include <string.h> + #include <stdio.h> ++#include <attr/xattr.h> + + #include <openssl/pem.h> + #include <openssl/evp.h> +@@ -224,7 +226,28 @@ static int add_dir_hash(const char *file, EVP_MD_CTX *ctx) + } + + while ((de = readdir(dir))) { +- ino = de->d_ino; ++ if (params.image_mode) { ++ char *name; ++ char buf[128] = { }; ++ ++ err = asprintf(&name, "%s/%s", file, de->d_name); ++ if (err == -1) { ++ log_err("failed to allocate mem\n"); ++ return err; ++ } ++ ++ err = lgetxattr(file, "user.image-inode-number", buf, sizeof(buf) - 1); ++ if (err < 0) { ++ log_err("image mode: xattr 'user.image-inode-number' not found.\n"); ++ return -1; ++ } ++ ino = strtoull(buf, NULL, 10); ++ ++ free(name); ++ } else { ++ ino = de->d_ino; ++ } ++ + off = de->d_off; + type = de->d_type; + log_debug("entry: %s, ino: %llu, type: %u, off: %llu, reclen: %hu\n", diff --git a/patches/ima-evm-utils-1.1/0010-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch b/patches/ima-evm-utils-1.1/0010-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch new file mode 100644 index 000000000..12b77a132 --- /dev/null +++ b/patches/ima-evm-utils-1.1/0010-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch 
@@ -0,0 +1,30 @@ +From: Sascha Hauer <s.hauer@pengutronix.de> +Date: Mon, 1 Dec 2014 15:22:19 +0100 +Subject: [PATCH] evmctl: Do not account '.' and '..' for directory hash + generation + +The '.' and '..' directories are in different order depending on the +filesystem, so the calculated hash for the directories differ aswell. +This means an image generated from an ext4 host filesystem won't be +usable on the target if it uses another order for the special directories. +Ignore the entries since they do not add to the security anyway. + +Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> +--- + src/libimaevm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/libimaevm.c b/src/libimaevm.c +index 866f74b39b41..834b738426bf 100644 +--- a/src/libimaevm.c ++++ b/src/libimaevm.c +@@ -226,6 +226,9 @@ static int add_dir_hash(const char *file, EVP_MD_CTX *ctx) + } + + while ((de = readdir(dir))) { ++ if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) ++ continue; ++ + if (params.image_mode) { + char *name; + char buf[128] = { }; diff --git a/patches/ima-evm-utils-1.1/0011-HACK-don-t-generate-man-page.patch b/patches/ima-evm-utils-1.1/0011-HACK-don-t-generate-man-page.patch new file mode 100644 index 000000000..bb44e8d6c --- /dev/null +++ b/patches/ima-evm-utils-1.1/0011-HACK-don-t-generate-man-page.patch @@ -0,0 +1,19 @@ +From: Michael Olbrich <m.olbrich@pengutronix.de> +Date: Wed, 3 Jun 2015 16:08:51 +0200 +Subject: [PATCH] HACK: don't generate man page + +Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> +--- + Makefile.am | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index 06ebf59ea4aa..e527f34f1faa 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1,5 +1,4 @@ + SUBDIRS = src +-dist_man_MANS = evmctl.1 + + doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh + EXTRA_DIST = autogen.sh $(doc_DATA) 
diff --git a/patches/ima-evm-utils-1.1/0012-Fix-warning-for-non-debug-use-case.patch b/patches/ima-evm-utils-1.1/0012-Fix-warning-for-non-debug-use-case.patch new file mode 100644 index 000000000..80073f19a --- /dev/null +++ b/patches/ima-evm-utils-1.1/0012-Fix-warning-for-non-debug-use-case.patch @@ -0,0 +1,28 @@ +From: Juergen Borleis <jbe@pengutronix.de> +Date: Wed, 18 Nov 2015 15:15:15 +0100 +Subject: [PATCH] Fix warning for non-debug use case + +This change fixes: + + evmctl.c:1194:12: warning: 'cmd_hmac_evm' defined but not used [-Wunused-function] + +Note: this change is GCC specific + +Signed-off-by: Juergen Borleis <jbe@pengutronix.de> +--- + src/evmctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/evmctl.c b/src/evmctl.c +index 9003f7640c0f..4422c0e84d4a 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -1191,7 +1191,7 @@ static int hmac_evm(const char *file, const char *key) + return 0; + } + +-static int cmd_hmac_evm(struct command *cmd) ++static __attribute__((unused)) int cmd_hmac_evm(struct command *cmd) + { + const char *key, *file = g_argv[optind++]; + int err; diff --git a/patches/ima-evm-utils-1.1/autogen.sh b/patches/ima-evm-utils-1.1/autogen.sh new file mode 120000 index 000000000..9f8a4cb7d --- /dev/null +++ b/patches/ima-evm-utils-1.1/autogen.sh @@ -0,0 +1 @@ +../autogen.sh
\ No newline at end of file diff --git a/patches/ima-evm-utils-1.1/series b/patches/ima-evm-utils-1.1/series new file mode 100644 index 000000000..784fc0147 --- /dev/null +++ b/patches/ima-evm-utils-1.1/series @@ -0,0 +1,15 @@ +# generated by git-ptx-patches +#tag:base --start-number 1 +0001-INSTALL-remove-file-at-it-s-autogenerated-by-autotoo.patch +0002-Makefile.am-rename-INCLUDES-AM_CPPFLAGS.patch +0003-evmctl-find-add-missing-closedir-dir-on-error.patch +0004-evmctl-find-add-missing-error-handling-and-propagate.patch +0005-evmctl-add-fallback-definitions-for-XATTR_NAME_IMA.patch +0006-evmctl-libimaevm-use-EVP_MAX_MD_SIZE-for-hash-size-i.patch +0007-libimaevm-use-SHA_DIGEST_LENGTH-instead-of-open-codi.patch +0008-evmctl-add-parameter-e-to-set-evm-hash-algo.patch +0009-evmctl-add-support-for-offline-image-preparation.patch +0010-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch +0011-HACK-don-t-generate-man-page.patch +0012-Fix-warning-for-non-debug-use-case.patch +# 25e6f60853e6b27e45f386bbca0730ab - git-ptx-patches magic |
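Review bot: In 0008, the new `if (!md)` branch in src/evmctl.c that precedes `HMAC_Init_ex(pctx, evmkey, ...)` leaves with `return 1;` although the very next failure path uses `goto out`, so an unknown `-e` value skips whatever cleanup the `out` label performs. Set `err` and jump to `out` here as well. The `log_err()` text would also help more if it printed `params.evm_hash_algo`, since that string now comes straight from the command line.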
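Review bot: In 0009, both `image_mode` blocks in src/evmctl.c (calc_evm_hash and calc_evm_hmac) accept the result of `strtoull(buf, NULL, 10)` without any validation, so an empty or non-numeric "user.image-inode-number" silently becomes inode 0 and is then written to `hmac->ino` and signed. Pass an end pointer, reject the value when no digits were consumed or trailing characters remain, check `errno` for ERANGE, and confirm the number fits into `ino_t` before assigning it. The calc_evm_hash copy also exits with `return -1` after `pctx = EVP_MD_CTX_new()` has already run, while the calc_evm_hmac copy uses `goto out`; the two should handle the failure the same way.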
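Review bot: In 0009, the same read-xattr-and-parse block is pasted three times (calc_evm_hash, calc_evm_hmac, and add_dir_hash in src/libimaevm.c), and the copies already differ in their error handling. A single helper that takes the path and returns the inode number or an error would keep the three call sites consistent and give one place to add input validation. In calc_evm_hmac, note also that `err` holds the positive byte count from `lgetxattr()` on success, so anything that later returns `err` unchanged would report a non-zero status for a successful read.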
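Review bot: In 0009, the add_dir_hash hunk in src/libimaevm.c builds `name` with `asprintf(&name, "%s/%s", file, de->d_name)` but then calls `lgetxattr(file, "user.image-inode-number", ...)`, so every directory entry is hashed with the inode number of the parent directory instead of its own. The call should take `name`. Two resource problems sit in the same block: the `lgetxattr()` failure path returns without `free(name)`, and both early returns leave the loop without closing `dir`.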
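Review bot: In 0009, the new `#include <attr/xattr.h>` in src/libimaevm.c pulls the `lgetxattr()` declaration from libattr's header, which adds a build dependency the commit message does not mention. glibc declares the same function in `<sys/xattr.h>`, so including that header instead avoids relying on libattr being installed with this file.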
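Review bot: In 0010, the `continue` for "." and ".." in add_dir_hash is placed before the `if (params.image_mode)` test, so it changes the directory hash in every mode, not only during offline image preparation. Hashes produced by this patched evmctl will therefore differ from those of an unpatched build for the same directory. Either restrict the skip to image mode or state in the commit message that the change is intentional for all modes and that existing directory hashes must be regenerated.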