authorCoprDistGit <infra@openeuler.org>2024-08-26 07:25:54 +0000
committerCoprDistGit <infra@openeuler.org>2024-08-26 07:25:54 +0000
commit1bee4fd305174b56955aa02434b778e0b46f515e (patch)
tree5f4f9ed56e151fa122fef773f15b0eaa93ad2ab9 /Feature-support-EBS-sign-for-IMA-digest-list.patch
parent257b43610b08c33aa43ae1f4caff079ff81f89fe (diff)
automatic import of openEuler-rpm-configopeneuler22.03_LTS_SP4openeuler22.03_LTS_SP3
Diffstat (limited to 'Feature-support-EBS-sign-for-IMA-digest-list.patch')
-rw-r--r--Feature-support-EBS-sign-for-IMA-digest-list.patch344
1 files changed, 294 insertions, 50 deletions
diff --git a/Feature-support-EBS-sign-for-IMA-digest-list.patch b/Feature-support-EBS-sign-for-IMA-digest-list.patch
index 39b6aae..bd0fed0 100644
--- a/Feature-support-EBS-sign-for-IMA-digest-list.patch
+++ b/Feature-support-EBS-sign-for-IMA-digest-list.patch
@@ -4,79 +4,323 @@ Date: Mon, 12 Dec 2022 00:16:01 +0800
Subject: [PATCH] support EBS sign for IMA digest list
Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
+Signed-off-by: zhangguangzhi <zhangguangzhi3@huawei.com>
+
---
- brp-digest-list | 16 ++++++++++++++++
- brp-ebs-sign | 34 ++++++++++++++++++++++++++++++++++
- 2 files changed, 50 insertions(+)
+ brp-digest-list | 46 +++++-----
+ brp-ebs-sign | 238 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 262 insertions(+), 22 deletions(-)
create mode 100644 brp-ebs-sign
diff --git a/brp-digest-list b/brp-digest-list
-index e698b7a..9ec50a2 100644
+index e698b7a..d1e2600 100644
--- a/brp-digest-list
+++ b/brp-digest-list
-@@ -84,6 +84,22 @@ if [[ "$(basename $BIN_PKG_FILES)" =~ "digest-list-tools" && \
- chmod 644 $f
- echo $f
+@@ -26,7 +26,6 @@ fi
+ DIGEST_LIST_DIR=$RPM_BUILD_ROOT/$2/etc/ima/digest_lists
+ mkdir -p $DIGEST_LIST_DIR
+ mkdir -p $DIGEST_LIST_DIR.tlv
+-mkdir -p $DIGEST_LIST_DIR.sig
-+ # do EBS sign
-+ export PUBLISHER_HOST=$(grep PUBLISHER_HOST /lkp/scheduled/job.yaml | awk '{print $2}')
-+ export PUBLISHER_PORT=$(grep PUBLISHER_PORT /lkp/scheduled/job.yaml | awk '{print $2}')
-+ if [[ -n "$PUBLISHER_HOST" && -n "$PUBLISHER_PORT" ]]; then
-+ [ -f /usr/lib/rpm/brp-ebs-sign ] || exit 0
-+ for f in $(ls $DIGEST_LIST_DIR); do
-+ sh /usr/lib/rpm/brp-ebs-sign $DIGEST_LIST_DIR/$f &> /dev/null
-+ [ -f $DIGEST_LIST_DIR/$f.sig ] || exit 0
-+ chmod 644 $DIGEST_LIST_DIR/$f.sig
-+ mv $DIGEST_LIST_DIR/$f.sig $DIGEST_LIST_DIR.sig/$f.sig
-+ echo $DIGEST_LIST_DIR.sig/$f.sig
-+ done
-+ exit 0
-+ fi
+ # Generate digest list for the kernel
+ gen_digest_lists -i M: -t metadata -f compact -d $DIGEST_LIST_DIR -i l:policy \
+@@ -70,28 +69,31 @@ DIGEST_LIST_TLV_PATH="$DIGEST_LIST_DIR.tlv/0-metadata_list-compact_tlv-$(basenam
+ chmod 644 $DIGEST_LIST_TLV_PATH
+ echo $DIGEST_LIST_TLV_PATH
+
+-if [[ "$(basename $BIN_PKG_FILES)" =~ "digest-list-tools" && \
+- ! $(basename $BIN_PKG_FILES) =~ "debug" ]]; then
+- # Generate digest list for the user space parsers
+- LD_LIBRARY_PATH=$RPM_BUILD_ROOT/usr/lib64 \
+- $RPM_BUILD_ROOT/usr/bin/gen_digest_lists \
+- -d $DIGEST_LIST_DIR -t parser -f compact -m immutable \
+- -i I:$RPM_BUILD_ROOT/usr/libexec -o add -p -1 -i i:
+-
+- f="$DIGEST_LIST_DIR/0-parser_list-compact-libexec"
+- [ -f $f ] || exit 0
+-
+- chmod 644 $f
+- echo $f
++#if [[ "$(basename $BIN_PKG_FILES)" =~ "digest-list-tools" && \
++# ! $(basename $BIN_PKG_FILES) =~ "debug" ]]; then
++# Generate digest list for the user space parsers
+
-+ # do OBS sign
- [ -f /usr/lib/rpm/brp-suse.d/brp-99-pesign ] || exit 0
++# do EBS sign
++export PUBLISHER_HOST=$(grep PUBLISHER_HOST /lkp/scheduled/job.yaml | awk '{print $2}')
++export PUBLISHER_PORT=$(grep PUBLISHER_PORT /lkp/scheduled/job.yaml | awk '{print $2}')
++if [[ -n "$PUBLISHER_HOST" && -n "$PUBLISHER_PORT" ]]; then
++ [ -f /usr/lib/rpm/brp-ebs-sign ] || exit 0
++ sh /usr/lib/rpm/brp-ebs-sign --ima-digestlist $DIGEST_LIST_PATH 1>&2
++ [ -f $DIGEST_LIST_PATH.sig ] || exit 0
++ chmod 644 $DIGEST_LIST_PATH.sig
++ mv $DIGEST_LIST_PATH.sig $DIGEST_LIST_PATH
++ exit 0
++fi
+
+- [ -f /usr/lib/rpm/brp-suse.d/brp-99-pesign ] || exit 0
++# do OBS sign
++[ -f /usr/lib/rpm/brp-suse.d/brp-99-pesign ] || exit 0
- export BRP_PESIGN_FILES="$2/etc/ima/digest_lists/*"
+- export BRP_PESIGN_FILES="$2/etc/ima/digest_lists/*"
+- export RPM_BUILD_ROOT
+- export RPM_PACKAGE_NAME="digest-list-tools"
+- export RPM_SOURCE_DIR="$(rpm --eval %_topdir)/SOURCES"
++export BRP_PESIGN_FILES="$2/etc/ima/digest_lists/*"
++export RPM_BUILD_ROOT
++export RPM_PACKAGE_NAME="digest-list-tools"
++export RPM_SOURCE_DIR="$(rpm --eval %_topdir)/SOURCES"
+
+- if [ -f "/usr/lib/rpm/brp-suse.d/brp-99-pesign" ]; then
+- /usr/lib/rpm/brp-suse.d/brp-99-pesign &> /dev/null
+- fi
++if [ -f "/usr/lib/rpm/brp-suse.d/brp-99-pesign" ]; then
++ /usr/lib/rpm/brp-suse.d/brp-99-pesign &> /dev/null
+ fi
++#fi
diff --git a/brp-ebs-sign b/brp-ebs-sign
new file mode 100644
-index 0000000..662a9f7
+index 0000000..a7a83e5
--- /dev/null
+++ b/brp-ebs-sign
-@@ -0,0 +1,34 @@
+@@ -0,0 +1,238 @@
+#!/bin/bash
+
-+# config
-+PUBLISHER_ADDR="http://${PUBLISHER_HOST}:${PUBLISHER_PORT}/sign-files"
-+POST_KEY_BASE64="encoded_file_content"
-+POST_KEY_MD5="file_md5"
-+REQ_KEY_BASE64="signed_file_content"
-+REQ_KEY_MD5="signed_file_md5"
++INPUT_TYPE=$1
++INPUT_FILE=$2
++SIGN_FILE=$INPUT_FILE
++PROJECT_CONF="/lkp/scheduled/job.yaml"
++POST_ADDR=""
++POST_FILE_SHA256=""
++POST_KEY_NAME=""
++POST_KEY_TYPE=""
++POST_FILE_TYPE=""
++POST_SIGN_TYPE=""
++POST_JOB_ID=""
++POST_OS_ORIJECT=""
++CONFIG_RETEST_COUNT=5
++SIGN_RESULT=0
++FAILED_SIGN_PERMISSION_DENIED=2
+
-+# function definition
++# Tool functions for JSON
+get_json_value(){
-+ echo "$1" | awk -F "[{,:}]" '{for(i=1;i<NF;i++){if($i~"'$2'"){print $(i+1)}}}' | sed 's/\"//g'
++ echo "$1" | \
++ awk -F "[{,:}]" '{for(i=1;i<NF;i++){if($i~"'$2'"){print $(i+1)}}}' | \
++ sed 's/\"//g'
++}
++
++get_post_json() {
++ printf '{'
++ printf '"file_sha256":"%s",' $POST_FILE_SHA256
++ printf '"key_name":"%s",' $POST_KEY_NAME
++ printf '"key_type":"%s",' $POST_KEY_TYPE
++ printf '"file_type":"%s",' $POST_FILE_TYPE
++ printf '"sign_type":"%s",' $POST_SIGN_TYPE
++ printf '"job_id":"%s",' $POST_JOB_ID
++ printf '"os_project":"%s"' $POST_OS_ORIJECT
++ printf '}'
+}
+
-+file="$1"
-+file_base64="$(base64 -w0 $file)"
-+file_md5="$(md5sum $file | awk '{printf $1}')"
-+json="{\"$POST_KEY_BASE64\":\"$file_base64\", \"$POST_KEY_MD5\":\"$file_md5\"}"
++# Prepare sign functions for each sign type
++module_sign_pre() {
++ if [[ "$INPUT_FILE" != *.ko ]]; then
++ echo "The module file must has the .ko extension"
++ return 1
++ fi
++
++ SIGN_FILE="$INPUT_FILE"
++ POST_KEY_NAME="openeuler-kernel-module-ee"
++ POST_KEY_TYPE="x509ee"
++ POST_FILE_TYPE="kernel-module"
++ POST_SIGN_TYPE="cms"
++}
+
-+req="$(curl -X POST "$PUBLISHER_ADDR" -H 'Content-Type: application/json' -d "$json")"
-+[ $? -eq 0 ] || { echo "Fail to post sign service, REQ="; echo "req"; exit 1; }
++ima_digestlist_sign_pre() {
++ cp -f $INPUT_FILE $INPUT_FILE.ko
++ SIGN_FILE="$INPUT_FILE.ko"
++ POST_KEY_NAME="openeuler-ima-ee"
++ POST_KEY_TYPE="x509ee"
++ POST_FILE_TYPE="kernel-module"
++ POST_SIGN_TYPE="cms"
++}
+
-+sig_base64=$(get_json_value "$req" "$REQ_KEY_BASE64")
-+[ $? -eq 0 ] || { echo "Fail to parser $REQ_KEY_BASE64"; exit 1; }
-+echo -e "$sig_base64" | base64 -d > $file.sig
-+[ $? -eq 0 ] || { echo "Fail to decode value of $key"; exit 1; }
++efi_sign_pre() {
++ SIGN_FILE="$INPUT_FILE"
++ POST_KEY_NAME="default-x509ee"
++ POST_KEY_TYPE="x509ee"
++ POST_FILE_TYPE="efi-image"
++ POST_SIGN_TYPE="authenticode"
++}
++
++kernel_sign_pre() {
++ SIGN_FILE="$INPUT_FILE"
++ POST_KEY_NAME="default-x509ee"
++ POST_KEY_TYPE="x509ee"
++ POST_FILE_TYPE="efi-image"
++ POST_SIGN_TYPE="authenticode"
++}
+
-+sig_md5=$(get_json_value "$req" "$REQ_KEY_MD5")
-+[ $? -eq 0 ] || { echo "Fail to parser $REQ_KEY_MD5"; exit 1; }
-+md5sum $file.sig | grep "$sig_md5"
-+[ $? -eq 0 ] || { echo "Fail to check md5 of $file.sig"; exit 1; }
++# Post sign functions for each sign type
++module_sign_post() {
++ :
++}
++
++ima_digestlist_sign_post() {
++ rm -f $INPUT_FILE.ko
++}
++
++efi_sign_post() {
++ :
++}
++
++kernel_sign_post() {
++ :
++}
++
++# Global configuration
++sign_config() {
++ if [ -z "$INPUT_TYPE" ] || [ -z "$INPUT_FILE" ]; then
++ echo "Please input the sign type and file"
++ exit 1
++ fi
++
++ if [ ! -f "$INPUT_FILE" ]; then
++ echo "The input file is invalid"
++ exit 1
++ fi
++
++ POST_FILE_SHA256=$(sha256sum "$INPUT_FILE" | awk '{ print $1 }')
++ if [ $? -ne 0 ]; then
++ echo "Failed to calculate file hash"
++ fi
++
++ PUBLISHER_HOST=$(grep PUBLISHER_HOST $PROJECT_CONF | awk '{print $2}')
++ PUBLISHER_PORT=$(grep PUBLISHER_PORT $PROJECT_CONF | awk '{print $2}')
++ if [ -z "$PUBLISHER_HOST" ] || [ -z "$PUBLISHER_PORT" ]; then
++ echo "Please set PUBLISHER_HOST and PUBLISHER_PORT"
++ exit 1
++ fi
++
++ POST_ADDR="http://${PUBLISHER_HOST}:${PUBLISHER_PORT}/code-sign"
++
++ POST_JOB_ID="$(grep -rwn 'id\:' $PROJECT_CONF | awk '{print $2}')"
++ POST_OS_ORIJECT="$(grep -rwn 'os_project\:' $PROJECT_CONF | awk '{print $2}')"
++ if [ -z "$POST_JOB_ID" ] || [ -z "$POST_OS_ORIJECT" ]; then
++ echo "Failed to get POST_JOB_ID and POST_OS_ORIJECT"
++ exit 1
++ fi
++}
++
++sign_pre() {
++ sign_config
++
++ case $INPUT_TYPE in
++ --efi)
++ efi_sign_pre
++ ;;
++ --module)
++ module_sign_pre
++ ;;
++ --ima-digestlist)
++ ima_digestlist_sign_pre
++ ;;
++ --kernel)
++ kernel_sign_pre
++ ;;
++ *)
++ echo "Unsupported sign type: $INPUT_TYPE"
++ exit 1
++ ;;
++ esac
++}
++
++sign() {
++ # 1. send the request to the sign service
++ # echo "curl "$POST_ADDR" \
++ # -F "file=@$SIGN_FILE" \
++ # -F "data=$(get_post_json);type=application/json""
++ req="$(curl "$POST_ADDR" \
++ -F "file=@$SIGN_FILE" \
++ -F "data=$(get_post_json);type=application/json")"
++ if [ $? -ne 0 ]; then
++ echo "Failed to post the sign service"
++ return 1
++ fi
++
++ req_err_msg=$(get_json_value "$req" "err_msg")
++ if [ -n "$req_err_msg" ]; then
++ echo "Failed, err_msg: [$req_err_msg]"
++ if [ "$req_err_msg" == "SIGN_PERMISSION_DENIED" ]; then
++ return $FAILED_SIGN_PERMISSION_DENIED
++ fi
++ return 1
++ fi
++
++ # 2. write the file content
++ encoded_file_content=$(get_json_value "$req" "encoded_file_content")
++ if [ $? -ne 0 ]; then
++ echo "Failed to get encoded file content"
++ return 1
++ fi
++
++ echo -ne "$encoded_file_content" | base64 -d > $INPUT_FILE.sig
++ if [ $? -ne 0 ]; then
++ echo "Failed to write the signed file"
++ return 1
++ fi
++
++ # for test
++ # cp -f $INPUT_FILE $INPUT_FILE.sig
++ # req="{file_sha256:41c68fca7b3870cc9ef13a828a74af933bd8e4ff345fcfa316}"
++
++ # 3. check the hash
++ sha256_cal=$(sha256sum $INPUT_FILE.sig | awk '{print $1}')
++ sha256_get=$(get_json_value "$req" "file_sha256" | tr '[:upper:]' '[:lower:]')
++ if [ "$sha256_cal" != "$sha256_get" ]; then
++ echo "Failed to verify the hash value"
++ return 1
++ fi
++}
++
++sign_post() {
++ case $INPUT_TYPE in
++ --efi)
++ efi_sign_post
++ ;;
++ --module)
++ module_sign_post
++ ;;
++ --ima-digestlist)
++ ima_digestlist_sign_post
++ ;;
++ --kernel)
++ kernel_sign_post
++ ;;
++ esac
++}
++
++# Main function
++sign_pre
++
++for ((i=1; i<=$CONFIG_RETEST_COUNT; i++)); do
++ sign
++ ret_sign=$?
++ if [ $ret_sign -eq 0 ]; then
++ echo "Succeed to sign file"
++ break;
++ elif [ $ret_sign -eq $FAILED_SIGN_PERMISSION_DENIED ]; then
++ echo "Failed to sign file, permission denied"
++ SIGN_RESULT=$FAILED_SIGN_PERMISSION_DENIED
++ break;
++ elif [ $i -ne $CONFIG_RETEST_COUNT ]; then
++ echo "Failed to sign file, try again"
++ elif [ $i -eq $CONFIG_RETEST_COUNT ]; then
++ echo "Failed to sign file"
++ SIGN_RESULT=1
++ fi
++done
+
-+echo "Sign $file ok!"
-+exit 0
++sign_post
++exit $SIGN_RESULT
--
2.33.0
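Review bot: A failed signing attempt can leave a truncated or unverified `$INPUT_FILE.sig` on disk, and brp-digest-list then installs it as the digest list. The redirection in `echo -ne "$encoded_file_content" | base64 -d > $INPUT_FILE.sig` creates the file before the decode or the later `sha256_cal`/`sha256_get` comparison can fail, the retry loop only sets `SIGN_RESULT`, `sign_post` removes just the `.ko` copy, and the caller runs `sh /usr/lib/rpm/brp-ebs-sign --ima-digestlist $DIGEST_LIST_PATH 1>&2` without checking its status before `mv $DIGEST_LIST_PATH.sig $DIGEST_LIST_PATH`. Delete the artifact on every failure path, e.g. before `sign_post` add `[ "$SIGN_RESULT" -eq 0 ] || rm -f -- "$INPUT_FILE.sig"`, and have brp-digest-list check the exit status (`... 1>&2 || exit 1`, or at least skip the `mv`), otherwise a package can ship a digest list that fails IMA appraisal everywhere it is installed. Separately, `POST_ADDR` is built as plain `http://…/code-sign` and the only check on the response compares the returned blob with the response's own `file_sha256`, so it detects corruption but not a substituted result; that limitation deserves a comment at the check. The `sha256sum` failure branch in `sign_config` only prints a message and continues with an empty `POST_FILE_SHA256` (and `$?` there is awk's status, not sha256sum's); it should `exit 1` like the neighbouring checks.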