Diffstat (limited to 'Feature-support-EBS-sign-for-IMA-digest-list.patch')
-rw-r--r--Feature-support-EBS-sign-for-IMA-digest-list.patch326
1 files changed, 326 insertions, 0 deletions
diff --git a/Feature-support-EBS-sign-for-IMA-digest-list.patch b/Feature-support-EBS-sign-for-IMA-digest-list.patch
new file mode 100644
index 0000000..bd0fed0
--- /dev/null
+++ b/Feature-support-EBS-sign-for-IMA-digest-list.patch
@@ -0,0 +1,326 @@
+From 0449160c84daff8c557dee47a970e4f4837ff81d Mon Sep 17 00:00:00 2001
+From: Huaxin Lu <luhuaxin1@huawei.com>
+Date: Mon, 12 Dec 2022 00:16:01 +0800
+Subject: [PATCH] support EBS sign for IMA digest list
+
+Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
+Signed-off-by: zhangguangzhi <zhangguangzhi3@huawei.com>
+
+---
+ brp-digest-list | 46 +++++-----
+ brp-ebs-sign | 238 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 262 insertions(+), 22 deletions(-)
+ create mode 100644 brp-ebs-sign
+
+diff --git a/brp-digest-list b/brp-digest-list
+index e698b7a..d1e2600 100644
+--- a/brp-digest-list
++++ b/brp-digest-list
+@@ -26,7 +26,6 @@ fi
+ DIGEST_LIST_DIR=$RPM_BUILD_ROOT/$2/etc/ima/digest_lists
+ mkdir -p $DIGEST_LIST_DIR
+ mkdir -p $DIGEST_LIST_DIR.tlv
+-mkdir -p $DIGEST_LIST_DIR.sig
+
+ # Generate digest list for the kernel
+ gen_digest_lists -i M: -t metadata -f compact -d $DIGEST_LIST_DIR -i l:policy \
+@@ -70,28 +69,31 @@ DIGEST_LIST_TLV_PATH="$DIGEST_LIST_DIR.tlv/0-metadata_list-compact_tlv-$(basenam
+ chmod 644 $DIGEST_LIST_TLV_PATH
+ echo $DIGEST_LIST_TLV_PATH
+
+-if [[ "$(basename $BIN_PKG_FILES)" =~ "digest-list-tools" && \
+- ! $(basename $BIN_PKG_FILES) =~ "debug" ]]; then
+- # Generate digest list for the user space parsers
+- LD_LIBRARY_PATH=$RPM_BUILD_ROOT/usr/lib64 \
+- $RPM_BUILD_ROOT/usr/bin/gen_digest_lists \
+- -d $DIGEST_LIST_DIR -t parser -f compact -m immutable \
+- -i I:$RPM_BUILD_ROOT/usr/libexec -o add -p -1 -i i:
+-
+- f="$DIGEST_LIST_DIR/0-parser_list-compact-libexec"
+- [ -f $f ] || exit 0
+-
+- chmod 644 $f
+- echo $f
++#if [[ "$(basename $BIN_PKG_FILES)" =~ "digest-list-tools" && \
++# ! $(basename $BIN_PKG_FILES) =~ "debug" ]]; then
++# Generate digest list for the user space parsers
++
++# do EBS sign
++export PUBLISHER_HOST=$(grep PUBLISHER_HOST /lkp/scheduled/job.yaml | awk '{print $2}')
++export PUBLISHER_PORT=$(grep PUBLISHER_PORT /lkp/scheduled/job.yaml | awk '{print $2}')
++if [[ -n "$PUBLISHER_HOST" && -n "$PUBLISHER_PORT" ]]; then
++ [ -f /usr/lib/rpm/brp-ebs-sign ] || exit 0
++ sh /usr/lib/rpm/brp-ebs-sign --ima-digestlist $DIGEST_LIST_PATH 1>&2
++ [ -f $DIGEST_LIST_PATH.sig ] || exit 0
++ chmod 644 $DIGEST_LIST_PATH.sig
++ mv $DIGEST_LIST_PATH.sig $DIGEST_LIST_PATH
++ exit 0
++fi
+
+- [ -f /usr/lib/rpm/brp-suse.d/brp-99-pesign ] || exit 0
++# do OBS sign
++[ -f /usr/lib/rpm/brp-suse.d/brp-99-pesign ] || exit 0
+
+- export BRP_PESIGN_FILES="$2/etc/ima/digest_lists/*"
+- export RPM_BUILD_ROOT
+- export RPM_PACKAGE_NAME="digest-list-tools"
+- export RPM_SOURCE_DIR="$(rpm --eval %_topdir)/SOURCES"
++export BRP_PESIGN_FILES="$2/etc/ima/digest_lists/*"
++export RPM_BUILD_ROOT
++export RPM_PACKAGE_NAME="digest-list-tools"
++export RPM_SOURCE_DIR="$(rpm --eval %_topdir)/SOURCES"
+
+- if [ -f "/usr/lib/rpm/brp-suse.d/brp-99-pesign" ]; then
+- /usr/lib/rpm/brp-suse.d/brp-99-pesign &> /dev/null
+- fi
++if [ -f "/usr/lib/rpm/brp-suse.d/brp-99-pesign" ]; then
++ /usr/lib/rpm/brp-suse.d/brp-99-pesign &> /dev/null
+ fi
++#fi
+diff --git a/brp-ebs-sign b/brp-ebs-sign
+new file mode 100644
+index 0000000..a7a83e5
+--- /dev/null
++++ b/brp-ebs-sign
+@@ -0,0 +1,238 @@
++#!/bin/bash
++
++INPUT_TYPE=$1
++INPUT_FILE=$2
++SIGN_FILE=$INPUT_FILE
++PROJECT_CONF="/lkp/scheduled/job.yaml"
++POST_ADDR=""
++POST_FILE_SHA256=""
++POST_KEY_NAME=""
++POST_KEY_TYPE=""
++POST_FILE_TYPE=""
++POST_SIGN_TYPE=""
++POST_JOB_ID=""
++POST_OS_ORIJECT=""
++CONFIG_RETEST_COUNT=5
++SIGN_RESULT=0
++FAILED_SIGN_PERMISSION_DENIED=2
++
++# Tool functions for JSON
++get_json_value(){
++ echo "$1" | \
++ awk -F "[{,:}]" '{for(i=1;i<NF;i++){if($i~"'$2'"){print $(i+1)}}}' | \
++ sed 's/\"//g'
++}
++
++get_post_json() {
++ printf '{'
++ printf '"file_sha256":"%s",' $POST_FILE_SHA256
++ printf '"key_name":"%s",' $POST_KEY_NAME
++ printf '"key_type":"%s",' $POST_KEY_TYPE
++ printf '"file_type":"%s",' $POST_FILE_TYPE
++ printf '"sign_type":"%s",' $POST_SIGN_TYPE
++ printf '"job_id":"%s",' $POST_JOB_ID
++ printf '"os_project":"%s"' $POST_OS_ORIJECT
++ printf '}'
++}
++
++# Prepare sign functions for each sign type
++module_sign_pre() {
++ if [[ "$INPUT_FILE" != *.ko ]]; then
++ echo "The module file must has the .ko extension"
++ return 1
++ fi
++
++ SIGN_FILE="$INPUT_FILE"
++ POST_KEY_NAME="openeuler-kernel-module-ee"
++ POST_KEY_TYPE="x509ee"
++ POST_FILE_TYPE="kernel-module"
++ POST_SIGN_TYPE="cms"
++}
++
++ima_digestlist_sign_pre() {
++ cp -f $INPUT_FILE $INPUT_FILE.ko
++ SIGN_FILE="$INPUT_FILE.ko"
++ POST_KEY_NAME="openeuler-ima-ee"
++ POST_KEY_TYPE="x509ee"
++ POST_FILE_TYPE="kernel-module"
++ POST_SIGN_TYPE="cms"
++}
++
++efi_sign_pre() {
++ SIGN_FILE="$INPUT_FILE"
++ POST_KEY_NAME="default-x509ee"
++ POST_KEY_TYPE="x509ee"
++ POST_FILE_TYPE="efi-image"
++ POST_SIGN_TYPE="authenticode"
++}
++
++kernel_sign_pre() {
++ SIGN_FILE="$INPUT_FILE"
++ POST_KEY_NAME="default-x509ee"
++ POST_KEY_TYPE="x509ee"
++ POST_FILE_TYPE="efi-image"
++ POST_SIGN_TYPE="authenticode"
++}
++
++# Post sign functions for each sign type
++module_sign_post() {
++ :
++}
++
++ima_digestlist_sign_post() {
++ rm -f $INPUT_FILE.ko
++}
++
++efi_sign_post() {
++ :
++}
++
++kernel_sign_post() {
++ :
++}
++
++# Global configuration
++sign_config() {
++ if [ -z "$INPUT_TYPE" ] || [ -z "$INPUT_FILE" ]; then
++ echo "Please input the sign type and file"
++ exit 1
++ fi
++
++ if [ ! -f "$INPUT_FILE" ]; then
++ echo "The input file is invalid"
++ exit 1
++ fi
++
++ POST_FILE_SHA256=$(sha256sum "$INPUT_FILE" | awk '{ print $1 }')
++ if [ $? -ne 0 ]; then
++ echo "Failed to calculate file hash"
++ fi
++
++ PUBLISHER_HOST=$(grep PUBLISHER_HOST $PROJECT_CONF | awk '{print $2}')
++ PUBLISHER_PORT=$(grep PUBLISHER_PORT $PROJECT_CONF | awk '{print $2}')
++ if [ -z "$PUBLISHER_HOST" ] || [ -z "$PUBLISHER_PORT" ]; then
++ echo "Please set PUBLISHER_HOST and PUBLISHER_PORT"
++ exit 1
++ fi
++
++ POST_ADDR="http://${PUBLISHER_HOST}:${PUBLISHER_PORT}/code-sign"
++
++ POST_JOB_ID="$(grep -rwn 'id\:' $PROJECT_CONF | awk '{print $2}')"
++ POST_OS_ORIJECT="$(grep -rwn 'os_project\:' $PROJECT_CONF | awk '{print $2}')"
++ if [ -z "$POST_JOB_ID" ] || [ -z "$POST_OS_ORIJECT" ]; then
++ echo "Failed to get POST_JOB_ID and POST_OS_ORIJECT"
++ exit 1
++ fi
++}
++
++sign_pre() {
++ sign_config
++
++ case $INPUT_TYPE in
++ --efi)
++ efi_sign_pre
++ ;;
++ --module)
++ module_sign_pre
++ ;;
++ --ima-digestlist)
++ ima_digestlist_sign_pre
++ ;;
++ --kernel)
++ kernel_sign_pre
++ ;;
++ *)
++ echo "Unsupported sign type: $INPUT_TYPE"
++ exit 1
++ ;;
++ esac
++}
++
++sign() {
++ # 1. send the request to the sign service
++ # echo "curl "$POST_ADDR" \
++ # -F "file=@$SIGN_FILE" \
++ # -F "data=$(get_post_json);type=application/json""
++ req="$(curl "$POST_ADDR" \
++ -F "file=@$SIGN_FILE" \
++ -F "data=$(get_post_json);type=application/json")"
++ if [ $? -ne 0 ]; then
++ echo "Failed to post the sign service"
++ return 1
++ fi
++
++ req_err_msg=$(get_json_value "$req" "err_msg")
++ if [ -n "$req_err_msg" ]; then
++ echo "Failed, err_msg: [$req_err_msg]"
++ if [ "$req_err_msg" == "SIGN_PERMISSION_DENIED" ]; then
++ return $FAILED_SIGN_PERMISSION_DENIED
++ fi
++ return 1
++ fi
++
++ # 2. write the file content
++ encoded_file_content=$(get_json_value "$req" "encoded_file_content")
++ if [ $? -ne 0 ]; then
++ echo "Failed to get encoded file content"
++ return 1
++ fi
++
++ echo -ne "$encoded_file_content" | base64 -d > $INPUT_FILE.sig
++ if [ $? -ne 0 ]; then
++ echo "Failed to write the signed file"
++ return 1
++ fi
++
++ # for test
++ # cp -f $INPUT_FILE $INPUT_FILE.sig
++ # req="{file_sha256:41c68fca7b3870cc9ef13a828a74af933bd8e4ff345fcfa316}"
++
++ # 3. check the hash
++ sha256_cal=$(sha256sum $INPUT_FILE.sig | awk '{print $1}')
++ sha256_get=$(get_json_value "$req" "file_sha256" | tr '[:upper:]' '[:lower:]')
++ if [ "$sha256_cal" != "$sha256_get" ]; then
++ echo "Failed to verify the hash value"
++ return 1
++ fi
++}
++
++sign_post() {
++ case $INPUT_TYPE in
++ --efi)
++ efi_sign_post
++ ;;
++ --module)
++ module_sign_post
++ ;;
++ --ima-digestlist)
++ ima_digestlist_sign_post
++ ;;
++ --kernel)
++ kernel_sign_post
++ ;;
++ esac
++}
++
++# Main function
++sign_pre
++
++for ((i=1; i<=$CONFIG_RETEST_COUNT; i++)); do
++ sign
++ ret_sign=$?
++ if [ $ret_sign -eq 0 ]; then
++ echo "Succeed to sign file"
++ break;
++ elif [ $ret_sign -eq $FAILED_SIGN_PERMISSION_DENIED ]; then
++ echo "Failed to sign file, permission denied"
++ SIGN_RESULT=$FAILED_SIGN_PERMISSION_DENIED
++ break;
++ elif [ $i -ne $CONFIG_RETEST_COUNT ]; then
++ echo "Failed to sign file, try again"
++ elif [ $i -eq $CONFIG_RETEST_COUNT ]; then
++ echo "Failed to sign file"
++ SIGN_RESULT=1
++ fi
++done
++
++sign_post
++exit $SIGN_RESULT
+--
+2.33.0
+
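Review bot: In `sign()` the signed output is written by `base64 -d > $INPUT_FILE.sig` before the hash is compared, and the mismatch branch returns 1 without removing it, so after the final retry a file that failed verification stays on disk; brp-digest-list then checks only `[ -f $DIGEST_LIST_PATH.sig ]`, ignores brp-ebs-sign's exit status, and `mv`s that rejected file over the digest list. Add `rm -f "$INPUT_FILE.sig"` before `return 1` in the hash-mismatch branch (and in the "Failed to write the signed file" branch), and gate the `mv` on the script's status, e.g. `sh /usr/lib/rpm/brp-ebs-sign --ima-digestlist $DIGEST_LIST_PATH 1>&2 || exit 0` (or `exit 1` if an unsigned digest list should fail the build). Note that `sha256_get` is taken from the same response as the file, so the check detects only corruption in transit over the plain `http://` endpoint built in `sign_config`; it does not establish that the returned content carries a valid CMS signature from the expected key, which appears to be assumed of the publisher rather than verified here. The `$?` test after `encoded_file_content=$(get_json_value ...)` sees sed's exit status and cannot fail; testing `-z "$encoded_file_content"` instead would give the intended guard.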