Diffstat (limited to 'Feature-support-EBS-sign-for-IMA-digest-list.patch')
-rw-r--r-- | Feature-support-EBS-sign-for-IMA-digest-list.patch | 326 |
1 files changed, 0 insertions, 326 deletions
diff --git a/Feature-support-EBS-sign-for-IMA-digest-list.patch b/Feature-support-EBS-sign-for-IMA-digest-list.patch
deleted file mode 100644
index bd0fed0..0000000
--- a/Feature-support-EBS-sign-for-IMA-digest-list.patch
+++ /dev/null
@@ -1,326 +0,0 @@
-From 0449160c84daff8c557dee47a970e4f4837ff81d Mon Sep 17 00:00:00 2001
-From: Huaxin Lu <luhuaxin1@huawei.com>
-Date: Mon, 12 Dec 2022 00:16:01 +0800
-Subject: [PATCH] support EBS sign for IMA digest list
-
-Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
-Signed-off-by: zhangguangzhi <zhangguangzhi3@huawei.com>
-
----
- brp-digest-list | 46 +++++-----
- brp-ebs-sign | 238 ++++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 262 insertions(+), 22 deletions(-)
- create mode 100644 brp-ebs-sign
-
-diff --git a/brp-digest-list b/brp-digest-list
-index e698b7a..d1e2600 100644
---- a/brp-digest-list
-+++ b/brp-digest-list
-@@ -26,7 +26,6 @@ fi
- DIGEST_LIST_DIR=$RPM_BUILD_ROOT/$2/etc/ima/digest_lists
- mkdir -p $DIGEST_LIST_DIR
- mkdir -p $DIGEST_LIST_DIR.tlv
--mkdir -p $DIGEST_LIST_DIR.sig
- 
- # Generate digest list for the kernel
- gen_digest_lists -i M: -t metadata -f compact -d $DIGEST_LIST_DIR -i l:policy \
-@@ -70,28 +69,31 @@ DIGEST_LIST_TLV_PATH="$DIGEST_LIST_DIR.tlv/0-metadata_list-compact_tlv-$(basenam
- chmod 644 $DIGEST_LIST_TLV_PATH
- echo $DIGEST_LIST_TLV_PATH
- 
--if [[ "$(basename $BIN_PKG_FILES)" =~ "digest-list-tools" && \
-- ! $(basename $BIN_PKG_FILES) =~ "debug" ]]; then
-- # Generate digest list for the user space parsers
-- LD_LIBRARY_PATH=$RPM_BUILD_ROOT/usr/lib64 \
-- $RPM_BUILD_ROOT/usr/bin/gen_digest_lists \
-- -d $DIGEST_LIST_DIR -t parser -f compact -m immutable \
-- -i I:$RPM_BUILD_ROOT/usr/libexec -o add -p -1 -i i:
--
-- f="$DIGEST_LIST_DIR/0-parser_list-compact-libexec"
-- [ -f $f ] || exit 0
--
-- chmod 644 $f
-- echo $f
-+#if [[ "$(basename $BIN_PKG_FILES)" =~ "digest-list-tools" && \
-+# ! $(basename $BIN_PKG_FILES) =~ "debug" ]]; then
-+# Generate digest list for the user space parsers
-+
-+# do EBS sign
-+export PUBLISHER_HOST=$(grep PUBLISHER_HOST /lkp/scheduled/job.yaml | awk '{print $2}')
-+export PUBLISHER_PORT=$(grep PUBLISHER_PORT /lkp/scheduled/job.yaml | awk '{print $2}')
-+if [[ -n "$PUBLISHER_HOST" && -n "$PUBLISHER_PORT" ]]; then
-+ [ -f /usr/lib/rpm/brp-ebs-sign ] || exit 0
-+ sh /usr/lib/rpm/brp-ebs-sign --ima-digestlist $DIGEST_LIST_PATH 1>&2
-+ [ -f $DIGEST_LIST_PATH.sig ] || exit 0
-+ chmod 644 $DIGEST_LIST_PATH.sig
-+ mv $DIGEST_LIST_PATH.sig $DIGEST_LIST_PATH
-+ exit 0
-+fi
- 
-- [ -f /usr/lib/rpm/brp-suse.d/brp-99-pesign ] || exit 0
-+# do OBS sign
-+[ -f /usr/lib/rpm/brp-suse.d/brp-99-pesign ] || exit 0
- 
-- export BRP_PESIGN_FILES="$2/etc/ima/digest_lists/*"
-- export RPM_BUILD_ROOT
-- export RPM_PACKAGE_NAME="digest-list-tools"
-- export RPM_SOURCE_DIR="$(rpm --eval %_topdir)/SOURCES"
-+export BRP_PESIGN_FILES="$2/etc/ima/digest_lists/*"
-+export RPM_BUILD_ROOT
-+export RPM_PACKAGE_NAME="digest-list-tools"
-+export RPM_SOURCE_DIR="$(rpm --eval %_topdir)/SOURCES"
- 
-- if [ -f "/usr/lib/rpm/brp-suse.d/brp-99-pesign" ]; then
-- /usr/lib/rpm/brp-suse.d/brp-99-pesign &> /dev/null
-- fi
-+if [ -f "/usr/lib/rpm/brp-suse.d/brp-99-pesign" ]; then
-+ /usr/lib/rpm/brp-suse.d/brp-99-pesign &> /dev/null
- fi
-+#fi
-diff --git a/brp-ebs-sign b/brp-ebs-sign
-new file mode 100644
-index 0000000..a7a83e5
---- /dev/null
-+++ b/brp-ebs-sign
-@@ -0,0 +1,238 @@
-+#!/bin/bash
-+
-+INPUT_TYPE=$1
-+INPUT_FILE=$2
-+SIGN_FILE=$INPUT_FILE
-+PROJECT_CONF="/lkp/scheduled/job.yaml"
-+POST_ADDR=""
-+POST_FILE_SHA256=""
-+POST_KEY_NAME=""
-+POST_KEY_TYPE=""
-+POST_FILE_TYPE=""
-+POST_SIGN_TYPE=""
-+POST_JOB_ID=""
-+POST_OS_ORIJECT=""
-+CONFIG_RETEST_COUNT=5
-+SIGN_RESULT=0
-+FAILED_SIGN_PERMISSION_DENIED=2
-+
-+# Tool functions for JSON
-+get_json_value(){
-+ echo "$1" | \
-+ awk -F "[{,:}]" '{for(i=1;i<NF;i++){if($i~"'$2'"){print $(i+1)}}}' | \
-+ sed 's/\"//g'
-+}
-+
-+get_post_json() {
-+ printf '{'
-+ printf '"file_sha256":"%s",' $POST_FILE_SHA256
-+ printf '"key_name":"%s",' $POST_KEY_NAME
-+ printf '"key_type":"%s",' $POST_KEY_TYPE
-+ printf '"file_type":"%s",' $POST_FILE_TYPE
-+ printf '"sign_type":"%s",' $POST_SIGN_TYPE
-+ printf '"job_id":"%s",' $POST_JOB_ID
-+ printf '"os_project":"%s"' $POST_OS_ORIJECT
-+ printf '}'
-+}
-+
-+# Prepare sign functions for each sign type
-+module_sign_pre() {
-+ if [[ "$INPUT_FILE" != *.ko ]]; then
-+ echo "The module file must has the .ko extension"
-+ return 1
-+ fi
-+
-+ SIGN_FILE="$INPUT_FILE"
-+ POST_KEY_NAME="openeuler-kernel-module-ee"
-+ POST_KEY_TYPE="x509ee"
-+ POST_FILE_TYPE="kernel-module"
-+ POST_SIGN_TYPE="cms"
-+}
-+
-+ima_digestlist_sign_pre() {
-+ cp -f $INPUT_FILE $INPUT_FILE.ko
-+ SIGN_FILE="$INPUT_FILE.ko"
-+ POST_KEY_NAME="openeuler-ima-ee"
-+ POST_KEY_TYPE="x509ee"
-+ POST_FILE_TYPE="kernel-module"
-+ POST_SIGN_TYPE="cms"
-+}
-+
-+efi_sign_pre() {
-+ SIGN_FILE="$INPUT_FILE"
-+ POST_KEY_NAME="default-x509ee"
-+ POST_KEY_TYPE="x509ee"
-+ POST_FILE_TYPE="efi-image"
-+ POST_SIGN_TYPE="authenticode"
-+}
-+
-+kernel_sign_pre() {
-+ SIGN_FILE="$INPUT_FILE"
-+ POST_KEY_NAME="default-x509ee"
-+ POST_KEY_TYPE="x509ee"
-+ POST_FILE_TYPE="efi-image"
-+ POST_SIGN_TYPE="authenticode"
-+}
-+
-+# Post sign functions for each sign type
-+module_sign_post() {
-+ :
-+}
-+
-+ima_digestlist_sign_post() {
-+ rm -f $INPUT_FILE.ko
-+}
-+
-+efi_sign_post() {
-+ :
-+}
-+
-+kernel_sign_post() {
-+ :
-+}
-+
-+# Global configuration
-+sign_config() {
-+ if [ -z "$INPUT_TYPE" ] || [ -z "$INPUT_FILE" ]; then
-+ echo "Please input the sign type and file"
-+ exit 1
-+ fi
-+
-+ if [ ! -f "$INPUT_FILE" ]; then
-+ echo "The input file is invalid"
-+ exit 1
-+ fi
-+
-+ POST_FILE_SHA256=$(sha256sum "$INPUT_FILE" | awk '{ print $1 }')
-+ if [ $? -ne 0 ]; then
-+ echo "Failed to calculate file hash"
-+ fi
-+
-+ PUBLISHER_HOST=$(grep PUBLISHER_HOST $PROJECT_CONF | awk '{print $2}')
-+ PUBLISHER_PORT=$(grep PUBLISHER_PORT $PROJECT_CONF | awk '{print $2}')
-+ if [ -z "$PUBLISHER_HOST" ] || [ -z "$PUBLISHER_PORT" ]; then
-+ echo "Please set PUBLISHER_HOST and PUBLISHER_PORT"
-+ exit 1
-+ fi
-+
-+ POST_ADDR="http://${PUBLISHER_HOST}:${PUBLISHER_PORT}/code-sign"
-+
-+ POST_JOB_ID="$(grep -rwn 'id\:' $PROJECT_CONF | awk '{print $2}')"
-+ POST_OS_ORIJECT="$(grep -rwn 'os_project\:' $PROJECT_CONF | awk '{print $2}')"
-+ if [ -z "$POST_JOB_ID" ] || [ -z "$POST_OS_ORIJECT" ]; then
-+ echo "Failed to get POST_JOB_ID and POST_OS_ORIJECT"
-+ exit 1
-+ fi
-+}
-+
-+sign_pre() {
-+ sign_config
-+
-+ case $INPUT_TYPE in
-+ --efi)
-+ efi_sign_pre
-+ ;;
-+ --module)
-+ module_sign_pre
-+ ;;
-+ --ima-digestlist)
-+ ima_digestlist_sign_pre
-+ ;;
-+ --kernel)
-+ kernel_sign_pre
-+ ;;
-+ *)
-+ echo "Unsupported sign type: $INPUT_TYPE"
-+ exit 1
-+ ;;
-+ esac
-+}
-+
-+sign() {
-+ # 1. send the request to the sign service
-+ # echo "curl "$POST_ADDR" \
-+ # -F "file=@$SIGN_FILE" \
-+ # -F "data=$(get_post_json);type=application/json""
-+ req="$(curl "$POST_ADDR" \
-+ -F "file=@$SIGN_FILE" \
-+ -F "data=$(get_post_json);type=application/json")"
-+ if [ $? -ne 0 ]; then
-+ echo "Failed to post the sign service"
-+ return 1
-+ fi
-+
-+ req_err_msg=$(get_json_value "$req" "err_msg")
-+ if [ -n "$req_err_msg" ]; then
-+ echo "Failed, err_msg: [$req_err_msg]"
-+ if [ "$req_err_msg" == "SIGN_PERMISSION_DENIED" ]; then
-+ return $FAILED_SIGN_PERMISSION_DENIED
-+ fi
-+ return 1
-+ fi
-+
-+ # 2. write the file content
-+ encoded_file_content=$(get_json_value "$req" "encoded_file_content")
-+ if [ $? -ne 0 ]; then
-+ echo "Failed to get encoded file content"
-+ return 1
-+ fi
-+
-+ echo -ne "$encoded_file_content" | base64 -d > $INPUT_FILE.sig
-+ if [ $? -ne 0 ]; then
-+ echo "Failed to write the signed file"
-+ return 1
-+ fi
-+
-+ # for test
-+ # cp -f $INPUT_FILE $INPUT_FILE.sig
-+ # req="{file_sha256:41c68fca7b3870cc9ef13a828a74af933bd8e4ff345fcfa316}"
-+
-+ # 3. check the hash
-+ sha256_cal=$(sha256sum $INPUT_FILE.sig | awk '{print $1}')
-+ sha256_get=$(get_json_value "$req" "file_sha256" | tr '[:upper:]' '[:lower:]')
-+ if [ "$sha256_cal" != "$sha256_get" ]; then
-+ echo "Failed to verify the hash value"
-+ return 1
-+ fi
-+}
-+
-+sign_post() {
-+ case $INPUT_TYPE in
-+ --efi)
-+ efi_sign_post
-+ ;;
-+ --module)
-+ module_sign_post
-+ ;;
-+ --ima-digestlist)
-+ ima_digestlist_sign_post
-+ ;;
-+ --kernel)
-+ kernel_sign_post
-+ ;;
-+ esac
-+}
-+
-+# Main function
-+sign_pre
-+
-+for ((i=1; i<=$CONFIG_RETEST_COUNT; i++)); do
-+ sign
-+ ret_sign=$?
-+ if [ $ret_sign -eq 0 ]; then
-+ echo "Succeed to sign file"
-+ break;
-+ elif [ $ret_sign -eq $FAILED_SIGN_PERMISSION_DENIED ]; then
-+ echo "Failed to sign file, permission denied"
-+ SIGN_RESULT=$FAILED_SIGN_PERMISSION_DENIED
-+ break;
-+ elif [ $i -ne $CONFIG_RETEST_COUNT ]; then
-+ echo "Failed to sign file, try again"
-+ elif [ $i -eq $CONFIG_RETEST_COUNT ]; then
-+ echo "Failed to sign file"
-+ SIGN_RESULT=1
-+ fi
-+done
-+
-+sign_post
-+exit $SIGN_RESULT
--- 
-2.33.0
-
|