Sync from SUSE:SLFO:Main ima-evm-utils revision 30e084dc7635e7115b69d55200b7d506

2024-05-03 13:41:44 +02:00 · 2024-05-03 13:41:44 +02:00 · e67f674767
commit e67f674767
5 changed files with 500 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/0001-fsverity.test-Add-usr-sbin-into-PATH.patch
+++ b/0001-fsverity.test-Add-usr-sbin-into-PATH.patch
@ -0,0 +1,40 @@
+From e445cc94831c55b6c5430716bc03613b7a2bb83b Mon Sep 17 00:00:00 2001
+From: Petr Vorel <pvorel@suse.cz>
+Date: Fri, 10 Mar 2023 11:39:00 +0100
+Subject: [PATCH] fsverity.test: Add /usr/sbin into $PATH
+
+Unlike GitHub CI, tests which run by packaging tools often run as non-root,
+thus required tools aren't visible:
+
+./functions.sh: line 45: type: mkfs: not found
+mkfs is required for test
+./functions.sh: line 45: type: blkid: not found
+blkid is required for test
+./functions.sh: line 45: type: e2fsck: not found
+e2fsck is required for test
+./functions.sh: line 45: type: tune2fs: not found
+tune2fs is required for test
+
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+---
+Upstream status: https://lore.kernel.org/linux-integrity/20230310104729.32078-1-pvorel@suse.cz/
+
+ tests/fsverity.test | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/fsverity.test b/tests/fsverity.test
+index 01d5c35..a274158 100755
+--- a/tests/fsverity.test
+++ b/tests/fsverity.test
+@@ -30,7 +30,7 @@
+ # custom policy rules might take precedence.
+ 
+ cd "$(dirname "$0")" || exit 1
+-PATH=../src:../fsverity-utils:$PATH
+PATH=../src:../fsverity-utils:/usr/sbin:$PATH
+ source ./functions.sh
+ 
+ # Base VERBOSE on the environment variable, if set.
+-- 
+2.39.2
+
--- a/ima-evm-utils-1.5.tar.gz
+++ b/ima-evm-utils-1.5.tar.gz
--- a/ima-evm-utils.changes
+++ b/ima-evm-utils.changes
@ -0,0 +1,321 @@
+-------------------------------------------------------------------
+Fri Dec 15 10:55:12 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
+
+- Update download url.
+
+-------------------------------------------------------------------
+Fri Mar 10 07:53:03 UTC 2023 - Petr Vorel <pvorel@suse.cz>
+
+- Update to version 1.5
+	* CI changes:
+	  * New: UML kernel testing environment
+	  * Support for running specific test(s)
+	  * Update distros
+	  * Update software release versions
+	* New features:
+	  * Signing fs-verity signatures
+	  * Reading TPM 2.0 PCRs via sysfs interface
+	* New tests:
+	  * Missing IMA mmapped file measurements
+	  * Overlapping IMA policy rules
+	  * EVM portable signatures
+	  * fs-verity file measurements in the IMA measurement list
+	* Build and library changes:
+	  * OpenSSL 3.0 version related changes
+	  * New configuration options: --disable-engine, --enable-sigv1
+	  * Deprecate IMA signature v1 format
+	* Misc bug fixes and code cleanup:
+	  * memory leaks, bounds checking, use after free
+	  * Fix and update test output
+	  * Add missing sanity checks
+	* Documentation:
+	  * Store the sourceforge ima-evm-utils wiki for historical
+	    purposes.
+- Upstream bumped soname to 4.0.0
+- Add BuildRequires: e2fsprogs util-linux (required by tests, which are mandatory)
+- /usr/sbin to PATH (0001-fsverity.test-Add-usr-sbin-into-PATH.patch, sent to upstream ML)
+
+-------------------------------------------------------------------
+Mon Apr 25 11:32:18 UTC 2022 - Marcus Meissner <meissner@suse.com>
+
+- switch to use https urls
+
+-------------------------------------------------------------------
+Fri Nov  5 08:16:40 UTC 2021 - Petr Vorel <pvorel@suse.cz>
+
+- Update to version 1.4
+	* Elliptic curve support and tests
+	* PKCS11 support and tests
+	* Ability to manually specify the keyid included in the IMA xattr
+	* Improve IMA measurement list per TPM bank verification
+	* Linking with IBM TSS
+	* Set default hash algorithm in package configuration
+	* (Minimal) support and test EVM portable signatures
+	* CI testing:
+	  * Refresh and include new distros
+	  * Podman support
+	  * GitHub Actions
+	  * Limit "sudo" usage
+	* Misc bug fixes and code cleanup
+	  * Fix static analysis bug reports, memory leaks
+	  * Remove experimental code that was never upstreamed in the kernel
+	  * Use unsigned variable, remove unused variables, etc
+- Upstream bumped soname to 3.0.0
+
+-------------------------------------------------------------------
+Thu Oct 29 06:12:46 UTC 2020 - Petr Vorel <pvorel@suse.cz>
+
+- Update to version 1.3.2
+	* Bugfixes: importing keys
+	* NEW: Docker based travis distro testing
+	* Travis bugfixes, code cleanup, software version update,
+	  and script removal
+	* Initial travis testing
+- Remove 0001-help-Add-missing-new-line-for-ignore-violations.patch
+  (patch from this release)
+- Add make check + dependencies (getfattr => attr, xxd => vim)
+
+-------------------------------------------------------------------
+Thu Oct  1 13:42:17 UTC 2020 - Petr Vorel <pvorel@suse.cz>
+
+- Fix missing new line in help
+  (0001-help-Add-missing-new-line-for-ignore-violations.patch)
+
+-------------------------------------------------------------------
+Fri Aug 14 14:50:08 UTC 2020 - Petr Vorel <pvorel@suse.cz>
+
+- Update to version 1.3.1
+	* "--pcrs" support for per crypto algorithm
+	* Drop/rename "ima_measurement" options
+	* Moved this summary from "Changelog" to "NEWS", removing
+	  requirement for GNU empty files
+	* Distro build fixes
+
+  * Remove 0001-pcr_tss-Fix-compilation-for-old-compilers.patch (from this
+    release)
+
+-------------------------------------------------------------------
+Thu Jul 23 07:15:19 UTC 2020 - Petr Vorel <pvorel@suse.cz>
+
+- Use %autosetup -p1
+
+-------------------------------------------------------------------
+Wed Jul 22 12:10:45 UTC 2020 - Petr Vorel <pvorel@suse.cz>
+
+- Remove suse_version check for tpm2-0-tss-devel as the package is available
+  for back as far as SLE 12 SP2 and respective openSUSE versions (also check
+  was wrong, should have been 1500).
+
+-------------------------------------------------------------------
+Wed Jul 22 11:35:42 UTC 2020 - Petr Vorel <pvorel@suse.cz>
+
+- Fixes from previous SR (reported by fvogt):
+  * Move ibmtss runtime dependency to evmctl package
+  * Remove dependencies to devel package (should not be needed)
+
+-------------------------------------------------------------------
+Wed Jul 22 08:23:08 UTC 2020 - Petr Vorel <pvorel@suse.cz>
+
+- Update to version 1.3
+	version 1.3 new features:
+	* NEW ima-evm-utils regression test infrastructure with two initial
+	  tests:
+	  - ima_hash.test: calculate/verify different crypto hash algorithms
+	  - sign_verify.test: EVM and IMA sign/verify signature tests
+	* TPM 2.0 support
+	  - Calculate the new per TPM 2.0 bank template data digest
+	  - Support original padding the SHA1 template data digest
+	  - Compare ALL the re-calculated TPM 2.0 bank PCRs against the
+	    TPM 2.0 bank PCR values
+	  - Calculate the per TPM bank "boot_aggregate" values, including
+	    PCRs 8 & 9 in calculation
+	  - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
+	  - boot_aggregate.test: compare the calculated "boot_aggregate"
+	    values with the "boot_aggregate" value included in the IMA
+	    measurement.
+	* TPM 1.2 support
+	  - Additionally support reading the TPM 1.2 PCRs from a supplied file
+	    ("--pcrs" option)
+	* Based on original IMA LTP and standalone version support
+	  - Calculate the TPM 1.2 "boot_aggregate" based on the exported
+	    TPM 1.2 BIOS event log.
+	  - In addition to verifying the IMA measurement list against the
+	    the TPM PCRs, verify the IMA template data digest against the
+	    template data.  (Based on LTP "--verify" option.)
+	  - Ignore file measurement violations while verifying the IMA
+	    measurment list. (Based on LTP "--validate" option.)
+	  - Verify the file data signature included in the measurement list
+	    based on the file hash also included in the measurement list
+	    (--verify-sig)
+	  - Support original "ima" template (mixed templates not supported)
+	* Support "sm3" crypto name
+
+	Bug fixes and code cleanup:
+	* Don't exit with -1 on failure, exit with 125
+	* On signature verification failure, include pathname.
+	* Provide minimal hash_info.h file in case one doesn't exist, needed
+	  by the ima-evm-utils regression tests.
+	* On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs
+	* Fix hash_algo type comparison mismatch
+	* Simplify/clean up code
+	* Address compiler complaints and failures
+	* Fix memory allocations and leaks
+	* Sanity check provided input files are regular files
+	* Revert making "tsspcrread" a compile build time decision.
+	* Limit additional messages based on log level (-v)
+
+- Add patch 0001-pcr_tss-Fix-compilation-for-old-compilers.patch
+- Upstream bumped soname to 2.0.0
+- Add tpm2-0-tss-devel for Tumbleweed as build dependency, for the rest ibmtss
+  as runtime dependency (needed for for reading PCR in ima_boot_aggregate cmd;
+  better to use libtss2-esys and libtss2-rc than require tsspcrread binary in
+  runtime, but tpm2-0-tss-devel is available only for Tumbleweed) + the same
+  logic as runtime dependency for devel package
+- Mark COPYING as %license
+
+-------------------------------------------------------------------
+Tue Jul 30 21:55:31 UTC 2019 - Petr Vorel <pvorel@suse.cz>
+
+- Update to version 1.2.1 (included changes of unreleased v1.2)
+	version 1.2 new features:
+	* Generate EVM signatures based on the specified hash algorithm
+	* include "security.apparmor" in EVM signature
+	* Add support for writing & verifying "user.xxxx" xattrs for testing
+	* Support Strebog/Gost hash functions
+	* Add OpenSSL engine support
+	* Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
+	* Support verifying multiple signatures at once
+	* Support new template "buf" field and warn about other unknown fields
+	* Improve OpenSSL error reporting
+	* Support reading TPM 2.0 PCRs using tsspcrread
+
+	Bug fixes and code cleanup:
+	* Update manpage stylesheet detection
+	* Fix xattr.h include file
+	* On error when reading TPM PCRs, don't log gargabe
+	* Properly return keyid string to calc_keyid_v1/v2 callers, caused by
+	  limiting keyid output to verbose mode
+	* Fix hash buffer overflow caused by EVM support for larger hashes,
+	  defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
+	* Linked with libcrypto instead of OpenSSL
+	* Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
+	* Include new "hash-info.gen" in tar
+	* Log the hash algorithm, not just the hash value
+	* Fixed memory leaks in: EV_MD_CTX, init_public_keys
+	* Fixed other warnings/bugs discovered by clang, coverity
+	* Remove indirect calls in verify_hash() to improve code readability
+	* Don't fallback to using sha1
+	* Namespace some too generic object names
+	* Make functions/arrays static if possible
+
+- Upstream bumped soname to 1.0.0 in v1.2
+- Drop ima-evm-utils-xattr.patch and ima-evm-utils-fix-docbook-xsl-directory.patch (included in v1.2)
+
+-------------------------------------------------------------------
+Wed Sep 12 06:03:41 UTC 2018 - meissner@suse.com
+
+- ima-evm-utils-xattr.patch: xattr.h is now libattr.h
+
+-------------------------------------------------------------------
+Fri Mar 16 09:23:01 UTC 2018 - pvorel@suse.cz
+
+- Update to version 1.1
+  * Support the new openssl 1.1 api
+  * Support for validating multiple pcrs
+  * Verify the measurement list signature based on the list digest
+  * Verify the "ima-sig" measurement list using multiple keys
+  * Fixed parsing the measurement template data field length
+  * Portable & immutable EVM signatures (new format)
+  * Multiple fixes that have been lingering in the next branch. Some
+    are for experimental features that are not yet supported in the
+    kernel.
+- Drop ima-evm-utils-openssl1.patch (not needed any more as IMA got
+  backward compatible support for openssl 1.1).
+
+-------------------------------------------------------------------
+Tue Nov 21 08:42:47 UTC 2017 - mpluskal@suse.com
+
+- Small spec file cleanup with spec-cleaner
+
+-------------------------------------------------------------------
+Wed Nov  8 12:31:07 UTC 2017 - meissner@suse.com
+
+- ima-evm-utils-openssl1.patch: allow building against openssl 1.1 (bsc#1066947)
+
+-------------------------------------------------------------------
+Mon Oct 23 09:25:38 UTC 2017 - matthias.gerstner@suse.com
+
+- added openssl-devel dependency to ima-evm-utils-devel. otherwise the ima
+  header can't be included if the openssl headers are missing
+
+-------------------------------------------------------------------
+Sat Oct 14 22:48:40 UTC 2017 - jengelh@inai.de
+
+- No need to remove .a files which don't exist.
+- Drop extraneous ldconfig call on preun.
+- Update RPM groups and descriptions.
+
+-------------------------------------------------------------------
+Fri Oct 13 14:09:08 UTC 2017 - matthias.gerstner@suse.com
+
+- ima-evm-utils-fix-docbook-xsl-directory.patch: adjusted to refer to the
+  "current" version of stylesheet to make the build work again
+- adjusted spec file to apply stylesheet patch to SLE12 as well
+
+-------------------------------------------------------------------
+Mon May  8 12:48:44 UTC 2017 - meissner@suse.com
+
+- Add ima-evm-utils to SLES. (FATE#321603)
+
+-------------------------------------------------------------------
+Tue Jan 19 09:32:33 UTC 2016 - meissner@suse.com
+
+- ima-evm-utils-fix-docbook-xsl-directory.patch: 
+  fixed the nwalsh docbook directory again
+
+-------------------------------------------------------------------
+Wed Dec  2 13:44:58 UTC 2015 - p.drouand@gmail.com
+
+- Update to version 1.0
+  * Recursive hashing
+  * Immutable EVM signatures (experimental)
+  * Command 'ima_clear' to remove xattrs
+  * Support for passing password to the library
+  * Support for asking password safely from the user
+
+-------------------------------------------------------------------
+Wed Jan 21 17:39:08 UTC 2015 - p.drouand@gmail.com
+
+- Update to version 0.9
+  * Updated README
+  * man page generated and added to the package
+  * Use additional SMACK xattrs for EVM signature generation
+  * Signing functions moved to libimaevm for external use (RPM)
+  * Fixed setting of correct hash header
+- Add additional requirements; asciidoc, docbook-xsl-stylesheets,
+  libattr-devel and libxslt-tools
+- Remove COPYING from sources; upstream provides one now
+- Remove automake.patch; "test" directory isn't provided by upstream
+  anymore
+- Remove ima-evm-utils-xattr.patch; libimaevm0 does link against
+  libattr now
+- Split package in three subpackage
+  * libimaevm0: contains shared library
+  * -devel: contains header and examples files
+  * evmctl: the kernel signing tool
+- Add ima-evm-utils-fix-docbook-xsl-directory.patch; fix path
+  where Make is looking for docbook.xsl
+
+-------------------------------------------------------------------
+Sun Oct 12 15:03:26 UTC 2014 - crrodriguez@opensuse.org
+
+- ima-evm-utils-xattr.patch: libattr is never linked, things
+ still work because glibc provides the same interface, switch
+ the includes to the glibc headers and remove the build dependency.
+
+-------------------------------------------------------------------
+Tue Aug 13 08:52:35 UTC 2013 - meissner@suse.com
+
+- Initial packaging of IMA EVM tool.
+- automake.patch: fix for newer automake
+- supply COPYING for LGPL-2.1+, as package only has an empty one.
--- a/ima-evm-utils.spec
+++ b/ima-evm-utils.spec
@ -0,0 +1,113 @@
+#
+# spec file for package ima-evm-utils
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define sover 4
+%define libname libimaevm%{sover}
+Name:           ima-evm-utils
+Version:        1.5
+Release:        0
+Summary:        IMA/EVM control utility
+License:        LGPL-2.1-or-later
+Group:          System/Base
+URL:            https://sourceforge.net/projects/linux-ima/
+Source0:        https://github.com/mimizohar/ima-evm-utils/releases/download/v%{version}/%{name}-%{version}.tar.gz
+Patch1:         0001-fsverity.test-Add-usr-sbin-into-PATH.patch
+BuildRequires:  asciidoc
+BuildRequires:  attr
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  docbook-xsl-stylesheets
+BuildRequires:  e2fsprogs
+BuildRequires:  keyutils-devel
+BuildRequires:  libattr-devel
+BuildRequires:  libtool
+BuildRequires:  libxslt-tools
+BuildRequires:  openssl-devel
+BuildRequires:  pkgconfig
+BuildRequires:  tpm2-0-tss-devel
+BuildRequires:  util-linux
+BuildRequires:  vim
+
+%description
+This package provides the control utility for IMA/EVM (Integrity
+Measurement Architecture/ Linux Extended Verification Module).
+
+%package devel
+Summary:        Development files for the IMA/EVM control utility library
+Group:          Development/Libraries/C and C++
+Requires:       %{libname} = %{version}
+Requires:       openssl-devel
+
+%description devel
+This package contains the header files and the utilities for %{name}.
+
+%package -n %{libname}
+Summary:        IMA/EVM control utility libary
+Group:          System/Libraries
+
+%description -n %{libname}
+This package provides the shared library for IMA/EVM (Integrity
+Measurement Architecture/Extended Verification Module).
+
+%package -n evmctl
+Summary:        IMA/EVM signing utility
+Group:          System/Kernel
+Provides:       ima-evm-utils = %{version}
+Obsoletes:      ima-evm-utils < %{version}
+
+%description -n evmctl
+The evmctl utility can be used for producing and verifying digital signatures,
+which are used by Linux kernel integrity subsystem (IMA/EVM). It can be also
+used to import keys into the kernel keyring.
+
+%prep
+%autosetup -p1
+
+%build
+autoreconf -fiv
+%configure \
+  --disable-static
+make %{?_smp_mflags}
+
+%install
+%make_install
+# Let do it by ourselves later...
+rm -rf %{buildroot}%{_datadir}/doc
+find %{buildroot} -type f -name "*.la" -delete -print
+
+%check
+make %{?_smp_mflags} check
+
+%post -n %{libname} -p /sbin/ldconfig
+%postun -n %{libname} -p /sbin/ldconfig
+
+%files devel
+%doc examples/*
+%{_includedir}/*
+%{_libdir}/libimaevm.so
+
+%files -n %{libname}
+%doc README NEWS AUTHORS
+%license COPYING
+%{_libdir}/libimaevm.so.%{sover}*
+
+%files -n evmctl
+%{_bindir}/evmctl
+%{_mandir}/man1/evmctl.1%{ext_man}
+
+%changelog