From e67f674767dba0d4ef7e2e8c634a66804934a465781eb7d82cc78f2a8480c5af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 3 May 2024 13:41:44 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main ima-evm-utils revision 30e084dc7635e7115b69d55200b7d506
---
 .gitattributes | 23 ++
 ...fsverity.test-Add-usr-sbin-into-PATH.patch | 40 +++
 ima-evm-utils-1.5.tar.gz | 3 +
 ima-evm-utils.changes | 321 ++++++++++++++++++
 ima-evm-utils.spec | 113 ++++++
 5 files changed, 500 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 0001-fsverity.test-Add-usr-sbin-into-PATH.patch
 create mode 100644 ima-evm-utils-1.5.tar.gz
 create mode 100644 ima-evm-utils.changes
 create mode 100644 ima-evm-utils.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/0001-fsverity.test-Add-usr-sbin-into-PATH.patch b/0001-fsverity.test-Add-usr-sbin-into-PATH.patch
new file mode 100644
index 0000000..154af9f
--- /dev/null
+++ b/0001-fsverity.test-Add-usr-sbin-into-PATH.patch
@@ -0,0 +1,40 @@
+From e445cc94831c55b6c5430716bc03613b7a2bb83b Mon Sep 17 00:00:00 2001
+From: Petr Vorel
+Date: Fri, 10 Mar 2023 11:39:00 +0100
+Subject: [PATCH] fsverity.test: Add /usr/sbin into $PATH
+
+Unlike GitHub CI, tests which run by packaging tools often run as non-root,
+thus required tools aren't visible:
+
+./functions.sh: line 45: type: mkfs: not found
+mkfs is required for test
+./functions.sh: line 45: type: blkid: not found
+blkid is required for test
+./functions.sh: line 45: type: e2fsck: not found
+e2fsck is required for test
+./functions.sh: line 45: type: tune2fs: not found
+tune2fs is required for test
+
+Signed-off-by: Petr Vorel
+---
+Upstream status: https://lore.kernel.org/linux-integrity/20230310104729.32078-1-pvorel@suse.cz/
+
+ tests/fsverity.test | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/fsverity.test b/tests/fsverity.test
+index 01d5c35..a274158 100755
+--- a/tests/fsverity.test
++++ b/tests/fsverity.test
+@@ -30,7 +30,7 @@
+ # custom policy rules might take precedence.
+ 
+ cd "$(dirname "$0")" || exit 1
+-PATH=../src:../fsverity-utils:$PATH
++PATH=../src:../fsverity-utils:/usr/sbin:$PATH
+ source ./functions.sh
+ 
+ # Base VERBOSE on the environment variable, if set.
+-- 
+2.39.2
+
diff --git a/ima-evm-utils-1.5.tar.gz b/ima-evm-utils-1.5.tar.gz
new file mode 100644
index 0000000..44138a1
--- /dev/null
+++ b/ima-evm-utils-1.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d
+size 153440
diff --git a/ima-evm-utils.changes b/ima-evm-utils.changes
new file mode 100644
index 0000000..7071f80
--- /dev/null
+++ b/ima-evm-utils.changes
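Review bot: The added `/usr/sbin` only covers the merged-/usr layout; on a host where mkfs, blkid, e2fsck and tune2fs still live in `/sbin`, the `type: mkfs: not found` failure this patch is fixing would persist, and `PATH=../src:../fsverity-utils:/usr/sbin:/sbin:$PATH` would cover both layouts. Whether the test is ever run on such a layout depends on the build environments, which this page does not show. The relative `../src:../fsverity-utils` entries ahead of the system directories are pre-existing and are what lets the freshly built in-tree binaries win the lookup, which is the intent of a test harness. The enclosing fsverity.test script continues outside the quoted hunk.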
@@ -0,0 +1,321 @@
+-------------------------------------------------------------------
+Fri Dec 15 10:55:12 UTC 2023 - Frederic Crozat
+
+- Update download url.
+
+-------------------------------------------------------------------
+Fri Mar 10 07:53:03 UTC 2023 - Petr Vorel
+
+- Update to version 1.5
+ * CI changes:
+ * New: UML kernel testing environment
+ * Support for running specific test(s)
+ * Update distros
+ * Update software release versions
+ * New features:
+ * Signing fs-verity signatures
+ * Reading TPM 2.0 PCRs via sysfs interface
+ * New tests:
+ * Missing IMA mmapped file measurements
+ * Overlapping IMA policy rules
+ * EVM portable signatures
+ * fs-verity file measurements in the IMA measurement list
+ * Build and library changes:
+ * OpenSSL 3.0 version related changes
+ * New configuration options: --disable-engine, --enable-sigv1
+ * Deprecate IMA signature v1 format
+ * Misc bug fixes and code cleanup:
+ * memory leaks, bounds checking, use after free
+ * Fix and update test output
+ * Add missing sanity checks
+ * Documentation:
+ * Store the sourceforge ima-evm-utils wiki for historical
+ purposes.
+- Upstream bumped soname to 4.0.0
+- Add BuildRequires: e2fsprogs util-linux (required by tests, which are mandatory)
+- /usr/sbin to PATH (0001-fsverity.test-Add-usr-sbin-into-PATH.patch, sent to upstream ML)
+
+-------------------------------------------------------------------
+Mon Apr 25 11:32:18 UTC 2022 - Marcus Meissner
+
+- switch to use https urls
+
+-------------------------------------------------------------------
+Fri Nov 5 08:16:40 UTC 2021 - Petr Vorel
+
+- Update to version 1.4
+ * Elliptic curve support and tests
+ * PKCS11 support and tests
+ * Ability to manually specify the keyid included in the IMA xattr
+ * Improve IMA measurement list per TPM bank verification
+ * Linking with IBM TSS
+ * Set default hash algorithm in package configuration
+ * (Minimal) support and test EVM portable signatures
+ * CI testing:
+ * Refresh and include new distros
+ * Podman support
+ * GitHub Actions
+ * Limit "sudo" usage
+ * Misc bug fixes and code cleanup
+ * Fix static analysis bug reports, memory leaks
+ * Remove experimental code that was never upstreamed in the kernel
+ * Use unsigned variable, remove unused variables, etc
+- Upstream bumped soname to 3.0.0
+
+-------------------------------------------------------------------
+Thu Oct 29 06:12:46 UTC 2020 - Petr Vorel
+
+- Update to version 1.3.2
+ * Bugfixes: importing keys
+ * NEW: Docker based travis distro testing
+ * Travis bugfixes, code cleanup, software version update,
+ and script removal
+ * Initial travis testing
+- Remove 0001-help-Add-missing-new-line-for-ignore-violations.patch
+ (patch from this release)
+- Add make check + dependencies (getfattr => attr, xxd => vim)
+
+-------------------------------------------------------------------
+Thu Oct 1 13:42:17 UTC 2020 - Petr Vorel
+
+- Fix missing new line in help
+ (0001-help-Add-missing-new-line-for-ignore-violations.patch)
+
+-------------------------------------------------------------------
+Fri Aug 14 14:50:08 UTC 2020 - Petr Vorel
+
+- Update to version 1.3.1
+ * "--pcrs" support for per crypto algorithm
+ * Drop/rename "ima_measurement" options
+ * Moved this summary from "Changelog" to "NEWS", removing
+ requirement for GNU empty files
+ * Distro build fixes
+
+ * Remove 0001-pcr_tss-Fix-compilation-for-old-compilers.patch (from this
+ release)
+
+-------------------------------------------------------------------
+Thu Jul 23 07:15:19 UTC 2020 - Petr Vorel
+
+- Use %autosetup -p1
+
+-------------------------------------------------------------------
+Wed Jul 22 12:10:45 UTC 2020 - Petr Vorel
+
+- Remove suse_version check for tpm2-0-tss-devel as the package is available
+ for back as far as SLE 12 SP2 and respective openSUSE versions (also check
+ was wrong, should have been 1500).
+
+-------------------------------------------------------------------
+Wed Jul 22 11:35:42 UTC 2020 - Petr Vorel
+
+- Fixes from previous SR (reported by fvogt):
+ * Move ibmtss runtime dependency to evmctl package
+ * Remove dependencies to devel package (should not be needed)
+
+-------------------------------------------------------------------
+Wed Jul 22 08:23:08 UTC 2020 - Petr Vorel
+
+- Update to version 1.3
+ version 1.3 new features:
+ * NEW ima-evm-utils regression test infrastructure with two initial
+ tests:
+ - ima_hash.test: calculate/verify different crypto hash algorithms
+ - sign_verify.test: EVM and IMA sign/verify signature tests
+ * TPM 2.0 support
+ - Calculate the new per TPM 2.0 bank template data digest
+ - Support original padding the SHA1 template data digest
+ - Compare ALL the re-calculated TPM 2.0 bank PCRs against the
+ TPM 2.0 bank PCR values
+ - Calculate the per TPM bank "boot_aggregate" values, including
+ PCRs 8 & 9 in calculation
+ - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
+ - boot_aggregate.test: compare the calculated "boot_aggregate"
+ values with the "boot_aggregate" value included in the IMA
+ measurement.
+ * TPM 1.2 support
+ - Additionally support reading the TPM 1.2 PCRs from a supplied file
+ ("--pcrs" option)
+ * Based on original IMA LTP and standalone version support
+ - Calculate the TPM 1.2 "boot_aggregate" based on the exported
+ TPM 1.2 BIOS event log.
+ - In addition to verifying the IMA measurement list against the
+ the TPM PCRs, verify the IMA template data digest against the
+ template data. (Based on LTP "--verify" option.)
+ - Ignore file measurement violations while verifying the IMA
+ measurment list. (Based on LTP "--validate" option.)
+ - Verify the file data signature included in the measurement list
+ based on the file hash also included in the measurement list
+ (--verify-sig)
+ - Support original "ima" template (mixed templates not supported)
+ * Support "sm3" crypto name
+
+ Bug fixes and code cleanup:
+ * Don't exit with -1 on failure, exit with 125
+ * On signature verification failure, include pathname.
+ * Provide minimal hash_info.h file in case one doesn't exist, needed
+ by the ima-evm-utils regression tests.
+ * On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs
+ * Fix hash_algo type comparison mismatch
+ * Simplify/clean up code
+ * Address compiler complaints and failures
+ * Fix memory allocations and leaks
+ * Sanity check provided input files are regular files
+ * Revert making "tsspcrread" a compile build time decision.
+ * Limit additional messages based on log level (-v)
+
+- Add patch 0001-pcr_tss-Fix-compilation-for-old-compilers.patch
+- Upstream bumped soname to 2.0.0
+- Add tpm2-0-tss-devel for Tumbleweed as build dependency, for the rest ibmtss
+ as runtime dependency (needed for for reading PCR in ima_boot_aggregate cmd;
+ better to use libtss2-esys and libtss2-rc than require tsspcrread binary in
+ runtime, but tpm2-0-tss-devel is available only for Tumbleweed) + the same
+ logic as runtime dependency for devel package
+- Mark COPYING as %license
+
+-------------------------------------------------------------------
+Tue Jul 30 21:55:31 UTC 2019 - Petr Vorel
+
+- Update to version 1.2.1 (included changes of unreleased v1.2)
+ version 1.2 new features:
+ * Generate EVM signatures based on the specified hash algorithm
+ * include "security.apparmor" in EVM signature
+ * Add support for writing & verifying "user.xxxx" xattrs for testing
+ * Support Strebog/Gost hash functions
+ * Add OpenSSL engine support
+ * Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
+ * Support verifying multiple signatures at once
+ * Support new template "buf" field and warn about other unknown fields
+ * Improve OpenSSL error reporting
+ * Support reading TPM 2.0 PCRs using tsspcrread
+
+ Bug fixes and code cleanup:
+ * Update manpage stylesheet detection
+ * Fix xattr.h include file
+ * On error when reading TPM PCRs, don't log gargabe
+ * Properly return keyid string to calc_keyid_v1/v2 callers, caused by
+ limiting keyid output to verbose mode
+ * Fix hash buffer overflow caused by EVM support for larger hashes,
+ defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
+ * Linked with libcrypto instead of OpenSSL
+ * Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
+ * Include new "hash-info.gen" in tar
+ * Log the hash algorithm, not just the hash value
+ * Fixed memory leaks in: EV_MD_CTX, init_public_keys
+ * Fixed other warnings/bugs discovered by clang, coverity
+ * Remove indirect calls in verify_hash() to improve code readability
+ * Don't fallback to using sha1
+ * Namespace some too generic object names
+ * Make functions/arrays static if possible
+
+- Upstream bumped soname to 1.0.0 in v1.2
+- Drop ima-evm-utils-xattr.patch and ima-evm-utils-fix-docbook-xsl-directory.patch (included in v1.2)
+
+-------------------------------------------------------------------
+Wed Sep 12 06:03:41 UTC 2018 - meissner@suse.com
+
+- ima-evm-utils-xattr.patch: xattr.h is now libattr.h
+
+-------------------------------------------------------------------
+Fri Mar 16 09:23:01 UTC 2018 - pvorel@suse.cz
+
+- Update to version 1.1
+ * Support the new openssl 1.1 api
+ * Support for validating multiple pcrs
+ * Verify the measurement list signature based on the list digest
+ * Verify the "ima-sig" measurement list using multiple keys
+ * Fixed parsing the measurement template data field length
+ * Portable & immutable EVM signatures (new format)
+ * Multiple fixes that have been lingering in the next branch. Some
+ are for experimental features that are not yet supported in the
+ kernel.
+- Drop ima-evm-utils-openssl1.patch (not needed any more as IMA got
+ backward compatible support for openssl 1.1).
+
+-------------------------------------------------------------------
+Tue Nov 21 08:42:47 UTC 2017 - mpluskal@suse.com
+
+- Small spec file cleanup with spec-cleaner
+
+-------------------------------------------------------------------
+Wed Nov 8 12:31:07 UTC 2017 - meissner@suse.com
+
+- ima-evm-utils-openssl1.patch: allow building against openssl 1.1 (bsc#1066947)
+
+-------------------------------------------------------------------
+Mon Oct 23 09:25:38 UTC 2017 - matthias.gerstner@suse.com
+
+- added openssl-devel dependency to ima-evm-utils-devel. otherwise the ima
+ header can't be included if the openssl headers are missing
+
+-------------------------------------------------------------------
+Sat Oct 14 22:48:40 UTC 2017 - jengelh@inai.de
+
+- No need to remove .a files which don't exist.
+- Drop extraneous ldconfig call on preun.
+- Update RPM groups and descriptions.
+
+-------------------------------------------------------------------
+Fri Oct 13 14:09:08 UTC 2017 - matthias.gerstner@suse.com
+
+- ima-evm-utils-fix-docbook-xsl-directory.patch: adjusted to refer to the
+ "current" version of stylesheet to make the build work again
+- adjusted spec file to apply stylesheet patch to SLE12 as well
+
+-------------------------------------------------------------------
+Mon May 8 12:48:44 UTC 2017 - meissner@suse.com
+
+- Add ima-evm-utils to SLES.
(FATE#321603)
+
+-------------------------------------------------------------------
+Tue Jan 19 09:32:33 UTC 2016 - meissner@suse.com
+
+- ima-evm-utils-fix-docbook-xsl-directory.patch:
+ fixed the nwalsh docbook directory again
+
+-------------------------------------------------------------------
+Wed Dec 2 13:44:58 UTC 2015 - p.drouand@gmail.com
+
+- Update to version 1.0
+ * Recursive hashing
+ * Immutable EVM signatures (experimental)
+ * Command 'ima_clear' to remove xattrs
+ * Support for passing password to the library
+ * Support for asking password safely from the user
+
+-------------------------------------------------------------------
+Wed Jan 21 17:39:08 UTC 2015 - p.drouand@gmail.com
+
+- Update to version 0.9
+ * Updated README
+ * man page generated and added to the package
+ * Use additional SMACK xattrs for EVM signature generation
+ * Signing functions moved to libimaevm for external use (RPM)
+ * Fixed setting of correct hash header
+- Add additional requirements; asciidoc, docbook-xsl-stylesheets,
+ libattr-devel and libxslt-tools
+- Remove COPYING from sources; upstream provides one now
+- Remove automake.patch; "test" directory isn't provided by upstream
+ anymore
+- Remove ima-evm-utils-xattr.patch; libimaevm0 does link against
+ libattr now
+- Split package in three subpackage
+ * libimaevm0: contains shared library
+ * -devel: contains header and examples files
+ * evmctl: the kernel signing tool
+- Add ima-evm-utils-fix-docbook-xsl-directory.patch; fix path
+ where Make is looking for docbook.xsl
+
+-------------------------------------------------------------------
+Sun Oct 12 15:03:26 UTC 2014 - crrodriguez@opensuse.org
+
+- ima-evm-utils-xattr.patch: libattr is never linked, things
+ still work because glibc provides the same interface, switch
+ the includes to the glibc headers and remove the build dependency.
+
+-------------------------------------------------------------------
+Tue Aug 13 08:52:35 UTC 2013 - meissner@suse.com
+
+- Initial packaging of IMA EVM tool.
+- automake.patch: fix for newer automake
+- supply COPYING for LGPL-2.1+, as package only has an empty one.
diff --git a/ima-evm-utils.spec b/ima-evm-utils.spec
new file mode 100644
index 0000000..9b187a4
--- /dev/null
+++ b/ima-evm-utils.spec
@@ -0,0 +1,113 @@
+#
+# spec file for package ima-evm-utils
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define sover 4
+%define libname libimaevm%{sover}
+Name: ima-evm-utils
+Version: 1.5
+Release: 0
+Summary: IMA/EVM control utility
+License: LGPL-2.1-or-later
+Group: System/Base
+URL: https://sourceforge.net/projects/linux-ima/
+Source0: https://github.com/mimizohar/ima-evm-utils/releases/download/v%{version}/%{name}-%{version}.tar.gz
+Patch1: 0001-fsverity.test-Add-usr-sbin-into-PATH.patch
+BuildRequires: asciidoc
+BuildRequires: attr
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: docbook-xsl-stylesheets
+BuildRequires: e2fsprogs
+BuildRequires: keyutils-devel
+BuildRequires: libattr-devel
+BuildRequires: libtool
+BuildRequires: libxslt-tools
+BuildRequires: openssl-devel
+BuildRequires: pkgconfig
+BuildRequires: tpm2-0-tss-devel
+BuildRequires: util-linux
+BuildRequires: vim
+
+%description
+This package provides the control utility for IMA/EVM (Integrity
+Measurement Architecture/ Linux Extended Verification Module).
+
+%package devel
+Summary: Development files for the IMA/EVM control utility library
+Group: Development/Libraries/C and C++
+Requires: %{libname} = %{version}
+Requires: openssl-devel
+
+%description devel
+This package contains the header files and the utilities for %{name}.
+
+%package -n %{libname}
+Summary: IMA/EVM control utility libary
+Group: System/Libraries
+
+%description -n %{libname}
+This package provides the shared library for IMA/EVM (Integrity
+Measurement Architecture/Extended Verification Module).
+
+%package -n evmctl
+Summary: IMA/EVM signing utility
+Group: System/Kernel
+Provides: ima-evm-utils = %{version}
+Obsoletes: ima-evm-utils < %{version}
+
+%description -n evmctl
+The evmctl utility can be used for producing and verifying digital signatures,
+which are used by Linux kernel integrity subsystem (IMA/EVM). It can be also
+used to import keys into the kernel keyring.
+
+%prep
+%autosetup -p1
+
+%build
+autoreconf -fiv
+%configure \
+ --disable-static
+make %{?_smp_mflags}
+
+%install
+%make_install
+# Let do it by ourselves later...
+rm -rf %{buildroot}%{_datadir}/doc
+find %{buildroot} -type f -name "*.la" -delete -print
+
+%check
+make %{?_smp_mflags} check
+
+%post -n %{libname} -p /sbin/ldconfig
+%postun -n %{libname} -p /sbin/ldconfig
+
+%files devel
+%doc examples/*
+%{_includedir}/*
+%{_libdir}/libimaevm.so
+
+%files -n %{libname}
+%doc README NEWS AUTHORS
+%license COPYING
+%{_libdir}/libimaevm.so.%{sover}*
+
+%files -n evmctl
+%{_bindir}/evmctl
+%{_mandir}/man1/evmctl.1%{ext_man}
+
+%changelog
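Review bot: `Source0` is fetched from the GitHub release URL with no detached signature or keyring source next to it, so the only integrity anchor for the 1.5 tarball is the LFS `oid sha256:` pointer committed in this same change; if upstream publishes a detached signature for the release, adding `Source1: %{name}-%{version}.tar.gz.asc` and `Source2: %{name}.keyring` lets the build service verify the tarball independently of this repository. Whether upstream signs its release tarballs is not visible from this page. In the same hunk, `Summary: IMA/EVM control utility libary` misspells "library". The `%configure --disable-static` line leaves the 1.5 options `--disable-engine` and `--enable-sigv1` (named in the changes entry, which also records that the v1 signature format is deprecated) at their upstream defaults without a comment saying that is deliberate; a one-line `# engine/sigv1 left at upstream defaults: <reason>` above `%configure` would record the decision.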