Merge pull request #115 from lumag/master

Several updates and additional patch for grub-efi MOK2 support
This commit is contained in:
Jia Zhang
2019-09-04 20:01:13 +08:00
committed by GitHub
11 changed files with 89 additions and 315 deletions
@@ -19,6 +19,7 @@ SRC_URI += "\
file://efi-chainloader-implemented-for-32-bit.patch \
file://Grub-get-and-set-efi-variables.patch \
file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
file://mok2verify-multiboot.patch \
file://grub-efi.cfg \
file://boot-menu.inc \
${EXTRA_SRC_URI} \
@@ -0,0 +1,54 @@
Index: grub-2.02/grub-core/loader/multiboot.c
===================================================================
--- grub-2.02.orig/grub-core/loader/multiboot.c
+++ grub-2.02/grub-core/loader/multiboot.c
@@ -47,6 +47,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
#ifdef GRUB_MACHINE_EFI
#include <grub/efi/efi.h>
+#include <grub/efi/mok2verify.h>
#endif
struct grub_relocator *GRUB_MULTIBOOT (relocator) = NULL;
@@ -325,6 +326,20 @@ grub_cmd_multiboot (grub_command_t cmd _
if (! file)
return grub_errno;
+#if GRUB_MACHINE_EFI
+ err = grub_verify_file (argv[0]);
+ if (err != GRUB_ERR_NONE)
+ {
+ grub_error(err, N_("Failed to verify module %s"), argv[0]);
+
+ /* An unauthenticated module always causes a complete boot failure. */
+ if (grub_is_secured () == 1)
+ grub_loader_unset();
+
+ return err;
+ }
+#endif
+
grub_dl_ref (my_mod);
/* Skip filename. */
@@ -379,6 +394,20 @@ grub_cmd_module (grub_command_t cmd __at
if (! file)
return grub_errno;
+#if GRUB_MACHINE_EFI
+ err = grub_verify_file (argv[0]);
+ if (err != GRUB_ERR_NONE)
+ {
+ grub_error(err, N_("Failed to verify module %s"), argv[0]);
+
+ /* An unauthenticated module always causes a complete boot failure. */
+ if (grub_is_secured () == 1)
+ grub_loader_unset();
+
+ return err;
+ }
+#endif
+
#ifndef GRUB_USE_MULTIBOOT2
lowest_addr = 0x100000;
if (grub_multiboot_quirks & GRUB_MULTIBOOT_QUIRK_MODULES_AFTER_KERNEL)
@@ -14,15 +14,15 @@ diff --git a/src/Makefile.am b/src/Makefile.am
index deb18fb..aa8f666 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -9,7 +9,7 @@ libimaevm_la_LIBADD = $(OPENSSL_LIBS)
include_HEADERS = imaevm.h
@@ -15,7 +15,7 @@ EXTRA_DIST = hash_info.gen
hash_info.h: Makefile
$(srcdir)/hash_info.gen $(KERNEL_HEADERS) >$@
-bin_PROGRAMS = evmctl
+sbin_PROGRAMS = evmctl
evmctl_SOURCES = evmctl.c
evmctl_CPPFLAGS = $(OPENSSL_CFLAGS)
evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
--
2.7.4
@@ -1,299 +0,0 @@
From 61595d2d4eb9d6855680ea2f6d74492a4b7a553f Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Wed, 16 Aug 2017 14:32:03 +0800
Subject: [PATCH] Fix the build failure with openssl-1.1.x
- Clean up the opaqu EVP_MD_CTX and RSA.
- Similarly, HMAC_CTX is also opaqu. Note that there is no dynamic
allocation function like HMAC_CTX_create|new() available in 1.0.x.
- HMAC_CTX_cleanup() is replaced by HMAC_CTX_reset().
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
src/evmctl.c | 79 +++++++++++++++++++++++++++++++++++++++++----------------
src/libimaevm.c | 54 +++++++++++++++++++++++++--------------
2 files changed, 92 insertions(+), 41 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index c54efbb..9156bcb 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -314,7 +314,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
struct stat st;
int err;
uint32_t generation = 0;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
unsigned int mdlen;
char **xattrname;
char xattr_value[1024];
@@ -366,10 +366,17 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
return -1;
}
- err = EVP_DigestInit(&ctx, EVP_sha1());
+ ctx = EVP_MD_CTX_create();
+ if (!ctx) {
+ log_err("EVP_MD_CTX_create() failed\n");
+ return -1;
+ }
+
+ err = EVP_DigestInit(ctx, EVP_sha1());
if (!err) {
log_err("EVP_DigestInit() failed\n");
- return 1;
+ err = 1;
+ goto out;
}
for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
@@ -398,10 +405,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
/*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/
log_info("name: %s, size: %d\n", *xattrname, err);
log_debug_dump(xattr_value, err);
- err = EVP_DigestUpdate(&ctx, xattr_value, err);
+ err = EVP_DigestUpdate(ctx, xattr_value, err);
if (!err) {
log_err("EVP_DigestUpdate() failed\n");
- return 1;
+ err = 1;
+ goto out;
}
}
@@ -446,31 +454,38 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
log_debug("hmac_misc (%d): ", hmac_size);
log_debug_dump(&hmac_misc, hmac_size);
- err = EVP_DigestUpdate(&ctx, &hmac_misc, hmac_size);
+ err = EVP_DigestUpdate(ctx, &hmac_misc, hmac_size);
if (!err) {
log_err("EVP_DigestUpdate() failed\n");
- return 1;
+ err = 1;
+ goto out;
}
if (!evm_immutable && !(hmac_flags & HMAC_FLAG_NO_UUID)) {
err = get_uuid(&st, uuid);
- if (err)
- return -1;
+ if (err) {
+ err = -1;
+ goto out;
+ }
- err = EVP_DigestUpdate(&ctx, (const unsigned char *)uuid, sizeof(uuid));
+ err = EVP_DigestUpdate(ctx, (const unsigned char *)uuid, sizeof(uuid));
if (!err) {
log_err("EVP_DigestUpdate() failed\n");
- return 1;
+ err = 1;
+ goto out;
}
}
- err = EVP_DigestFinal(&ctx, hash, &mdlen);
- if (!err) {
+ if (!EVP_DigestFinal(ctx, hash, &mdlen)) {
log_err("EVP_DigestFinal() failed\n");
- return 1;
- }
+ err = 1;
+ } else
+ err = 0;
+
+out:
+ EVP_MD_CTX_destroy(ctx);
- return mdlen;
+ return err ?: mdlen;
}
static int sign_evm(const char *file, const char *key)
@@ -908,7 +923,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
struct stat st;
int err = -1;
uint32_t generation = 0;
- HMAC_CTX ctx;
+ HMAC_CTX *ctx = NULL;
unsigned int mdlen;
char **xattrname;
unsigned char xattr_value[1024];
@@ -965,7 +980,17 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
goto out;
}
- err = !HMAC_Init(&ctx, evmkey, sizeof(evmkey), EVP_sha1());
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ ctx = malloc(sizeof(*ctx));
+#else
+ ctx = HMAC_CTX_new();
+#endif
+ if (!ctx) {
+ log_err("HMAC_CTX_new() failed\n");
+ goto out;
+ }
+
+ err = !HMAC_Init(ctx, evmkey, sizeof(evmkey), EVP_sha1());
if (err) {
log_err("HMAC_Init() failed\n");
goto out;
@@ -984,7 +1009,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
/*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/
log_info("name: %s, size: %d\n", *xattrname, err);
log_debug_dump(xattr_value, err);
- err = !HMAC_Update(&ctx, xattr_value, err);
+ err = !HMAC_Update(ctx, xattr_value, err);
if (err) {
log_err("HMAC_Update() failed\n");
goto out_ctx_cleanup;
@@ -1025,17 +1050,27 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
log_debug("hmac_misc (%d): ", hmac_size);
log_debug_dump(&hmac_misc, hmac_size);
- err = !HMAC_Update(&ctx, (const unsigned char *)&hmac_misc, hmac_size);
+ err = !HMAC_Update(ctx, (const unsigned char *)&hmac_misc, hmac_size);
if (err) {
log_err("HMAC_Update() failed\n");
goto out_ctx_cleanup;
}
- err = !HMAC_Final(&ctx, hash, &mdlen);
+ err = !HMAC_Final(ctx, hash, &mdlen);
if (err)
log_err("HMAC_Final() failed\n");
out_ctx_cleanup:
- HMAC_CTX_cleanup(&ctx);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ HMAC_CTX_cleanup(ctx);
+#else
+ HMAC_CTX_reset(ctx);
+#endif
out:
+ if (ctx)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ free(ctx);
+#else
+ HMAC_CTX_free(ctx);
+#endif
free(key);
return err ?: mdlen;
}
diff --git a/src/libimaevm.c b/src/libimaevm.c
index eedffb4..3f23cac 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -271,7 +271,7 @@ int ima_calc_hash(const char *file, uint8_t *hash)
{
const EVP_MD *md;
struct stat st;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
unsigned int mdlen;
int err;
@@ -288,41 +288,50 @@ int ima_calc_hash(const char *file, uint8_t *hash)
return 1;
}
- err = EVP_DigestInit(&ctx, md);
+ ctx = EVP_MD_CTX_create();
+ if (!ctx) {
+ log_err("EVP_MD_CTX_create() failed\n");
+ return 1;
+ }
+
+ err = EVP_DigestInit(ctx, md);
if (!err) {
log_err("EVP_DigestInit() failed\n");
- return 1;
+ err = 1;
+ goto out;
}
switch (st.st_mode & S_IFMT) {
case S_IFREG:
- err = add_file_hash(file, &ctx);
+ err = add_file_hash(file, ctx);
break;
case S_IFDIR:
- err = add_dir_hash(file, &ctx);
+ err = add_dir_hash(file, ctx);
break;
case S_IFLNK:
- err = add_link_hash(file, &ctx);
+ err = add_link_hash(file, ctx);
break;
case S_IFIFO: case S_IFSOCK:
case S_IFCHR: case S_IFBLK:
- err = add_dev_hash(&st, &ctx);
+ err = add_dev_hash(&st, ctx);
break;
default:
log_errno("Unsupported file type");
- return -1;
+ err = -1;
}
if (err)
- return err;
+ goto out;
- err = EVP_DigestFinal(&ctx, hash, &mdlen);
- if (!err) {
+ if (!EVP_DigestFinal(ctx, hash, &mdlen)) {
log_err("EVP_DigestFinal() failed\n");
- return 1;
+ err = 1;
}
- return mdlen;
+out:
+ EVP_MD_CTX_destroy(ctx);
+
+ return err ?: mdlen;
}
RSA *read_pub_key(const char *keyfile, int x509)
@@ -549,6 +558,7 @@ int key2bin(RSA *key, unsigned char *pub)
{
int len, b, offset = 0;
struct pubkey_hdr *pkh = (struct pubkey_hdr *)pub;
+ BIGNUM *n, *e;
/* add key header */
pkh->version = 1;
@@ -558,18 +568,24 @@ int key2bin(RSA *key, unsigned char *pub)
offset += sizeof(*pkh);
- len = BN_num_bytes(key->n);
- b = BN_num_bits(key->n);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ n = key->n;
+ e = key->e;
+#else
+ RSA_get0_key(key, (const BIGNUM **)&n, (const BIGNUM **)&e, NULL);
+#endif
+ len = BN_num_bytes(n);
+ b = BN_num_bits(n);
pub[offset++] = b >> 8;
pub[offset++] = b & 0xff;
- BN_bn2bin(key->n, &pub[offset]);
+ BN_bn2bin(n, &pub[offset]);
offset += len;
- len = BN_num_bytes(key->e);
- b = BN_num_bits(key->e);
+ len = BN_num_bytes(e);
+ b = BN_num_bits(e);
pub[offset++] = b >> 8;
pub[offset++] = b & 0xff;
- BN_bn2bin(key->e, &pub[offset]);
+ BN_bn2bin(e, &pub[offset]);
offset += len;
return offset;
--
2.7.5
@@ -3,16 +3,15 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
DEPENDS += "openssl attr keyutils"
PV = "1.0+git${SRCPV}"
PV = "1.2.1+git${SRCPV}"
SRC_URI = "\
git://git.code.sf.net/p/linux-ima/ima-evm-utils \
git://git.code.sf.net/p/linux-ima/ima-evm-utils;branch=ima-evm-utils-1.2.y \
file://0001-Don-t-build-man-pages.patch \
file://0001-Install-evmctl-to-sbindir-rather-than-bindir.patch \
file://Fix-the-build-failure-with-openssl-1.1.x.patch \
file://0001-ima-evm-utils-include-sys-types.h-in-header-to-fix-b.patch \
"
SRCREV = "3e2a67bdb0673581a97506262e62db098efef6d7"
SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e"
S = "${WORKDIR}/git"
@@ -0,0 +1,13 @@
Index: git/configure.ac
===================================================================
--- git.orig/configure.ac
+++ git/configure.ac
@@ -9,7 +9,7 @@ AM_INIT_AUTOMAKE([foreign subdir-objects
AC_CONFIG_FILES([Makefile])
PKG_CHECK_MODULES([TCLAP], [tclap])
-AC_SEARCH_LIBS([do_dump], [imaevm], [], [
+AC_SEARCH_LIBS([imaevm_do_hexdump], [imaevm], [], [
AC_MSG_ERROR([unable to find libimaevm, you need ima-evm-utils-devel or similar package])
])
@@ -3,7 +3,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a23a74b3f4caf9616230789d94217acb"
DEPENDS += "attr ima-evm-utils tclap"
SRC_URI = "git://github.com/mgerstner/ima-inspect.git"
SRC_URI = " \
git://github.com/mgerstner/ima-inspect.git \
file://fix-new-imaevm.patch \
"
SRCREV = "e912be2d2a9fdf30a9693a7fc5d6b2473990a71c"
S = "${WORKDIR}/git"
@@ -3,7 +3,7 @@ include ${BPN}.inc
SRC_URI = "\
https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
"
SRC_URI[md5sum] = "ad9e856c4cbd8a19eb205d74ab635adc"
SRC_URI[sha256sum] = "c7f0cdca51ef2006503f60c462b6d183c9b9dc038f4c3f74a89c111088fed8aa"
SRC_URI[md5sum] = "af389756402fa26aa3f08aa4abfc5d88"
SRC_URI[sha256sum] = "ad79ee83e2d4b34302e8883eaf313b27dbfabfd9cbc8ebcd95cf78fa097aef14"
S = "${WORKDIR}/${BPN}-${PV}"
@@ -16,6 +16,8 @@ inherit autotools pkgconfig
EXTRA_OECONF += " \
--with-udevrulesdir=${sysconfdir}/udev/rules.d \
--with-crypto=gcrypt \
--disable-doxygen-doc \
"
PACKAGES = " \
@@ -19,7 +19,7 @@ diff --git a/Makefile.am b/Makefile.am
index d78d23f..7815c4b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -42,7 +42,13 @@ noinst_PROGRAMS =
@@ -19,7 +19,13 @@ noinst_PROGRAMS =
### Add ax_* rules ###
# ax_code_coverage
@@ -37,8 +37,8 @@ diff --git a/configure.ac b/configure.ac
index c8aa314..40883a8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -206,6 +206,9 @@ DX_INIT_DOXYGEN($PACKAGE_NAME, [Doxyfile], [doc/doxygen])
AM_CONDITIONAL(DOXYMAN, [test $DX_FLAG_man -eq 1])
@@ -312,6 +312,9 @@ AS_IF([test "x$enable_doxygen_doc" != xn
[ERROR_IF_NO_PROG([doxygen])])
AX_CODE_COVERAGE
+m4_ifdef([_AX_CODE_COVERAGE_RULES],
@@ -1,10 +1,11 @@
include ${BPN}.inc
LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
file://0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch \
"
SRC_URI[md5sum] = "048ea77be36f881b7b6ecefbc1cf7dbd"
SRC_URI[sha256sum] = "7dfd05f7d2c4d5339d1c9ecbdba25f4ea6df70e96b09928e15e0560cce02d525"
SRC_URI[md5sum] = "593873bb023a0f8bcb93d12bc6640918"
SRC_URI[sha256sum] = "1369aee648b33128b9ee8e3ad87f5fc6dc37c2077b9f134223ea04f4809a99c3"
S = "${WORKDIR}/${BPN}-${PV}"