ima digest list ebs sign use file path and check errmsg
(cherry picked from commit ffcebdf4caeb858138a7a064411b686f16bfd206)
This commit is contained in:
zgzxx
openeuler-sync-bot
parent
1d08a28fc1
commit
b271544d5e
@ -7,13 +7,13 @@ Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
|
||||
Signed-off-by: zhangguangzhi <zhangguangzhi3@huawei.com>
|
||||
|
||||
---
|
||||
brp-digest-list | 48 +++++-----
|
||||
brp-ebs-sign | 231 ++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 257 insertions(+), 22 deletions(-)
|
||||
brp-digest-list | 46 +++++-----
|
||||
brp-ebs-sign | 238 ++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 262 insertions(+), 22 deletions(-)
|
||||
create mode 100644 brp-ebs-sign
|
||||
|
||||
diff --git a/brp-digest-list b/brp-digest-list
|
||||
index e698b7a..fe6e75c 100644
|
||||
index e698b7a..d1e2600 100644
|
||||
--- a/brp-digest-list
|
||||
+++ b/brp-digest-list
|
||||
@@ -26,7 +26,6 @@ fi
|
||||
@ -24,7 +24,7 @@ index e698b7a..fe6e75c 100644
|
||||
|
||||
# Generate digest list for the kernel
|
||||
gen_digest_lists -i M: -t metadata -f compact -d $DIGEST_LIST_DIR -i l:policy \
|
||||
@@ -70,28 +69,33 @@ DIGEST_LIST_TLV_PATH="$DIGEST_LIST_DIR.tlv/0-metadata_list-compact_tlv-$(basenam
|
||||
@@ -70,28 +69,31 @@ DIGEST_LIST_TLV_PATH="$DIGEST_LIST_DIR.tlv/0-metadata_list-compact_tlv-$(basenam
|
||||
chmod 644 $DIGEST_LIST_TLV_PATH
|
||||
echo $DIGEST_LIST_TLV_PATH
|
||||
|
||||
@ -50,12 +50,10 @@ index e698b7a..fe6e75c 100644
|
||||
+export PUBLISHER_PORT=$(grep PUBLISHER_PORT /lkp/scheduled/job.yaml | awk '{print $2}')
|
||||
+if [[ -n "$PUBLISHER_HOST" && -n "$PUBLISHER_PORT" ]]; then
|
||||
+ [ -f /usr/lib/rpm/brp-ebs-sign ] || exit 0
|
||||
+ for f in $(ls $DIGEST_LIST_DIR); do
|
||||
+ sh /usr/lib/rpm/brp-ebs-sign --ima-digestlist $DIGEST_LIST_DIR/$f 1>&2
|
||||
+ [ -f $DIGEST_LIST_DIR/$f.sig ] || exit 0
|
||||
+ chmod 644 $DIGEST_LIST_DIR/$f.sig
|
||||
+ mv $DIGEST_LIST_DIR/$f.sig $DIGEST_LIST_DIR/$f
|
||||
+ done
|
||||
+ sh /usr/lib/rpm/brp-ebs-sign --ima-digestlist $DIGEST_LIST_PATH 1>&2
|
||||
+ [ -f $DIGEST_LIST_PATH.sig ] || exit 0
|
||||
+ chmod 644 $DIGEST_LIST_PATH.sig
|
||||
+ mv $DIGEST_LIST_PATH.sig $DIGEST_LIST_PATH
|
||||
+ exit 0
|
||||
+fi
|
||||
|
||||
@ -81,10 +79,10 @@ index e698b7a..fe6e75c 100644
|
||||
+#fi
|
||||
diff --git a/brp-ebs-sign b/brp-ebs-sign
|
||||
new file mode 100644
|
||||
index 0000000..57e208b
|
||||
index 0000000..a7a83e5
|
||||
--- /dev/null
|
||||
+++ b/brp-ebs-sign
|
||||
@@ -0,0 +1,231 @@
|
||||
@@ -0,0 +1,238 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+INPUT_TYPE=$1
|
||||
@ -101,6 +99,7 @@ index 0000000..57e208b
|
||||
+POST_OS_ORIJECT=""
|
||||
+CONFIG_RETEST_COUNT=5
|
||||
+SIGN_RESULT=0
|
||||
+FAILED_SIGN_PERMISSION_DENIED=2
|
||||
+
|
||||
+# Tool functions for JSON
|
||||
+get_json_value(){
|
||||
@ -145,7 +144,6 @@ index 0000000..57e208b
|
||||
+}
|
||||
+
|
||||
+efi_sign_pre() {
|
||||
+ # TODO
|
||||
+ SIGN_FILE="$INPUT_FILE"
|
||||
+ POST_KEY_NAME="default-x509ee"
|
||||
+ POST_KEY_TYPE="x509ee"
|
||||
@ -154,7 +152,6 @@ index 0000000..57e208b
|
||||
+}
|
||||
+
|
||||
+kernel_sign_pre() {
|
||||
+ # TODO
|
||||
+ SIGN_FILE="$INPUT_FILE"
|
||||
+ POST_KEY_NAME="default-x509ee"
|
||||
+ POST_KEY_TYPE="x509ee"
|
||||
@ -252,6 +249,9 @@ index 0000000..57e208b
|
||||
+ req_err_msg=$(get_json_value "$req" "err_msg")
|
||||
+ if [ -n "$req_err_msg" ]; then
|
||||
+ echo "Failed, err_msg: [$req_err_msg]"
|
||||
+ if [ "$req_err_msg" == "SIGN_PERMISSION_DENIED" ]; then
|
||||
+ return $FAILED_SIGN_PERMISSION_DENIED
|
||||
+ fi
|
||||
+ return 1
|
||||
+ fi
|
||||
+
|
||||
@ -303,9 +303,14 @@ index 0000000..57e208b
|
||||
+
|
||||
+for ((i=1; i<=$CONFIG_RETEST_COUNT; i++)); do
|
||||
+ sign
|
||||
+ if [ $? -eq 0 ]; then
|
||||
+ ret_sign=$?
|
||||
+ if [ $ret_sign -eq 0 ]; then
|
||||
+ echo "Succeed to sign file"
|
||||
+ break;
|
||||
+ elif [ $ret_sign -eq $FAILED_SIGN_PERMISSION_DENIED ]; then
|
||||
+ echo "Failed to sign file, permission denied"
|
||||
+ SIGN_RESULT=1
|
||||
+ break;
|
||||
+ elif [ $i -ne $CONFIG_RETEST_COUNT ]; then
|
||||
+ echo "Failed to sign file, try again"
|
||||
+ elif [ $i -eq $CONFIG_RETEST_COUNT ]; then
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
|
||||
Name: %{vendor}-rpm-config
|
||||
Version: 30
|
||||
Release: 52
|
||||
Release: 53
|
||||
License: GPL+
|
||||
Summary: specific rpm configuration files
|
||||
URL: https://gitee.com/openeuler/openEuler-rpm-config
|
||||
@ -149,6 +149,9 @@ sed -i "s/__vendor/%{vendor}/g" `grep "__vendor" -rl %{buildroot}%{_rpmconfigdir
|
||||
%{rpmvdir}/find-requires.ksyms
|
||||
|
||||
%changelog
|
||||
* Fri Mar 29 2024 zhangguangzhi <zhangguangzhi3@huawei.com> - 30-53
|
||||
- ima digest list ebs sign use file path and check errmsg
|
||||
|
||||
* Fri Mar 22 2024 zhangguangzhi <zhangguangzhi3@huawei.com> - 30-52
|
||||
- ima digest list ebs sign support modsig
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user