!208 [sync] PR-207: ima digest list ebs sign use file path and check errmsg

From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee, @xujing99 
Signed-off-by: @xujing99
openeuler-ci-bot 2024-03-29 09:52:53 +00:00 committed by Gitee
commit bf1a280e0d
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 25 additions and 17 deletions


@ -7,13 +7,13 @@ Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
Signed-off-by: zhangguangzhi <zhangguangzhi3@huawei.com> Signed-off-by: zhangguangzhi <zhangguangzhi3@huawei.com>
--- ---
brp-digest-list | 48 +++++----- brp-digest-list | 46 +++++-----
brp-ebs-sign | 231 ++++++++++++++++++++++++++++++++++++++++++++++++ brp-ebs-sign | 238 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 257 insertions(+), 22 deletions(-) 2 files changed, 262 insertions(+), 22 deletions(-)
create mode 100644 brp-ebs-sign create mode 100644 brp-ebs-sign
diff --git a/brp-digest-list b/brp-digest-list diff --git a/brp-digest-list b/brp-digest-list
index e698b7a..fe6e75c 100644 index e698b7a..d1e2600 100644
--- a/brp-digest-list --- a/brp-digest-list
+++ b/brp-digest-list +++ b/brp-digest-list
@@ -26,7 +26,6 @@ fi @@ -26,7 +26,6 @@ fi
@ -24,7 +24,7 @@ index e698b7a..fe6e75c 100644
# Generate digest list for the kernel # Generate digest list for the kernel
gen_digest_lists -i M: -t metadata -f compact -d $DIGEST_LIST_DIR -i l:policy \ gen_digest_lists -i M: -t metadata -f compact -d $DIGEST_LIST_DIR -i l:policy \
@@ -70,28 +69,33 @@ DIGEST_LIST_TLV_PATH="$DIGEST_LIST_DIR.tlv/0-metadata_list-compact_tlv-$(basenam @@ -70,28 +69,31 @@ DIGEST_LIST_TLV_PATH="$DIGEST_LIST_DIR.tlv/0-metadata_list-compact_tlv-$(basenam
chmod 644 $DIGEST_LIST_TLV_PATH chmod 644 $DIGEST_LIST_TLV_PATH
echo $DIGEST_LIST_TLV_PATH echo $DIGEST_LIST_TLV_PATH
@ -50,12 +50,10 @@ index e698b7a..fe6e75c 100644
+export PUBLISHER_PORT=$(grep PUBLISHER_PORT /lkp/scheduled/job.yaml | awk '{print $2}') +export PUBLISHER_PORT=$(grep PUBLISHER_PORT /lkp/scheduled/job.yaml | awk '{print $2}')
+if [[ -n "$PUBLISHER_HOST" && -n "$PUBLISHER_PORT" ]]; then +if [[ -n "$PUBLISHER_HOST" && -n "$PUBLISHER_PORT" ]]; then
+ [ -f /usr/lib/rpm/brp-ebs-sign ] || exit 0 + [ -f /usr/lib/rpm/brp-ebs-sign ] || exit 0
+ for f in $(ls $DIGEST_LIST_DIR); do + sh /usr/lib/rpm/brp-ebs-sign --ima-digestlist $DIGEST_LIST_PATH 1>&2
+ sh /usr/lib/rpm/brp-ebs-sign --ima-digestlist $DIGEST_LIST_DIR/$f 1>&2 + [ -f $DIGEST_LIST_PATH.sig ] || exit 0
+ [ -f $DIGEST_LIST_DIR/$f.sig ] || exit 0 + chmod 644 $DIGEST_LIST_PATH.sig
+ chmod 644 $DIGEST_LIST_DIR/$f.sig + mv $DIGEST_LIST_PATH.sig $DIGEST_LIST_PATH
+ mv $DIGEST_LIST_DIR/$f.sig $DIGEST_LIST_DIR/$f
+ done
+ exit 0 + exit 0
+fi +fi
@ -81,10 +79,10 @@ index e698b7a..fe6e75c 100644
+#fi +#fi
diff --git a/brp-ebs-sign b/brp-ebs-sign diff --git a/brp-ebs-sign b/brp-ebs-sign
new file mode 100644 new file mode 100644
index 0000000..57e208b index 0000000..a7a83e5
--- /dev/null --- /dev/null
+++ b/brp-ebs-sign +++ b/brp-ebs-sign
@@ -0,0 +1,231 @@ @@ -0,0 +1,238 @@
+#!/bin/bash +#!/bin/bash
+ +
+INPUT_TYPE=$1 +INPUT_TYPE=$1
@ -101,6 +99,7 @@ index 0000000..57e208b
+POST_OS_ORIJECT="" +POST_OS_ORIJECT=""
+CONFIG_RETEST_COUNT=5 +CONFIG_RETEST_COUNT=5
+SIGN_RESULT=0 +SIGN_RESULT=0
+FAILED_SIGN_PERMISSION_DENIED=2
+ +
+# Tool functions for JSON +# Tool functions for JSON
+get_json_value(){ +get_json_value(){
@ -145,7 +144,6 @@ index 0000000..57e208b
+} +}
+ +
+efi_sign_pre() { +efi_sign_pre() {
+ # TODO
+ SIGN_FILE="$INPUT_FILE" + SIGN_FILE="$INPUT_FILE"
+ POST_KEY_NAME="default-x509ee" + POST_KEY_NAME="default-x509ee"
+ POST_KEY_TYPE="x509ee" + POST_KEY_TYPE="x509ee"
@ -154,7 +152,6 @@ index 0000000..57e208b
+} +}
+ +
+kernel_sign_pre() { +kernel_sign_pre() {
+ # TODO
+ SIGN_FILE="$INPUT_FILE" + SIGN_FILE="$INPUT_FILE"
+ POST_KEY_NAME="default-x509ee" + POST_KEY_NAME="default-x509ee"
+ POST_KEY_TYPE="x509ee" + POST_KEY_TYPE="x509ee"
@ -252,6 +249,9 @@ index 0000000..57e208b
+ req_err_msg=$(get_json_value "$req" "err_msg") + req_err_msg=$(get_json_value "$req" "err_msg")
+ if [ -n "$req_err_msg" ]; then + if [ -n "$req_err_msg" ]; then
+ echo "Failed, err_msg: [$req_err_msg]" + echo "Failed, err_msg: [$req_err_msg]"
+ if [ "$req_err_msg" == "SIGN_PERMISSION_DENIED" ]; then
+ return $FAILED_SIGN_PERMISSION_DENIED
+ fi
+ return 1 + return 1
+ fi + fi
+ +
@ -303,9 +303,14 @@ index 0000000..57e208b
+ +
+for ((i=1; i<=$CONFIG_RETEST_COUNT; i++)); do +for ((i=1; i<=$CONFIG_RETEST_COUNT; i++)); do
+ sign + sign
+ if [ $? -eq 0 ]; then + ret_sign=$?
+ if [ $ret_sign -eq 0 ]; then
+ echo "Succeed to sign file" + echo "Succeed to sign file"
+ break; + break;
+ elif [ $ret_sign -eq $FAILED_SIGN_PERMISSION_DENIED ]; then
+ echo "Failed to sign file, permission denied"
+ SIGN_RESULT=1
+ break;
+ elif [ $i -ne $CONFIG_RETEST_COUNT ]; then + elif [ $i -ne $CONFIG_RETEST_COUNT ]; then
+ echo "Failed to sign file, try again" + echo "Failed to sign file, try again"
+ elif [ $i -eq $CONFIG_RETEST_COUNT ]; then + elif [ $i -eq $CONFIG_RETEST_COUNT ]; then
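Review bot: In the new brp-digest-list lines, the exit status of `sh /usr/lib/rpm/brp-ebs-sign --ima-digestlist $DIGEST_LIST_PATH 1>&2` is never checked and a missing `$DIGEST_LIST_PATH.sig` turns into `exit 0`, so a failed or denied signing (the case the brp-ebs-sign hunk now distinguishes via FAILED_SIGN_PERMISSION_DENIED and SIGN_RESULT=1) leaves the unsigned digest list in the package without any diagnostic. Whether that should fail the build is a policy choice this hunk cannot settle, but the outcome should at least be visible in the build log: `sh /usr/lib/rpm/brp-ebs-sign --ima-digestlist "$DIGEST_LIST_PATH" 1>&2 || echo "brp-digest-list: signing $DIGEST_LIST_PATH failed (status $?)" >&2` and `[ -f "$DIGEST_LIST_PATH.sig" ] || { echo "brp-digest-list: no signature for $DIGEST_LIST_PATH, packaging unsigned" >&2; exit 0; }`. The `chmod` and the `mv` that replaces the digest list with its signed copy also rely on the path containing no whitespace; quoting `"$DIGEST_LIST_PATH"` on all four new lines removes that assumption. The enclosing `if [[ -n "$PUBLISHER_HOST" ...` block is cut by the hunk, so the rest of brp-digest-list's handling is not visible here.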


@ -3,7 +3,7 @@
Name: %{vendor}-rpm-config Name: %{vendor}-rpm-config
Version: 30 Version: 30
Release: 52 Release: 53
License: GPL+ License: GPL+
Summary: specific rpm configuration files Summary: specific rpm configuration files
URL: https://gitee.com/openeuler/openEuler-rpm-config URL: https://gitee.com/openeuler/openEuler-rpm-config
@ -149,6 +149,9 @@ sed -i "s/__vendor/%{vendor}/g" `grep "__vendor" -rl %{buildroot}%{_rpmconfigdir
%{rpmvdir}/find-requires.ksyms %{rpmvdir}/find-requires.ksyms
%changelog %changelog
* Fri Mar 29 2024 zhangguangzhi <zhangguangzhi3@huawei.com> - 30-53
- ima digest list ebs sign use file path and check errmsg
* Fri Mar 22 2024 zhangguangzhi <zhangguangzhi3@huawei.com> - 30-52 * Fri Mar 22 2024 zhangguangzhi <zhangguangzhi3@huawei.com> - 30-52
- ima digest list ebs sign support modsig - ima digest list ebs sign support modsig