packages/openEuler-rpm-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!204 [sync] PR-199: ima digest list ebs sign support modsig

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @licunlong 
Signed-off-by: @licunlong
This commit is contained in:
openeuler-ci-bot 2024-03-22 07:59:44 +00:00 committed by Gitee
commit 1d08a28fc1
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 293 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

319
Feature-support-EBS-sign-for-IMA-digest-list.patch
View File

@ -4,79 +4,318 @@ Date: Mon, 12 Dec 2022 00:16:01 +0800
Subject: [PATCH] support EBS sign for IMA digest list Subject: [PATCH] support EBS sign for IMA digest list
Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com> Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
Signed-off-by: zhangguangzhi <zhangguangzhi3@huawei.com>
--- ---
brp-digest-list | 16 ++++++++++++++++ brp-digest-list | 48 +++++-----
brp-ebs-sign | 34 ++++++++++++++++++++++++++++++++++ brp-ebs-sign | 231 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+) 2 files changed, 257 insertions(+), 22 deletions(-)
create mode 100644 brp-ebs-sign create mode 100644 brp-ebs-sign
diff --git a/brp-digest-list b/brp-digest-list diff --git a/brp-digest-list b/brp-digest-list
index e698b7a..9ec50a2 100644 index e698b7a..fe6e75c 100644
--- a/brp-digest-list --- a/brp-digest-list
+++ b/brp-digest-list +++ b/brp-digest-list
@@ -84,6 +84,22 @@ if [[ "$(basename $BIN_PKG_FILES)" =~ "digest-list-tools" && \ @@ -26,7 +26,6 @@ fi
chmod 644 $f DIGEST_LIST_DIR=$RPM_BUILD_ROOT/$2/etc/ima/digest_lists
echo $f mkdir -p $DIGEST_LIST_DIR
mkdir -p $DIGEST_LIST_DIR.tlv
-mkdir -p $DIGEST_LIST_DIR.sig
# Generate digest list for the kernel
gen_digest_lists -i M: -t metadata -f compact -d $DIGEST_LIST_DIR -i l:policy \
@@ -70,28 +69,33 @@ DIGEST_LIST_TLV_PATH="$DIGEST_LIST_DIR.tlv/0-metadata_list-compact_tlv-$(basenam
chmod 644 $DIGEST_LIST_TLV_PATH
echo $DIGEST_LIST_TLV_PATH
-if [[ "$(basename $BIN_PKG_FILES)" =~ "digest-list-tools" && \
- ! $(basename $BIN_PKG_FILES) =~ "debug" ]]; then
- # Generate digest list for the user space parsers
- LD_LIBRARY_PATH=$RPM_BUILD_ROOT/usr/lib64 \
- $RPM_BUILD_ROOT/usr/bin/gen_digest_lists \
- -d $DIGEST_LIST_DIR -t parser -f compact -m immutable \
- -i I:$RPM_BUILD_ROOT/usr/libexec -o add -p -1 -i i:
-
- f="$DIGEST_LIST_DIR/0-parser_list-compact-libexec"
- [ -f $f ] || exit 0
-
- chmod 644 $f
- echo $f
+#if [[ "$(basename $BIN_PKG_FILES)" =~ "digest-list-tools" && \
+# ! $(basename $BIN_PKG_FILES) =~ "debug" ]]; then
+# Generate digest list for the user space parsers
+
+# do EBS sign +# do EBS sign
+export PUBLISHER_HOST=$(grep PUBLISHER_HOST /lkp/scheduled/job.yaml | awk '{print $2}') +export PUBLISHER_HOST=$(grep PUBLISHER_HOST /lkp/scheduled/job.yaml | awk '{print $2}')
+export PUBLISHER_PORT=$(grep PUBLISHER_PORT /lkp/scheduled/job.yaml | awk '{print $2}') +export PUBLISHER_PORT=$(grep PUBLISHER_PORT /lkp/scheduled/job.yaml | awk '{print $2}')
+if [[ -n "$PUBLISHER_HOST" && -n "$PUBLISHER_PORT" ]]; then +if [[ -n "$PUBLISHER_HOST" && -n "$PUBLISHER_PORT" ]]; then
+ [ -f /usr/lib/rpm/brp-ebs-sign ] || exit 0 + [ -f /usr/lib/rpm/brp-ebs-sign ] || exit 0
+ for f in $(ls $DIGEST_LIST_DIR); do + for f in $(ls $DIGEST_LIST_DIR); do
+ sh /usr/lib/rpm/brp-ebs-sign $DIGEST_LIST_DIR/$f &> /dev/null + sh /usr/lib/rpm/brp-ebs-sign --ima-digestlist $DIGEST_LIST_DIR/$f 1>&2
+ [ -f $DIGEST_LIST_DIR/$f.sig ] || exit 0 + [ -f $DIGEST_LIST_DIR/$f.sig ] || exit 0
+ chmod 644 $DIGEST_LIST_DIR/$f.sig + chmod 644 $DIGEST_LIST_DIR/$f.sig
+ mv $DIGEST_LIST_DIR/$f.sig $DIGEST_LIST_DIR.sig/$f.sig + mv $DIGEST_LIST_DIR/$f.sig $DIGEST_LIST_DIR/$f
+ echo $DIGEST_LIST_DIR.sig/$f.sig
+ done + done
+ exit 0 + exit 0
+fi +fi
+
+ # do OBS sign
[ -f /usr/lib/rpm/brp-suse.d/brp-99-pesign ] || exit 0
export BRP_PESIGN_FILES="$2/etc/ima/digest_lists/*" - [ -f /usr/lib/rpm/brp-suse.d/brp-99-pesign ] || exit 0
+# do OBS sign
+[ -f /usr/lib/rpm/brp-suse.d/brp-99-pesign ] || exit 0
- export BRP_PESIGN_FILES="$2/etc/ima/digest_lists/*"
- export RPM_BUILD_ROOT
- export RPM_PACKAGE_NAME="digest-list-tools"
- export RPM_SOURCE_DIR="$(rpm --eval %_topdir)/SOURCES"
+export BRP_PESIGN_FILES="$2/etc/ima/digest_lists/*"
+export RPM_BUILD_ROOT
+export RPM_PACKAGE_NAME="digest-list-tools"
+export RPM_SOURCE_DIR="$(rpm --eval %_topdir)/SOURCES"
- if [ -f "/usr/lib/rpm/brp-suse.d/brp-99-pesign" ]; then
- /usr/lib/rpm/brp-suse.d/brp-99-pesign &> /dev/null
- fi
+if [ -f "/usr/lib/rpm/brp-suse.d/brp-99-pesign" ]; then
+ /usr/lib/rpm/brp-suse.d/brp-99-pesign &> /dev/null
fi
+#fi
diff --git a/brp-ebs-sign b/brp-ebs-sign diff --git a/brp-ebs-sign b/brp-ebs-sign
new file mode 100644 new file mode 100644
index 0000000..662a9f7 index 0000000..57e208b
--- /dev/null --- /dev/null
+++ b/brp-ebs-sign +++ b/brp-ebs-sign
@@ -0,0 +1,34 @@ @@ -0,0 +1,231 @@
+#!/bin/bash +#!/bin/bash
+ +
+# config +INPUT_TYPE=$1
+PUBLISHER_ADDR="http://${PUBLISHER_HOST}:${PUBLISHER_PORT}/sign-files" +INPUT_FILE=$2
+POST_KEY_BASE64="encoded_file_content" +SIGN_FILE=$INPUT_FILE
+POST_KEY_MD5="file_md5" +PROJECT_CONF="/lkp/scheduled/job.yaml"
+REQ_KEY_BASE64="signed_file_content" +POST_ADDR=""
+REQ_KEY_MD5="signed_file_md5" +POST_FILE_SHA256=""
+POST_KEY_NAME=""
+POST_KEY_TYPE=""
+POST_FILE_TYPE=""
+POST_SIGN_TYPE=""
+POST_JOB_ID=""
+POST_OS_ORIJECT=""
+CONFIG_RETEST_COUNT=5
+SIGN_RESULT=0
+ +
+# function definition +# Tool functions for JSON
+get_json_value(){ +get_json_value(){
+ echo "$1" | awk -F "[{,:}]" '{for(i=1;i<NF;i++){if($i~"'$2'"){print $(i+1)}}}' | sed 's/\"//g' + echo "$1" | \
+ awk -F "[{,:}]" '{for(i=1;i<NF;i++){if($i~"'$2'"){print $(i+1)}}}' | \
+ sed 's/\"//g'
+} +}
+ +
+file="$1" +get_post_json() {
+file_base64="$(base64 -w0 $file)" + printf '{'
+file_md5="$(md5sum $file | awk '{printf $1}')" + printf '"file_sha256":"%s",' $POST_FILE_SHA256
+json="{\"$POST_KEY_BASE64\":\"$file_base64\", \"$POST_KEY_MD5\":\"$file_md5\"}" + printf '"key_name":"%s",' $POST_KEY_NAME
+ printf '"key_type":"%s",' $POST_KEY_TYPE
+ printf '"file_type":"%s",' $POST_FILE_TYPE
+ printf '"sign_type":"%s",' $POST_SIGN_TYPE
+ printf '"job_id":"%s",' $POST_JOB_ID
+ printf '"os_project":"%s"' $POST_OS_ORIJECT
+ printf '}'
+}
+ +
+req="$(curl -X POST "$PUBLISHER_ADDR" -H 'Content-Type: application/json' -d "$json")" +# Prepare sign functions for each sign type
+[ $? -eq 0 ] || { echo "Fail to post sign service, REQ="; echo "req"; exit 1; } +module_sign_pre() {
+ if [[ "$INPUT_FILE" != *.ko ]]; then
+ echo "The module file must has the .ko extension"
+ return 1
+ fi
+ +
+sig_base64=$(get_json_value "$req" "$REQ_KEY_BASE64") + SIGN_FILE="$INPUT_FILE"
+[ $? -eq 0 ] || { echo "Fail to parser $REQ_KEY_BASE64"; exit 1; } + POST_KEY_NAME="openeuler-kernel-module-ee"
+echo -e "$sig_base64" | base64 -d > $file.sig + POST_KEY_TYPE="x509ee"
+[ $? -eq 0 ] || { echo "Fail to decode value of $key"; exit 1; } + POST_FILE_TYPE="kernel-module"
+ POST_SIGN_TYPE="cms"
+}
+ +
+sig_md5=$(get_json_value "$req" "$REQ_KEY_MD5") +ima_digestlist_sign_pre() {
+[ $? -eq 0 ] || { echo "Fail to parser $REQ_KEY_MD5"; exit 1; } + cp -f $INPUT_FILE $INPUT_FILE.ko
+md5sum $file.sig | grep "$sig_md5" + SIGN_FILE="$INPUT_FILE.ko"
+[ $? -eq 0 ] || { echo "Fail to check md5 of $file.sig"; exit 1; } + POST_KEY_NAME="openeuler-ima-ee"
+ POST_KEY_TYPE="x509ee"
+ POST_FILE_TYPE="kernel-module"
+ POST_SIGN_TYPE="cms"
+}
+ +
+echo "Sign $file ok!" +efi_sign_pre() {
+exit 0 + # TODO
+ SIGN_FILE="$INPUT_FILE"
+ POST_KEY_NAME="default-x509ee"
+ POST_KEY_TYPE="x509ee"
+ POST_FILE_TYPE="efi-image"
+ POST_SIGN_TYPE="authenticode"
+}
+
+kernel_sign_pre() {
+ # TODO
+ SIGN_FILE="$INPUT_FILE"
+ POST_KEY_NAME="default-x509ee"
+ POST_KEY_TYPE="x509ee"
+ POST_FILE_TYPE="efi-image"
+ POST_SIGN_TYPE="authenticode"
+}
+
+# Post sign functions for each sign type
+module_sign_post() {
+ :
+}
+
+ima_digestlist_sign_post() {
+ rm -f $INPUT_FILE.ko
+}
+
+efi_sign_post() {
+ :
+}
+
+kernel_sign_post() {
+ :
+}
+
+# Global configuration
+sign_config() {
+ if [ -z "$INPUT_TYPE" ] || [ -z "$INPUT_FILE" ]; then
+ echo "Please input the sign type and file"
+ exit 1
+ fi
+
+ if [ ! -f "$INPUT_FILE" ]; then
+ echo "The input file is invalid"
+ exit 1
+ fi
+
+ POST_FILE_SHA256=$(sha256sum "$INPUT_FILE" | awk '{ print $1 }')
+ if [ $? -ne 0 ]; then
+ echo "Failed to calculate file hash"
+ fi
+
+ PUBLISHER_HOST=$(grep PUBLISHER_HOST $PROJECT_CONF | awk '{print $2}')
+ PUBLISHER_PORT=$(grep PUBLISHER_PORT $PROJECT_CONF | awk '{print $2}')
+ if [ -z "$PUBLISHER_HOST" ] || [ -z "$PUBLISHER_PORT" ]; then
+ echo "Please set PUBLISHER_HOST and PUBLISHER_PORT"
+ exit 1
+ fi
+
+ POST_ADDR="http://${PUBLISHER_HOST}:${PUBLISHER_PORT}/code-sign"
+
+ POST_JOB_ID="$(grep -rwn 'id\:' $PROJECT_CONF | awk '{print $2}')"
+ POST_OS_ORIJECT="$(grep -rwn 'os_project\:' $PROJECT_CONF | awk '{print $2}')"
+ if [ -z "$POST_JOB_ID" ] || [ -z "$POST_OS_ORIJECT" ]; then
+ echo "Failed to get POST_JOB_ID and POST_OS_ORIJECT"
+ exit 1
+ fi
+}
+
+sign_pre() {
+ sign_config
+
+ case $INPUT_TYPE in
+ --efi)
+ efi_sign_pre
+ ;;
+ --module)
+ module_sign_pre
+ ;;
+ --ima-digestlist)
+ ima_digestlist_sign_pre
+ ;;
+ --kernel)
+ kernel_sign_pre
+ ;;
+ *)
+ echo "Unsupported sign type: $INPUT_TYPE"
+ exit 1
+ ;;
+ esac
+}
+
+sign() {
+ # 1. send the request to the sign service
+ # echo "curl "$POST_ADDR" \
+ # -F "file=@$SIGN_FILE" \
+ # -F "data=$(get_post_json);type=application/json""
+ req="$(curl "$POST_ADDR" \
+ -F "file=@$SIGN_FILE" \
+ -F "data=$(get_post_json);type=application/json")"
+ if [ $? -ne 0 ]; then
+ echo "Failed to post the sign service"
+ return 1
+ fi
+
+ req_err_msg=$(get_json_value "$req" "err_msg")
+ if [ -n "$req_err_msg" ]; then
+ echo "Failed, err_msg: [$req_err_msg]"
+ return 1
+ fi
+
+ # 2. write the file content
+ encoded_file_content=$(get_json_value "$req" "encoded_file_content")
+ if [ $? -ne 0 ]; then
+ echo "Failed to get encoded file content"
+ return 1
+ fi
+
+ echo -ne "$encoded_file_content" | base64 -d > $INPUT_FILE.sig
+ if [ $? -ne 0 ]; then
+ echo "Failed to write the signed file"
+ return 1
+ fi
+
+ # for test
+ # cp -f $INPUT_FILE $INPUT_FILE.sig
+ # req="{file_sha256:41c68fca7b3870cc9ef13a828a74af933bd8e4ff345fcfa316}"
+
+ # 3. check the hash
+ sha256_cal=$(sha256sum $INPUT_FILE.sig | awk '{print $1}')
+ sha256_get=$(get_json_value "$req" "file_sha256" | tr '[:upper:]' '[:lower:]')
+ if [ "$sha256_cal" != "$sha256_get" ]; then
+ echo "Failed to verify the hash value"
+ return 1
+ fi
+}
+
+sign_post() {
+ case $INPUT_TYPE in
+ --efi)
+ efi_sign_post
+ ;;
+ --module)
+ module_sign_post
+ ;;
+ --ima-digestlist)
+ ima_digestlist_sign_post
+ ;;
+ --kernel)
+ kernel_sign_post
+ ;;
+ esac
+}
+
+# Main function
+sign_pre
+
+for ((i=1; i<=$CONFIG_RETEST_COUNT; i++)); do
+ sign
+ if [ $? -eq 0 ]; then
+ echo "Succeed to sign file"
+ break;
+ elif [ $i -ne $CONFIG_RETEST_COUNT ]; then
+ echo "Failed to sign file, try again"
+ elif [ $i -eq $CONFIG_RETEST_COUNT ]; then
+ echo "Failed to sign file"
+ SIGN_RESULT=1
+ fi
+done
+
+sign_post
+exit $SIGN_RESULT
-- --
2.33.0 2.33.0

5
openEuler-rpm-config.spec
View File

@ -3,7 +3,7 @@
Name: %{vendor}-rpm-config Name: %{vendor}-rpm-config
Version: 30 Version: 30
Release: 51 Release: 52
License: GPL+ License: GPL+
Summary: specific rpm configuration files Summary: specific rpm configuration files
URL: https://gitee.com/openeuler/openEuler-rpm-config URL: https://gitee.com/openeuler/openEuler-rpm-config
@ -149,6 +149,9 @@ sed -i "s/__vendor/%{vendor}/g" `grep "__vendor" -rl %{buildroot}%{_rpmconfigdir
%{rpmvdir}/find-requires.ksyms %{rpmvdir}/find-requires.ksyms
%changelog %changelog
* Fri Mar 22 2024 zhangguangzhi <zhangguangzhi3@huawei.com> - 30-52
- ima digest list ebs sign support modsig
* Fri Mar 15 2024 yueyuankun <yueyuankun@kylinos.cn> - 30-51 * Fri Mar 15 2024 yueyuankun <yueyuankun@kylinos.cn> - 30-51
- Add optflags for loongarch64 and sw_64 - Add optflags for loongarch64 and sw_64