From 3c5bb3890756f2e0504e7f8f3f965025f49694b0 Mon Sep 17 00:00:00 2001
From: Huaxin Lu
Date: Mon, 12 Dec 2022 00:16:01 +0800
Subject: [PATCH] support EBS sign for IMA digest list

Signed-off-by: Huaxin Lu
Signed-off-by: zhangguangzhi
---
 brp-digest-list | 20 +++-
 brp-ebs-sign | 238 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 254 insertions(+), 4 deletions(-)
 create mode 100644 brp-ebs-sign

diff --git a/brp-digest-list b/brp-digest-list
index 6c8a94d..645f5e4 100644
--- a/brp-digest-list
+++ b/brp-digest-list
@@ -25,7 +25,6 @@ fi
 DIGEST_LIST_DIR=$RPM_BUILD_ROOT/$2/etc/ima/digest_lists
 mkdir -p $DIGEST_LIST_DIR
 mkdir -p $DIGEST_LIST_DIR.tlv
-mkdir -p $DIGEST_LIST_DIR.sig
 
 # Generate digest list for the kernel
 gen_digest_lists -i M: -t metadata -f compact -d $DIGEST_LIST_DIR -i l:policy \
@@ -69,13 +68,26 @@ DIGEST_LIST_TLV_PATH="$DIGEST_LIST_DIR.tlv/0-metadata_list-compact_tlv-$(basenam
 chmod 644 $DIGEST_LIST_TLV_PATH
 echo $DIGEST_LIST_TLV_PATH
 
+# do EBS sign
+export PUBLISHER_HOST=$(grep PUBLISHER_HOST /lkp/scheduled/job.yaml | awk '{print $2}')
+export PUBLISHER_PORT=$(grep PUBLISHER_PORT /lkp/scheduled/job.yaml | awk '{print $2}')
+if [[ -n "$PUBLISHER_HOST" && -n "$PUBLISHER_PORT" ]]; then
+ [ -f /usr/lib/rpm/brp-ebs-sign ] || exit 0
+ sh /usr/lib/rpm/brp-ebs-sign --ima-digestlist $DIGEST_LIST_PATH 1>&2
+ [ -f $DIGEST_LIST_PATH.sig ] || exit 0
+ chmod 644 $DIGEST_LIST_PATH.sig
+ mv $DIGEST_LIST_PATH.sig $DIGEST_LIST_PATH
+ exit 0
+fi
+
+# do OBS sign
 if [[ "$(basename $BIN_PKG_FILES)" =~ "digest-list-tools" && \
 ! $(basename $BIN_PKG_FILES) =~ "debug" ]]; then
 # Generate digest list for the user space parsers
 LD_LIBRARY_PATH=$RPM_BUILD_ROOT/usr/lib64 \
- $RPM_BUILD_ROOT/usr/bin/gen_digest_lists \
- -d $DIGEST_LIST_DIR -t parser -f compact -m immutable \
- -i I:$RPM_BUILD_ROOT/usr/libexec -o add -p -1 -i i:
+ $RPM_BUILD_ROOT/usr/bin/gen_digest_lists \
+ -d $DIGEST_LIST_DIR -t parser -f compact -m immutable \
+ -i I:$RPM_BUILD_ROOT/usr/libexec -o add -p -1 -i i:
 
 f="$DIGEST_LIST_DIR/0-parser_list-compact-libexec"
 [ -f $f ] || exit 0
diff --git a/brp-ebs-sign b/brp-ebs-sign
new file mode 100644
index 0000000..885d7aa
--- /dev/null
+++ b/brp-ebs-sign
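Review bot: The exit status of `brp-ebs-sign` is discarded on the `sh /usr/lib/rpm/brp-ebs-sign ... 1>&2` line; the only success check is `[ -f $DIGEST_LIST_PATH.sig ]`, so any `.sig` left behind by a failed or partially failed signing run is moved over the digest list and the build continues as if it were signed. Check the status and discard the artifact on failure, e.g. `sh /usr/lib/rpm/brp-ebs-sign --ima-digestlist "$DIGEST_LIST_PATH" 1>&2 || { rm -f -- "$DIGEST_LIST_PATH.sig"; exit 1; }` (or `exit 0` if an unsigned list is an accepted fallback, but then state that in a comment). The signer has a `#!/bin/bash` shebang and uses `[[ ]]` and `for ((...))`, so run it with `bash` or directly rather than `sh`. The `grep PUBLISHER_HOST ... | awk '{print $2}'` lookup is a substring match over the YAML and will pick up any line containing that token (commented-out or differently named keys included), possibly yielding a multi-line value; anchoring it (`grep -m1 '^PUBLISHER_HOST:'`) or using a YAML parser would be safer. This block sits in the middle of brp-digest-list, whose earlier and later parts are outside the hunk.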
@@ -0,0 +1,238 @@
+#!/bin/bash
+
+INPUT_TYPE=$1
+INPUT_FILE=$2
+SIGN_FILE=$INPUT_FILE
+PROJECT_CONF="/lkp/scheduled/job.yaml"
+POST_ADDR=""
+POST_FILE_SHA256=""
+POST_KEY_NAME=""
+POST_KEY_TYPE=""
+POST_FILE_TYPE=""
+POST_SIGN_TYPE=""
+POST_JOB_ID=""
+POST_OS_ORIJECT=""
+CONFIG_RETEST_COUNT=5
+SIGN_RESULT=0
+FAILED_SIGN_PERMISSION_DENIED=2
+
+# Tool functions for JSON
+get_json_value(){
+ echo "$1" | \
+ awk -F "[{,:}]" '{for(i=1;i $INPUT_FILE.sig
+ if [ $? -ne 0 ]; then
+ echo "Failed to write the signed file"
+ return 1
+ fi
+
+ # for test
+ # cp -f $INPUT_FILE $INPUT_FILE.sig
+ # req="{file_sha256:41c68fca7b3870cc9ef13a828a74af933bd8e4ff345fcfa316}"
+
+ # 3. check the hash
+ sha256_cal=$(sha256sum $INPUT_FILE.sig | awk '{print $1}')
+ sha256_get=$(get_json_value "$req" "file_sha256" | tr '[:upper:]' '[:lower:]')
+ if [ "$sha256_cal" != "$sha256_get" ]; then
+ echo "Failed to verify the hash value"
+ return 1
+ fi
+}
+
+sign_post() {
+ case $INPUT_TYPE in
+ --efi)
+ efi_sign_post
+ ;;
+ --module)
+ module_sign_post
+ ;;
+ --ima-digestlist)
+ ima_digestlist_sign_post
+ ;;
+ --kernel)
+ kernel_sign_post
+ ;;
+ esac
+}
+
+# Main function
+sign_pre
+
+for ((i=1; i<=$CONFIG_RETEST_COUNT; i++)); do
+ sign
+ ret_sign=$?
+ if [ $ret_sign -eq 0 ]; then
+ echo "Succeed to sign file"
+ break;
+ elif [ $ret_sign -eq $FAILED_SIGN_PERMISSION_DENIED ]; then
+ echo "Failed to sign file, permission denied"
+ SIGN_RESULT=$FAILED_SIGN_PERMISSION_DENIED
+ break;
+ elif [ $i -ne $CONFIG_RETEST_COUNT ]; then
+ echo "Failed to sign file, try again"
+ elif [ $i -eq $CONFIG_RETEST_COUNT ]; then
+ echo "Failed to sign file"
+ SIGN_RESULT=1
+ fi
+done
+
+sign_post
+exit $SIGN_RESULT
--
2.33.0
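Review bot: A failed hash check in the post step does not fail the script: the `return 1` after `Failed to verify the hash value` propagates out of `sign_post`, but the main section calls `sign_post` unconditionally and then runs `exit $SIGN_RESULT`, which is still 0, so a `.sig` whose digest did not match `file_sha256` stays on disk and the script reports success. Change the tail to `sign_post || { rm -f -- "$INPUT_FILE.sig"; SIGN_RESULT=1; }` before `exit $SIGN_RESULT`, and only run `sign_post` when `SIGN_RESULT` is 0 so an exhausted retry loop does not still write `$INPUT_FILE.sig` from whatever `$req` holds. The digest being compared apparently comes from the same response as the signed blob, so this check guards against truncation or decoding errors rather than a tampered reply; verifying the produced signature against the expected key would be the stronger check if the tooling permits it. The middle of this file, from the body of `get_json_value` through the request functions, is not readable in this copy of the patch and was not reviewed.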