322 lines
8.0 KiB
Diff
322 lines
8.0 KiB
Diff
From 0449160c84daff8c557dee47a970e4f4837ff81d Mon Sep 17 00:00:00 2001
|
|
From: Huaxin Lu <luhuaxin1@huawei.com>
|
|
Date: Mon, 12 Dec 2022 00:16:01 +0800
|
|
Subject: [PATCH] support EBS sign for IMA digest list
|
|
|
|
Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
|
|
Signed-off-by: zhangguangzhi <zhangguangzhi3@huawei.com>
|
|
|
|
---
|
|
brp-digest-list | 48 +++++-----
|
|
brp-ebs-sign | 231 ++++++++++++++++++++++++++++++++++++++++++++++++
|
|
2 files changed, 257 insertions(+), 22 deletions(-)
|
|
create mode 100644 brp-ebs-sign
|
|
|
|
diff --git a/brp-digest-list b/brp-digest-list
|
|
index e698b7a..fe6e75c 100644
|
|
--- a/brp-digest-list
|
|
+++ b/brp-digest-list
|
|
@@ -26,7 +26,6 @@ fi
|
|
DIGEST_LIST_DIR=$RPM_BUILD_ROOT/$2/etc/ima/digest_lists
|
|
mkdir -p $DIGEST_LIST_DIR
|
|
mkdir -p $DIGEST_LIST_DIR.tlv
|
|
-mkdir -p $DIGEST_LIST_DIR.sig
|
|
|
|
# Generate digest list for the kernel
|
|
gen_digest_lists -i M: -t metadata -f compact -d $DIGEST_LIST_DIR -i l:policy \
|
|
@@ -70,28 +69,33 @@ DIGEST_LIST_TLV_PATH="$DIGEST_LIST_DIR.tlv/0-metadata_list-compact_tlv-$(basenam
|
|
chmod 644 $DIGEST_LIST_TLV_PATH
|
|
echo $DIGEST_LIST_TLV_PATH
|
|
|
|
-if [[ "$(basename $BIN_PKG_FILES)" =~ "digest-list-tools" && \
|
|
- ! $(basename $BIN_PKG_FILES) =~ "debug" ]]; then
|
|
- # Generate digest list for the user space parsers
|
|
- LD_LIBRARY_PATH=$RPM_BUILD_ROOT/usr/lib64 \
|
|
- $RPM_BUILD_ROOT/usr/bin/gen_digest_lists \
|
|
- -d $DIGEST_LIST_DIR -t parser -f compact -m immutable \
|
|
- -i I:$RPM_BUILD_ROOT/usr/libexec -o add -p -1 -i i:
|
|
-
|
|
- f="$DIGEST_LIST_DIR/0-parser_list-compact-libexec"
|
|
- [ -f $f ] || exit 0
|
|
-
|
|
- chmod 644 $f
|
|
- echo $f
|
|
+#if [[ "$(basename $BIN_PKG_FILES)" =~ "digest-list-tools" && \
|
|
+# ! $(basename $BIN_PKG_FILES) =~ "debug" ]]; then
|
|
+# Generate digest list for the user space parsers
|
|
+
|
|
+# do EBS sign
|
|
+export PUBLISHER_HOST=$(grep PUBLISHER_HOST /lkp/scheduled/job.yaml | awk '{print $2}')
|
|
+export PUBLISHER_PORT=$(grep PUBLISHER_PORT /lkp/scheduled/job.yaml | awk '{print $2}')
|
|
+if [[ -n "$PUBLISHER_HOST" && -n "$PUBLISHER_PORT" ]]; then
|
|
+ [ -f /usr/lib/rpm/brp-ebs-sign ] || exit 0
|
|
+ for f in $(ls $DIGEST_LIST_DIR); do
|
|
+ sh /usr/lib/rpm/brp-ebs-sign --ima-digestlist $DIGEST_LIST_DIR/$f 1>&2
|
|
+ [ -f $DIGEST_LIST_DIR/$f.sig ] || exit 0
|
|
+ chmod 644 $DIGEST_LIST_DIR/$f.sig
|
|
+ mv $DIGEST_LIST_DIR/$f.sig $DIGEST_LIST_DIR/$f
|
|
+ done
|
|
+ exit 0
|
|
+fi
|
|
|
|
- [ -f /usr/lib/rpm/brp-suse.d/brp-99-pesign ] || exit 0
|
|
+# do OBS sign
|
|
+[ -f /usr/lib/rpm/brp-suse.d/brp-99-pesign ] || exit 0
|
|
|
|
- export BRP_PESIGN_FILES="$2/etc/ima/digest_lists/*"
|
|
- export RPM_BUILD_ROOT
|
|
- export RPM_PACKAGE_NAME="digest-list-tools"
|
|
- export RPM_SOURCE_DIR="$(rpm --eval %_topdir)/SOURCES"
|
|
+export BRP_PESIGN_FILES="$2/etc/ima/digest_lists/*"
|
|
+export RPM_BUILD_ROOT
|
|
+export RPM_PACKAGE_NAME="digest-list-tools"
|
|
+export RPM_SOURCE_DIR="$(rpm --eval %_topdir)/SOURCES"
|
|
|
|
- if [ -f "/usr/lib/rpm/brp-suse.d/brp-99-pesign" ]; then
|
|
- /usr/lib/rpm/brp-suse.d/brp-99-pesign &> /dev/null
|
|
- fi
|
|
+if [ -f "/usr/lib/rpm/brp-suse.d/brp-99-pesign" ]; then
|
|
+ /usr/lib/rpm/brp-suse.d/brp-99-pesign &> /dev/null
|
|
fi
|
|
+#fi
|
|
diff --git a/brp-ebs-sign b/brp-ebs-sign
|
|
new file mode 100644
|
|
index 0000000..57e208b
|
|
--- /dev/null
|
|
+++ b/brp-ebs-sign
|
|
@@ -0,0 +1,231 @@
|
|
+#!/bin/bash
|
|
+
|
|
+INPUT_TYPE=$1
|
|
+INPUT_FILE=$2
|
|
+SIGN_FILE=$INPUT_FILE
|
|
+PROJECT_CONF="/lkp/scheduled/job.yaml"
|
|
+POST_ADDR=""
|
|
+POST_FILE_SHA256=""
|
|
+POST_KEY_NAME=""
|
|
+POST_KEY_TYPE=""
|
|
+POST_FILE_TYPE=""
|
|
+POST_SIGN_TYPE=""
|
|
+POST_JOB_ID=""
|
|
+POST_OS_ORIJECT=""
|
|
+CONFIG_RETEST_COUNT=5
|
|
+SIGN_RESULT=0
|
|
+
|
|
+# Tool functions for JSON
|
|
+get_json_value(){
|
|
+ echo "$1" | \
|
|
+ awk -F "[{,:}]" '{for(i=1;i<NF;i++){if($i~"'$2'"){print $(i+1)}}}' | \
|
|
+ sed 's/\"//g'
|
|
+}
|
|
+
|
|
+get_post_json() {
|
|
+ printf '{'
|
|
+ printf '"file_sha256":"%s",' $POST_FILE_SHA256
|
|
+ printf '"key_name":"%s",' $POST_KEY_NAME
|
|
+ printf '"key_type":"%s",' $POST_KEY_TYPE
|
|
+ printf '"file_type":"%s",' $POST_FILE_TYPE
|
|
+ printf '"sign_type":"%s",' $POST_SIGN_TYPE
|
|
+ printf '"job_id":"%s",' $POST_JOB_ID
|
|
+ printf '"os_project":"%s"' $POST_OS_ORIJECT
|
|
+ printf '}'
|
|
+}
|
|
+
|
|
+# Prepare sign functions for each sign type
|
|
+module_sign_pre() {
|
|
+ if [[ "$INPUT_FILE" != *.ko ]]; then
|
|
+ echo "The module file must has the .ko extension"
|
|
+ return 1
|
|
+ fi
|
|
+
|
|
+ SIGN_FILE="$INPUT_FILE"
|
|
+ POST_KEY_NAME="openeuler-kernel-module-ee"
|
|
+ POST_KEY_TYPE="x509ee"
|
|
+ POST_FILE_TYPE="kernel-module"
|
|
+ POST_SIGN_TYPE="cms"
|
|
+}
|
|
+
|
|
+ima_digestlist_sign_pre() {
|
|
+ cp -f $INPUT_FILE $INPUT_FILE.ko
|
|
+ SIGN_FILE="$INPUT_FILE.ko"
|
|
+ POST_KEY_NAME="openeuler-ima-ee"
|
|
+ POST_KEY_TYPE="x509ee"
|
|
+ POST_FILE_TYPE="kernel-module"
|
|
+ POST_SIGN_TYPE="cms"
|
|
+}
|
|
+
|
|
+efi_sign_pre() {
|
|
+ # TODO
|
|
+ SIGN_FILE="$INPUT_FILE"
|
|
+ POST_KEY_NAME="default-x509ee"
|
|
+ POST_KEY_TYPE="x509ee"
|
|
+ POST_FILE_TYPE="efi-image"
|
|
+ POST_SIGN_TYPE="authenticode"
|
|
+}
|
|
+
|
|
+kernel_sign_pre() {
|
|
+ # TODO
|
|
+ SIGN_FILE="$INPUT_FILE"
|
|
+ POST_KEY_NAME="default-x509ee"
|
|
+ POST_KEY_TYPE="x509ee"
|
|
+ POST_FILE_TYPE="efi-image"
|
|
+ POST_SIGN_TYPE="authenticode"
|
|
+}
|
|
+
|
|
+# Post sign functions for each sign type
|
|
+module_sign_post() {
|
|
+ :
|
|
+}
|
|
+
|
|
+ima_digestlist_sign_post() {
|
|
+ rm -f $INPUT_FILE.ko
|
|
+}
|
|
+
|
|
+efi_sign_post() {
|
|
+ :
|
|
+}
|
|
+
|
|
+kernel_sign_post() {
|
|
+ :
|
|
+}
|
|
+
|
|
+# Global configuration
|
|
+sign_config() {
|
|
+ if [ -z "$INPUT_TYPE" ] || [ -z "$INPUT_FILE" ]; then
|
|
+ echo "Please input the sign type and file"
|
|
+ exit 1
|
|
+ fi
|
|
+
|
|
+ if [ ! -f "$INPUT_FILE" ]; then
|
|
+ echo "The input file is invalid"
|
|
+ exit 1
|
|
+ fi
|
|
+
|
|
+ POST_FILE_SHA256=$(sha256sum "$INPUT_FILE" | awk '{ print $1 }')
|
|
+ if [ $? -ne 0 ]; then
|
|
+ echo "Failed to calculate file hash"
|
|
+ fi
|
|
+
|
|
+ PUBLISHER_HOST=$(grep PUBLISHER_HOST $PROJECT_CONF | awk '{print $2}')
|
|
+ PUBLISHER_PORT=$(grep PUBLISHER_PORT $PROJECT_CONF | awk '{print $2}')
|
|
+ if [ -z "$PUBLISHER_HOST" ] || [ -z "$PUBLISHER_PORT" ]; then
|
|
+ echo "Please set PUBLISHER_HOST and PUBLISHER_PORT"
|
|
+ exit 1
|
|
+ fi
|
|
+
|
|
+ POST_ADDR="http://${PUBLISHER_HOST}:${PUBLISHER_PORT}/code-sign"
|
|
+
|
|
+ POST_JOB_ID="$(grep -rwn 'id\:' $PROJECT_CONF | awk '{print $2}')"
|
|
+ POST_OS_ORIJECT="$(grep -rwn 'os_project\:' $PROJECT_CONF | awk '{print $2}')"
|
|
+ if [ -z "$POST_JOB_ID" ] || [ -z "$POST_OS_ORIJECT" ]; then
|
|
+ echo "Failed to get POST_JOB_ID and POST_OS_ORIJECT"
|
|
+ exit 1
|
|
+ fi
|
|
+}
|
|
+
|
|
+sign_pre() {
|
|
+ sign_config
|
|
+
|
|
+ case $INPUT_TYPE in
|
|
+ --efi)
|
|
+ efi_sign_pre
|
|
+ ;;
|
|
+ --module)
|
|
+ module_sign_pre
|
|
+ ;;
|
|
+ --ima-digestlist)
|
|
+ ima_digestlist_sign_pre
|
|
+ ;;
|
|
+ --kernel)
|
|
+ kernel_sign_pre
|
|
+ ;;
|
|
+ *)
|
|
+ echo "Unsupported sign type: $INPUT_TYPE"
|
|
+ exit 1
|
|
+ ;;
|
|
+ esac
|
|
+}
|
|
+
|
|
+sign() {
|
|
+ # 1. send the request to the sign service
|
|
+ # echo "curl "$POST_ADDR" \
|
|
+ # -F "file=@$SIGN_FILE" \
|
|
+ # -F "data=$(get_post_json);type=application/json""
|
|
+ req="$(curl "$POST_ADDR" \
|
|
+ -F "file=@$SIGN_FILE" \
|
|
+ -F "data=$(get_post_json);type=application/json")"
|
|
+ if [ $? -ne 0 ]; then
|
|
+ echo "Failed to post the sign service"
|
|
+ return 1
|
|
+ fi
|
|
+
|
|
+ req_err_msg=$(get_json_value "$req" "err_msg")
|
|
+ if [ -n "$req_err_msg" ]; then
|
|
+ echo "Failed, err_msg: [$req_err_msg]"
|
|
+ return 1
|
|
+ fi
|
|
+
|
|
+ # 2. write the file content
|
|
+ encoded_file_content=$(get_json_value "$req" "encoded_file_content")
|
|
+ if [ $? -ne 0 ]; then
|
|
+ echo "Failed to get encoded file content"
|
|
+ return 1
|
|
+ fi
|
|
+
|
|
+ echo -ne "$encoded_file_content" | base64 -d > $INPUT_FILE.sig
|
|
+ if [ $? -ne 0 ]; then
|
|
+ echo "Failed to write the signed file"
|
|
+ return 1
|
|
+ fi
|
|
+
|
|
+ # for test
|
|
+ # cp -f $INPUT_FILE $INPUT_FILE.sig
|
|
+ # req="{file_sha256:41c68fca7b3870cc9ef13a828a74af933bd8e4ff345fcfa316}"
|
|
+
|
|
+ # 3. check the hash
|
|
+ sha256_cal=$(sha256sum $INPUT_FILE.sig | awk '{print $1}')
|
|
+ sha256_get=$(get_json_value "$req" "file_sha256" | tr '[:upper:]' '[:lower:]')
|
|
+ if [ "$sha256_cal" != "$sha256_get" ]; then
|
|
+ echo "Failed to verify the hash value"
|
|
+ return 1
|
|
+ fi
|
|
+}
|
|
+
|
|
+sign_post() {
|
|
+ case $INPUT_TYPE in
|
|
+ --efi)
|
|
+ efi_sign_post
|
|
+ ;;
|
|
+ --module)
|
|
+ module_sign_post
|
|
+ ;;
|
|
+ --ima-digestlist)
|
|
+ ima_digestlist_sign_post
|
|
+ ;;
|
|
+ --kernel)
|
|
+ kernel_sign_post
|
|
+ ;;
|
|
+ esac
|
|
+}
|
|
+
|
|
+# Main function
|
|
+sign_pre
|
|
+
|
|
+for ((i=1; i<=$CONFIG_RETEST_COUNT; i++)); do
|
|
+ sign
|
|
+ if [ $? -eq 0 ]; then
|
|
+ echo "Succeed to sign file"
|
|
+ break;
|
|
+ elif [ $i -ne $CONFIG_RETEST_COUNT ]; then
|
|
+ echo "Failed to sign file, try again"
|
|
+ elif [ $i -eq $CONFIG_RETEST_COUNT ]; then
|
|
+ echo "Failed to sign file"
|
|
+ SIGN_RESULT=1
|
|
+ fi
|
|
+done
|
|
+
|
|
+sign_post
|
|
+exit $SIGN_RESULT
|
|
--
|
|
2.33.0
|
|
|