dcavalca / rpms / rpm

Forked from rpms/rpm 2 years ago
Clone
Source Code
GIT

Blame 0016-Add-basic-autoconf-and-framework-for-fsverity-suppor.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c8s-imaevm-bootstrap c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   633b5987f95aaaa0877b4e4d23f79850cea74357
  2.   0016-Add-basic-autoconf-and-framework-for-fsverity-suppor.patch
Blob History Raw
45e748 
From f525681b4f66026578bc728b864bfea3d814c29e Mon Sep 17 00:00:00 2001
45e748 
From: Jes Sorensen <jsorensen@fb.com>
45e748 
Date: Fri, 27 Mar 2020 18:31:36 -0400
45e748 
Subject: [PATCH 16/33] Add basic autoconf and framework for fsverity support
45e748
45e748 
Use the same signing key argument as is used for IMA file signing.
45e748
45e748 
Signed-off-by: Jes Sorensen <jsorensen@fb.com>
45e748 
---
45e748 
 configure.ac     | 19 +++++++++++++++++++
45e748 
 rpmsign.c        | 20 ++++++++++++++------
45e748 
 sign/Makefile.am |  5 +++++
45e748 
 sign/rpmsign.h   |  1 +
45e748 
 4 files changed, 39 insertions(+), 6 deletions(-)
45e748
45e748 
diff --git a/configure.ac b/configure.ac
45e748 
index 3c102d5eb..cc7144440 100644
45e748 
--- a/configure.ac
45e748 
+++ b/configure.ac
45e748 
@@ -919,6 +919,25 @@ fi
45e748 
 AM_CONDITIONAL(WITH_IMAEVM,[test "$with_imaevm" = yes])
45e748 
 AC_SUBST(WITH_IMAEVM_LIB)
45e748
45e748 
+# fsverity
45e748 
+AC_ARG_WITH([fsverity], [AS_HELP_STRING([--with-fsverity],[build with fsverity support])],[],[with_fsverity=no])
45e748 
+if test "$with_fsverity" = yes ; then
45e748 
+  AC_MSG_CHECKING([libfsverity])
45e748 
+  AC_COMPILE_IFELSE(
45e748 
+    [AC_LANG_PROGRAM(
45e748 
+      [[#include <libfsverity.h>]],
45e748 
+      [[return libfsverity_sign_digest(NULL, NULL, NULL, NULL);]]
45e748 
+    )],
45e748 
+    [AC_MSG_RESULT(yes)
45e748 
+      AC_DEFINE(WITH_FSVERITY, 1, [Build with fsverity support?])
45e748 
+      WITH_FSVERITY_LIB="-lfsverity"
45e748 
+    ],
45e748 
+    [AC_MSG_ERROR([--with-fsverity given, libfsverity or libfsverity.h missing])]
45e748 
+  )
45e748 
+fi
45e748 
+AM_CONDITIONAL(WITH_FSVERITY,[test "$with_fsverity" = yes])
45e748 
+AC_SUBST(WITH_FSVERITY_LIB)
45e748 
+
45e748 
 # libcap
45e748 
 WITH_CAP_LIB=
45e748 
 AC_ARG_WITH(cap, [AS_HELP_STRING([--with-cap],[build with capability support])],
45e748 
diff --git a/rpmsign.c b/rpmsign.c
45e748 
index e1d207da5..8861c2c59 100644
45e748 
--- a/rpmsign.c
45e748 
+++ b/rpmsign.c
45e748 
@@ -18,7 +18,7 @@ enum modes {
45e748
45e748 
 static int mode = MODE_NONE;
45e748
45e748 
-#ifdef WITH_IMAEVM
45e748 
+#if defined(WITH_IMAEVM) || defined(WITH_FSVERITY)
45e748 
 static int fskpass = 0;
45e748 
 static char * fileSigningKey = NULL;
45e748 
 #endif
45e748 
@@ -39,6 +39,13 @@ static struct poptOption signOptsTable[] = {
45e748 
     { "signfiles", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR),
45e748 
 	&sargs.signflags, RPMSIGN_FLAG_IMA,
45e748 
 	N_("sign package(s) files"), NULL},
45e748 
+#endif
45e748 
+#ifdef WITH_FSVERITY
45e748 
+    { "signverity", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR),
45e748 
+	&sargs.signflags, RPMSIGN_FLAG_FSVERITY,
45e748 
+	N_("generate fsverity signatures for package(s) files"), NULL},
45e748 
+#endif
45e748 
+#if defined(WITH_IMAEVM) || defined(WITH_FSVERITY)
45e748 
     { "fskpath", '\0', POPT_ARG_STRING, &fileSigningKey, 0,
45e748 
 	N_("use file signing key <key>"),
45e748 
 	N_("<key>") },
45e748 
@@ -59,7 +66,7 @@ static struct poptOption optionsTable[] = {
45e748 
     POPT_TABLEEND
45e748 
 };
45e748
45e748 
-#ifdef WITH_IMAEVM
45e748 
+#if defined(WITH_IMAEVM) || defined(WITH_FSVERITY)
45e748 
 static char *get_fskpass(void)
45e748 
 {
45e748 
     struct termios flags, tmp_flags;
45e748 
@@ -106,12 +113,12 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
45e748 
 	goto exit;
45e748 
     }
45e748
45e748 
-#ifdef WITH_IMAEVM
45e748 
+#if defined(WITH_IMAEVM) || defined(WITH_FSVERITY)
45e748 
     if (fileSigningKey) {
45e748 
 	rpmPushMacro(NULL, "_file_signing_key", NULL, fileSigningKey, RMIL_GLOBAL);
45e748 
     }
45e748
45e748 
-    if (sargs->signflags & RPMSIGN_FLAG_IMA) {
45e748 
+    if (sargs->signflags & (RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY)) {
45e748 
 	char *fileSigningKeyPassword = NULL;
45e748 
 	char *key = rpmExpand("%{?_file_signing_key}", NULL);
45e748 
 	if (rstreq(key, "")) {
45e748 
@@ -165,8 +172,9 @@ int main(int argc, char *argv[])
45e748 
 	argerror(_("no arguments given"));
45e748 
     }
45e748
45e748 
-#ifdef WITH_IMAEVM
45e748 
-    if (fileSigningKey && !(sargs.signflags & RPMSIGN_FLAG_IMA)) {
45e748 
+#if defined(WITH_IMAEVM) || defined(WITH_FSVERITY)
45e748 
+    if (fileSigningKey &&
45e748 
+	!(sargs.signflags & (RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY))) {
45e748 
 	argerror(_("--fskpath may only be specified when signing files"));
45e748 
     }
45e748 
 #endif
45e748 
diff --git a/sign/Makefile.am b/sign/Makefile.am
45e748 
index db774de0e..8d372915a 100644
45e748 
--- a/sign/Makefile.am
45e748 
+++ b/sign/Makefile.am
45e748 
@@ -24,3 +24,8 @@ if WITH_IMAEVM
45e748 
 librpmsign_la_SOURCES += rpmsignfiles.c rpmsignfiles.h
45e748 
 librpmsign_la_LIBADD += @WITH_IMAEVM_LIB@
45e748 
 endif
45e748 
+
45e748 
+if WITH_FSVERITY
45e748 
+librpmsign_la_SOURCES += rpmsignverity.c rpmsignverity.h
45e748 
+librpmsign_la_LIBADD += @WITH_FSVERITY_LIB@
45e748 
+endif
45e748 
diff --git a/sign/rpmsign.h b/sign/rpmsign.h
45e748 
index 7a770d879..2b8a10a1a 100644
45e748 
--- a/sign/rpmsign.h
45e748 
+++ b/sign/rpmsign.h
45e748 
@@ -17,6 +17,7 @@ enum rpmSignFlags_e {
45e748 
     RPMSIGN_FLAG_NONE		= 0,
45e748 
     RPMSIGN_FLAG_IMA		= (1 << 0),
45e748 
     RPMSIGN_FLAG_RPMV3		= (1 << 1),
45e748 
+    RPMSIGN_FLAG_FSVERITY	= (1 << 2),
45e748 
 };
45e748 
 typedef rpmFlags rpmSignFlags;
45e748
45e748 
--
45e748 
2.27.0
45e748

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation