From f525681b4f66026578bc728b864bfea3d814c29e Mon Sep 17 00:00:00 2001 From: Jes Sorensen Date: Fri, 27 Mar 2020 18:31:36 -0400 Subject: [PATCH 16/33] Add basic autoconf and framework for fsverity support Use the same signing key argument as is used for IMA file signing. Signed-off-by: Jes Sorensen --- configure.ac | 19 +++++++++++++++++++ rpmsign.c | 20 ++++++++++++++------ sign/Makefile.am | 5 +++++ sign/rpmsign.h | 1 + 4 files changed, 39 insertions(+), 6 deletions(-) diff --git a/configure.ac b/configure.ac index 3c102d5eb..cc7144440 100644 --- a/configure.ac +++ b/configure.ac @@ -919,6 +919,25 @@ fi AM_CONDITIONAL(WITH_IMAEVM,[test "$with_imaevm" = yes]) AC_SUBST(WITH_IMAEVM_LIB) +# fsverity +AC_ARG_WITH([fsverity], [AS_HELP_STRING([--with-fsverity],[build with fsverity support])],[],[with_fsverity=no]) +if test "$with_fsverity" = yes ; then + AC_MSG_CHECKING([libfsverity]) + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[#include ]], + [[return libfsverity_sign_digest(NULL, NULL, NULL, NULL);]] + )], + [AC_MSG_RESULT(yes) + AC_DEFINE(WITH_FSVERITY, 1, [Build with fsverity support?]) + WITH_FSVERITY_LIB="-lfsverity" + ], + [AC_MSG_ERROR([--with-fsverity given, libfsverity or libfsverity.h missing])] + ) +fi +AM_CONDITIONAL(WITH_FSVERITY,[test "$with_fsverity" = yes]) +AC_SUBST(WITH_FSVERITY_LIB) + # libcap WITH_CAP_LIB= AC_ARG_WITH(cap, [AS_HELP_STRING([--with-cap],[build with capability support])], diff --git a/rpmsign.c b/rpmsign.c index e1d207da5..8861c2c59 100644 --- a/rpmsign.c +++ b/rpmsign.c @@ -18,7 +18,7 @@ enum modes { static int mode = MODE_NONE; -#ifdef WITH_IMAEVM +#if defined(WITH_IMAEVM) || defined(WITH_FSVERITY) static int fskpass = 0; static char * fileSigningKey = NULL; #endif @@ -39,6 +39,13 @@ static struct poptOption signOptsTable[] = { { "signfiles", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &sargs.signflags, RPMSIGN_FLAG_IMA, N_("sign package(s) files"), NULL}, +#endif +#ifdef WITH_FSVERITY + { "signverity", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), + &sargs.signflags, RPMSIGN_FLAG_FSVERITY, + N_("generate fsverity signatures for package(s) files"), NULL}, +#endif +#if defined(WITH_IMAEVM) || defined(WITH_FSVERITY) { "fskpath", '\0', POPT_ARG_STRING, &fileSigningKey, 0, N_("use file signing key "), N_("") }, @@ -59,7 +66,7 @@ static struct poptOption optionsTable[] = { POPT_TABLEEND }; -#ifdef WITH_IMAEVM +#if defined(WITH_IMAEVM) || defined(WITH_FSVERITY) static char *get_fskpass(void) { struct termios flags, tmp_flags; @@ -106,12 +113,12 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs) goto exit; } -#ifdef WITH_IMAEVM +#if defined(WITH_IMAEVM) || defined(WITH_FSVERITY) if (fileSigningKey) { rpmPushMacro(NULL, "_file_signing_key", NULL, fileSigningKey, RMIL_GLOBAL); } - if (sargs->signflags & RPMSIGN_FLAG_IMA) { + if (sargs->signflags & (RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY)) { char *fileSigningKeyPassword = NULL; char *key = rpmExpand("%{?_file_signing_key}", NULL); if (rstreq(key, "")) { @@ -165,8 +172,9 @@ int main(int argc, char *argv[]) argerror(_("no arguments given")); } -#ifdef WITH_IMAEVM - if (fileSigningKey && !(sargs.signflags & RPMSIGN_FLAG_IMA)) { +#if defined(WITH_IMAEVM) || defined(WITH_FSVERITY) + if (fileSigningKey && + !(sargs.signflags & (RPMSIGN_FLAG_IMA | RPMSIGN_FLAG_FSVERITY))) { argerror(_("--fskpath may only be specified when signing files")); } #endif diff --git a/sign/Makefile.am b/sign/Makefile.am index db774de0e..8d372915a 100644 --- a/sign/Makefile.am +++ b/sign/Makefile.am @@ -24,3 +24,8 @@ if WITH_IMAEVM librpmsign_la_SOURCES += rpmsignfiles.c rpmsignfiles.h librpmsign_la_LIBADD += @WITH_IMAEVM_LIB@ endif + +if WITH_FSVERITY +librpmsign_la_SOURCES += rpmsignverity.c rpmsignverity.h +librpmsign_la_LIBADD += @WITH_FSVERITY_LIB@ +endif diff --git a/sign/rpmsign.h b/sign/rpmsign.h index 7a770d879..2b8a10a1a 100644 --- a/sign/rpmsign.h +++ b/sign/rpmsign.h @@ -17,6 +17,7 @@ enum rpmSignFlags_e { RPMSIGN_FLAG_NONE = 0, RPMSIGN_FLAG_IMA = (1 << 0), RPMSIGN_FLAG_RPMV3 = (1 << 1), + RPMSIGN_FLAG_FSVERITY = (1 << 2), }; typedef rpmFlags rpmSignFlags; -- 2.27.0