|
 |
ac3a84 |
From 17cc25a2d7c2ebe75e18cf813d539e5997610e25 Mon Sep 17 00:00:00 2001
|
|
|
ac3a84 |
From: Frantisek Sumsal <frantisek@sumsal.cz>
|
|
|
ac3a84 |
Date: Fri, 2 Dec 2022 12:48:26 +0100
|
|
|
ac3a84 |
Subject: [PATCH] test: check if we can use SHA1 MD for signing before using it
|
|
|
ac3a84 |
|
|
|
ac3a84 |
Some distributions have started phasing out SHA1, which breaks
|
|
|
ac3a84 |
the systemd-measure test case in its current form. Let's make sure we
|
|
|
ac3a84 |
can use SHA1 for signing beforehand to mitigate this.
|
|
|
ac3a84 |
|
|
|
ac3a84 |
Spotted on RHEL 9, where SHA1 signatures are disallowed by [0]:
|
|
|
ac3a84 |
```
|
|
|
ac3a84 |
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "/tmp/pcrsign-private.pem"
|
|
|
ac3a84 |
...
|
|
|
ac3a84 |
openssl rsa -pubout -in "/tmp/pcrsign-private.pem" -out "/tmp/pcrsign-public.pem"
|
|
|
ac3a84 |
writing RSA key
|
|
|
ac3a84 |
/usr/lib/systemd/systemd-measure sign --current --bank=sha1 --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem"
|
|
|
ac3a84 |
Failed to initialize signature context.
|
|
|
ac3a84 |
```
|
|
|
ac3a84 |
|
|
|
ac3a84 |
[0] https://gitlab.com/redhat/centos-stream/rpms/openssl/-/blob/c9s/0049-Selectively-disallow-SHA1-signatures.patch
|
|
|
ac3a84 |
|
|
|
ac3a84 |
(cherry picked from commit d19e5540f20c78caa949ff33050b4a530cae1982)
|
|
|
ac3a84 |
|
|
|
ac3a84 |
Related: #2141979
|
|
|
ac3a84 |
---
|
|
|
ac3a84 |
test/units/testsuite-70.sh | 15 ++++++++++++---
|
|
|
ac3a84 |
1 file changed, 12 insertions(+), 3 deletions(-)
|
|
|
ac3a84 |
|
|
|
ac3a84 |
diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh
|
|
|
ac3a84 |
index b1cf7e83c4..89cd2a3f82 100755
|
|
|
ac3a84 |
--- a/test/units/testsuite-70.sh
|
|
|
ac3a84 |
+++ b/test/units/testsuite-70.sh
|
|
|
ac3a84 |
@@ -102,8 +102,17 @@ if [ -e /usr/lib/systemd/systemd-measure ] && \
|
|
|
ac3a84 |
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "/tmp/pcrsign-private.pem"
|
|
|
ac3a84 |
openssl rsa -pubout -in "/tmp/pcrsign-private.pem" -out "/tmp/pcrsign-public.pem"
|
|
|
ac3a84 |
|
|
|
ac3a84 |
+ MEASURE_BANKS=("--bank=sha256")
|
|
|
ac3a84 |
+ # Check if SHA1 signatures are supported
|
|
|
ac3a84 |
+ #
|
|
|
ac3a84 |
+ # Some distros have started phasing out SHA1, so make sure the SHA1
|
|
|
ac3a84 |
+ # signatures are supported before trying to use them.
|
|
|
ac3a84 |
+ if echo hello | openssl dgst -sign /tmp/pcrsign-private.pem -sha1 >/dev/null; then
|
|
|
ac3a84 |
+ MEASURE_BANKS+=("--bank=sha1")
|
|
|
ac3a84 |
+ fi
|
|
|
ac3a84 |
+
|
|
|
ac3a84 |
# Sign current PCR state with it
|
|
|
ac3a84 |
- /usr/lib/systemd/systemd-measure sign --current --bank=sha1 --bank=sha256 --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: | tee "/tmp/pcrsign.sig"
|
|
|
ac3a84 |
+ /usr/lib/systemd/systemd-measure sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: | tee "/tmp/pcrsign.sig"
|
|
|
ac3a84 |
dd if=/dev/urandom of=/tmp/pcrtestdata bs=1024 count=64
|
|
|
ac3a84 |
systemd-creds encrypt /tmp/pcrtestdata /tmp/pcrtestdata.encrypted --with-key=host+tpm2-with-public-key --tpm2-public-key="/tmp/pcrsign-public.pem"
|
|
|
ac3a84 |
systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" | cmp - /tmp/pcrtestdata
|
|
|
ac3a84 |
@@ -113,7 +122,7 @@ if [ -e /usr/lib/systemd/systemd-measure ] && \
|
|
|
ac3a84 |
systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" > /dev/null && { echo 'unexpected success'; exit 1; }
|
|
|
ac3a84 |
|
|
|
ac3a84 |
# Sign new PCR state, decrypting should work now.
|
|
|
ac3a84 |
- /usr/lib/systemd/systemd-measure sign --current --bank=sha1 --bank=sha256 --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: > "/tmp/pcrsign.sig2"
|
|
|
ac3a84 |
+ /usr/lib/systemd/systemd-measure sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: > "/tmp/pcrsign.sig2"
|
|
|
ac3a84 |
systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig2" | cmp - /tmp/pcrtestdata
|
|
|
ac3a84 |
|
|
|
ac3a84 |
# Now, do the same, but with a cryptsetup binding
|
|
|
ac3a84 |
@@ -135,7 +144,7 @@ if [ -e /usr/lib/systemd/systemd-measure ] && \
|
|
|
ac3a84 |
SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 $img - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1 && { echo 'unexpected success'; exit 1; }
|
|
|
ac3a84 |
|
|
|
ac3a84 |
# But once we sign the current PCRs, we should be able to unlock again
|
|
|
ac3a84 |
- /usr/lib/systemd/systemd-measure sign --current --bank=sha1 --bank=sha256 --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: > "/tmp/pcrsign.sig3"
|
|
|
ac3a84 |
+ /usr/lib/systemd/systemd-measure sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: > "/tmp/pcrsign.sig3"
|
|
|
ac3a84 |
SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 $img - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig3",headless=1
|
|
|
ac3a84 |
/usr/lib/systemd/systemd-cryptsetup detach test-volume2
|
|
|
ac3a84 |
SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 $img - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig3",headless=1
|