tree: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity.ima-sigv3-support-1 head: 9037cd4a36eb9554fb5968a4c1a990d44843190b commit: d45011bbc88d112e7eea4dbb9a1b3b0081d0b30a [13/15] ima: Define asymmetric_verify_v3() to verify IMA sigv3 signatures config: i386-buildonly-randconfig-005-20260317 (https://download.01.org/0day-ci/archive/20260317/[email protected]/config) compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260317/[email protected]/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <[email protected]> | Closes: https://lore.kernel.org/oe-kbuild-all/[email protected]/ All errors (new ones prefixed by >>): >> security/integrity/evm/evm_main.c:270:6: error: too many arguments to >> function call, expected 5, have 6 267 | rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, | ~~~~~~~~~~~~~~~~~~~~~~~ 268 | (const char *)xattr_data, xattr_len, 269 | digest.digest, digest.hdr.length, 270 | digest.hdr.algo); | ^~~~~~~~~~~~~~~ security/integrity/evm/../integrity.h:143:19: note: 'integrity_digsig_verify' declared here 143 | static inline int integrity_digsig_verify(const unsigned int id, | ^ ~~~~~~~~~~~~~~~~~~~~~~ 144 | const char *sig, int siglen, | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 145 | const char *digest, int digestlen) | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1 error generated. vim +270 security/integrity/evm/evm_main.c 172 173 /* 174 * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr 175 * 176 * Compute the HMAC on the dentry's protected set of extended attributes 177 * and compare it against the stored security.evm xattr. 178 * 179 * For performance: 180 * - use the previously retrieved xattr value and length to calculate the 181 * HMAC.) 182 * - cache the verification result in the iint, when available. 183 * 184 * Returns integrity status 185 */ 186 static enum integrity_status evm_verify_hmac(struct dentry *dentry, 187 const char *xattr_name, 188 char *xattr_value, 189 size_t xattr_value_len) 190 { 191 struct evm_ima_xattr_data *xattr_data = NULL; 192 struct signature_v2_hdr *hdr; 193 enum integrity_status evm_status = INTEGRITY_PASS; 194 struct evm_digest digest; 195 struct inode *inode = d_backing_inode(dentry); 196 struct evm_iint_cache *iint = evm_iint_inode(inode); 197 int rc, xattr_len, evm_immutable = 0; 198 199 if (iint && (iint->evm_status == INTEGRITY_PASS || 200 iint->evm_status == INTEGRITY_PASS_IMMUTABLE)) 201 return iint->evm_status; 202 203 /* 204 * On unsupported filesystems without EVM_INIT_X509 enabled, skip 205 * signature verification. 206 */ 207 if (!(evm_initialized & EVM_INIT_X509) && 208 is_unsupported_hmac_fs(dentry)) 209 return INTEGRITY_UNKNOWN; 210 211 /* if status is not PASS, try to check again - against -ENOMEM */ 212 213 /* first need to know the sig type */ 214 rc = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, XATTR_NAME_EVM, 215 (char **)&xattr_data, 0, GFP_NOFS); 216 if (rc <= 0) { 217 evm_status = INTEGRITY_FAIL; 218 if (rc == -ENODATA) { 219 rc = evm_find_protected_xattrs(dentry); 220 if (rc > 0) 221 evm_status = INTEGRITY_NOLABEL; 222 else if (rc == 0) 223 evm_status = INTEGRITY_NOXATTRS; /* new file */ 224 } else if (rc == -EOPNOTSUPP) { 225 evm_status = INTEGRITY_UNKNOWN; 226 } 227 goto out; 228 } 229 230 xattr_len = rc; 231 232 /* check value type */ 233 switch (xattr_data->type) { 234 case EVM_XATTR_HMAC: 235 if (xattr_len != sizeof(struct evm_xattr)) { 236 evm_status = INTEGRITY_FAIL; 237 goto out; 238 } 239 240 digest.hdr.algo = HASH_ALGO_SHA1; 241 rc = evm_calc_hmac(dentry, xattr_name, xattr_value, 242 xattr_value_len, &digest, iint); 243 if (rc) 244 break; 245 rc = crypto_memneq(xattr_data->data, digest.digest, 246 SHA1_DIGEST_SIZE); 247 if (rc) 248 rc = -EINVAL; 249 break; 250 case EVM_XATTR_PORTABLE_DIGSIG: 251 evm_immutable = 1; 252 fallthrough; 253 case EVM_IMA_XATTR_DIGSIG: 254 /* accept xattr with non-empty signature field */ 255 if (xattr_len <= sizeof(struct signature_v2_hdr)) { 256 evm_status = INTEGRITY_FAIL; 257 goto out; 258 } 259 260 hdr = (struct signature_v2_hdr *)xattr_data; 261 digest.hdr.algo = hdr->hash_algo; 262 rc = evm_calc_hash(dentry, xattr_name, xattr_value, 263 xattr_value_len, xattr_data->type, &digest, 264 iint); 265 if (rc) 266 break; 267 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 268 (const char *)xattr_data, xattr_len, 269 digest.digest, digest.hdr.length, > 270 digest.hdr.algo); 271 if (!rc) { 272 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) { 273 if (iint) 274 iint->flags |= EVM_IMMUTABLE_DIGSIG; 275 evm_status = INTEGRITY_PASS_IMMUTABLE; 276 } else if (!IS_RDONLY(inode) && 277 !(inode->i_sb->s_readonly_remount) && 278 !IS_IMMUTABLE(inode) && 279 !is_unsupported_hmac_fs(dentry)) { 280 evm_update_evmxattr(dentry, xattr_name, 281 xattr_value, 282 xattr_value_len); 283 } 284 } 285 break; 286 default: 287 rc = -EINVAL; 288 break; 289 } 290 291 if (rc) { 292 if (rc == -ENODATA) 293 evm_status = INTEGRITY_NOXATTRS; 294 else if (evm_immutable) 295 evm_status = INTEGRITY_FAIL_IMMUTABLE; 296 else 297 evm_status = INTEGRITY_FAIL; 298 } 299 pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length, digest.hdr.length, 300 digest.digest); 301 out: 302 if (iint) 303 iint->evm_status = evm_status; 304 kfree(xattr_data); 305 return evm_status; 306 } 307 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
