Enable both IMA and EVM file signatures with a new --v3 option that sets the previously introduced global variable that states which signature version to use.
Similarly, introduce a --v2 option for users to (already) choose old V2 type of signatures. Update the README with the dump of the evmctl help screen and mention v3 signature format that is expected for Linux 7.1. Signed-off-by: Stefan Berger <[email protected]> --- README | 6 ++++-- src/evmctl.c | 10 ++++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/README b/README index 815b555..34dfddf 100644 --- a/README +++ b/README @@ -84,6 +84,8 @@ OPTIONS --provider p preload OpenSSL provider (such as: pkcs11) --ignore-violations ignore ToMToU measurement violations --hmackey path to symmetric key (default: /etc/keys/evm-key-plain) + --v2 create V2 signatures; this is the default + --v3 create V3 signatures; this requires Linux 7.1 or later -v increase verbosity level -h, --help display this help and exit @@ -139,7 +141,7 @@ evmctl '--smack' options enables that. Key and signature formats ------------------------- -Linux integrity subsystem supports two type of signature and respectively two +Linux integrity subsystem supports three types of signature and respectively two key formats. First key format (v1) is pure RSA key encoded in PEM a format and uses own signature @@ -149,7 +151,7 @@ for signing and importing the key. Second key format uses X509 DER encoded public key certificates and uses asymmetric key support in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default). -For v2 signatures x509 certificate (containing the public key) could be appended to the +For v2 and v3 signatures x509 certificate (containing the public key) could be appended to the private key (they both are in PEM format) to automatically extract keyid from its Subject Key Identifier (SKID). diff --git a/src/evmctl.c b/src/evmctl.c index aab5af9..2843ff8 100644 --- a/src/evmctl.c +++ b/src/evmctl.c 
@@ -3017,6 +3017,8 @@ static void usage(void) #ifdef DEBUG " --hmackey path to symmetric key (default: /etc/keys/evm-key-plain)\n" #endif + " --v2 create V2 signatures; this is the default\n" + " --v3 create V3 signatures; this requires Linux 7.1 or later\n" " -v increase verbosity level\n" " -h, --help display this help and exit\n" "\n" @@ -3092,6 +3094,8 @@ static struct option opts[] = { #if CONFIG_IMA_EVM_PROVIDER {"provider", 1, 0, 149}, #endif + {"v2", 0, 0, 150}, + {"v3", 0, 0, 151}, {} }; @@ -3370,6 +3374,12 @@ int main(int argc, char *argv[]) access_info.type = IMAEVM_OSSL_ACCESS_TYPE_PROVIDER; break; #endif + case 150: /* --v2 */ + g_signature_version = SIGNATURE_V2; + break; + case 151: /* --v3 */ + g_signature_version = SIGNATURE_V3; + break; case '?': exit(1); break; -- 2.53.0
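Review bot: in the README "Key and signature formats" hunk, "three types of signature and respectively two key formats" no longer reads correctly: "respectively" implied a one-to-one pairing of signature versions with key formats, and with v3 added there are three signature versions but still two key formats. Suggest "three signature versions (v1, v2 and v3) and two key formats", plus one sentence stating that v3 signatures use the second (X509) key format like v2, which the later "For v2 and v3 signatures x509 certificate" hunk implies but the paragraph never says.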
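Review bot: in the main() hunk, case 150 and case 151 both assign g_signature_version with no conflict detection, so "--v2 --v3" on one command line silently ends with whichever option came last. Either reject the combination with an error or state the last-wins behaviour in the usage() text. Nothing in the patch warns a user who selects --v3 on a kernel older than the Linux 7.1 the README hunk requires; a verbosity-gated message when SIGNATURE_V3 is selected would help operators understand why v3-signed files later fail to verify on an older kernel.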
