Re: [PATCH v2 5/6] ima: support fs-verity file digest based signatures

From: Eric Biggers
Date: Mon Jan 10 2022 - 23:48:14 EST


On Mon, Jan 10, 2022 at 10:26:23PM -0500, Stefan Berger wrote:
>
> On 1/10/22 17:45, Eric Biggers wrote:
> > On Sun, Jan 09, 2022 at 01:55:16PM -0500, Mimi Zohar wrote:
> > > + case IMA_VERITY_DIGSIG:
> > > + set_bit(IMA_DIGSIG, &iint->atomic_flags);
> > > +
> > > + algo = iint->ima_hash->algo;
> > > + hash = kzalloc(sizeof(*hash) + hash_digest_size[algo],
> > > + GFP_KERNEL);
> > > + if (!hash) {
> > > + *cause = "verity-hashing-error";
> > > + *status = INTEGRITY_FAIL;
> > > + break;
> > > + }
> > > +
> > > + rc = calc_tbs_hash(IMA_VERITY_DIGSIG, iint->ima_hash->algo,
> > > + iint->ima_hash->digest, hash);
> > > + if (rc) {
> > > + *cause = "verity-hashing-error";
> > > + *status = INTEGRITY_FAIL;
> > > + break;
> > > + }
> > > +
> > > + rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
> > > + (const char *)xattr_value,
> > > + xattr_len, hash->digest,
> > > + hash->length);
> > This is still verifying a raw hash value, which is wrong as I've explained
> > several times. Yes, you are now hashing the hash algorithm ID together with the
> > original hash value, but at the end the thing being signed/verified is still a
> > raw hash value, which is ambigious.
> >
> > I think I see where the confusion is. If rsa-pkcs1pad is used, then the
> > asymmetric algorithm is parameterized by a hash algorithm, and this hash
> > algorithm's identifier is automatically built-in to the data which is
> > signed/verified. And the data being signed/verified is assumed to be a hash
> > value of the same type. So in this case, the caller doesn't need to handle
> > disambiguating raw hashes.
> >
> > However, asymmetric_verify() also supports ecdsa and ecrdsa signatures. As far
> > as I can tell, those do *not* have the hash algorithm identifier built-in to the
> > data which is signed/verified; they just sign/verify the data given. That
>
>
> The signatures are generated by evmctl by this code here, which works for
> RSA and ECDSA and likely also ECRDSA:
>
> https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/src/libimaevm.c#l1036
>
>    if (!EVP_PKEY_sign_init(ctx))
>         goto err;
>     st = "EVP_get_digestbyname";
>     if (!(md = EVP_get_digestbyname(algo)))
>         goto err;
>     st = "EVP_PKEY_CTX_set_signature_md";
>     if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
>         goto err;
>     st = "EVP_PKEY_sign";
>     sigsize = MAX_SIGNATURE_SIZE - sizeof(struct signature_v2_hdr) - 1;
>     if (!EVP_PKEY_sign(ctx, hdr->sig, &sigsize, hash, size))
>         goto err;
>     len = (int)sigsize;
>
> As far as I know, these are not raw signatures but generate the OIDs for RSA
> + shaXYZ or ECDSA + shaXYZ (1.2.840.10045.4.1 et al) and prepend them to the
> hash and then sign that.

As I said, this appears to be true for RSA but not for ECDSA or ECRDSA.

- Eric