Created attachment 1819906
PatchWork link: https://patchwork.kernel.org/project/linux-fscrypt/patch/20210828013037.2250639-1-olo@fb.com/

Description of problem:
The latest version of "fsverity-utils-1.4-2" in Fedora (originally from the kernel) doesn't support generating fsverity file signatures on hardware security modules (HSMs) and similar hardware tokens because of the requirement to directly access the private key file. This patch provides an implementation of PKCS#11 opaque key support through the OpenSSL pkcs11 engine, which allows us to use opaque keys confined in HSMs and similar hardware tokens without direct access to the key material, providing logical separation of the keys from the cryptographic operations performed using them.

Version-Release number of selected component (if applicable):
fsverity-utils-1.4-2.el8

How reproducible:
In the current kernel master version it requires both "--key" and "--cert" files:

$ ./fsverity sign dummy dummy.sig --cert=ca-cert.pem
ERROR: Missing --key argument
Usage:
    fsverity sign FILE OUT_SIGFILE --key=KEYFILE
               [--hash-alg=HASH_ALG] [--block-size=BLOCK_SIZE] [--salt=SALT]
               [--out-merkle-tree=FILE] [--out-descriptor=FILE]
               [--cert=CERTFILE]

With this patch, the signing will succeed, and a test is available in the patch.

Steps to Reproduce:
1. With current fsverity-utils 1.4, try signing for fsverity signatures without --key specified
2.
3.

Actual results:
ERROR: Missing --key argument

Expected results:
With PKCS#11 support, by specifying the pkcs11 engine and module, it can still generate fsverity signatures properly even without --key specified.

Additional info:
I created a pull request: https://src.fedoraproject.org/rpms/fsverity-utils/pull-request/4

And produced a scratch build (for EPEL 8): https://koji.fedoraproject.org/koji/taskinfo?taskID=75028455

Can you please check the PR to confirm the patch is correct, and test the packages to confirm the feature works as expected?

Cheers!
Filipe
I updated the pull request: https://src.fedoraproject.org/rpms/fsverity-utils/pull-request/4

To use a backport of the commit that made it upstream: https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git/commit/?id=66b1d8a276cb3836ac275cb9f3f6517a07462737

I'm planning to merge the PR tomorrow, so if you have any objections please comment here or on the PR.
FEDORA-2021-cef3f68bd4 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-cef3f68bd4
FEDORA-EPEL-2021-a2d5955810 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-a2d5955810
I merged the PR and built new packages for fsverity-utils including this feature. Pushed it to:
- FC36 (Rawhide)
- FC35 (https://bodhi.fedoraproject.org/updates/FEDORA-2021-cef3f68bd4)
- EPEL8 (https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-a2d5955810)
FEDORA-2021-cef3f68bd4 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-cef3f68bd4`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-cef3f68bd4

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2021-a2d5955810 has been pushed to the Fedora EPEL 8 stable repository.
If the problem still persists, please make note of it in this bug report.
FEDORA-2021-cef3f68bd4 has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.
FEDORA-2021-0be0d9381f has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-0be0d9381f
FEDORA-2021-0be0d9381f has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-0be0d9381f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-0be0d9381f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-0be0d9381f has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.