Re: [PATCH v2 1/3] ima-evm-utils: Allow manual setting keyid for signing

[Vitaly Chikunov <vt@altlinux.org>]

Stefan,

On Tue, May 04, 2021 at 08:51:03AM -0400, Stefan Berger wrote:
> > @@ -932,8 +932,10 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
> >   		return -1;
> >   	}
> > -	calc_keyid_v2(&keyid, name, pkey);
> > -	hdr->keyid = keyid;
> > +	if (imaevm_params.keyid)
> > +		hdr->keyid = htonl(imaevm_params.keyid);
> 
> 
> Nit: Since existing code uses __be32_to_cpup I would use __cpu_to_be32 here.

That __be32_to_cpup usage is highly dubious. Perhaps, it should be
converted to some user-space and standard functions like be32toh(3).

Even in the kernel you should use be32_to_cpup, not __be32_to_cpup.
The "__" prefix is for a reason.

Thanks,

> 
> 
> > +	else
> > +		calc_keyid_v2(&hdr->keyid, name, pkey);
> >   	st = "EVP_PKEY_CTX_new";
> >   	if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
> > diff --git a/tests/sign_verify.test b/tests/sign_verify.test
> > index 288e133..2c21812 100755
> > --- a/tests/sign_verify.test
> > +++ b/tests/sign_verify.test
> > @@ -359,6 +359,7 @@ sign_verify  rsa1024  sha256  0x0301 --rsa
> >   sign_verify  rsa1024  md5     0x030201:K:0080
> >   sign_verify  rsa1024  sha1    0x030202:K:0080
> >   sign_verify  rsa1024  sha224  0x030207:K:0080
> > +expect_pass check_sign TYPE=ima KEY=rsa1024 ALG=sha256 PREFIX=0x030204aabbccdd0080 OPTS=--keyid=aabbccdd
> >   sign_verify  rsa1024  sha256  0x030204:K:0080
> >     try_different_keys
> >     try_different_sigs
> 
> 
> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>