
fips: More portable integrity check.
dcc6979fd2ed


Not On Permanent Ref: This commit is not an ancestor of any permanent ref.

Description

fips: More portable integrity check.

* src/Makefile.am (EXTRA_DIST): Change the name of the script.
(libgcrypt.la.done): Invoke OBJCOPY with --add-section.
(libgcrypt.so.hmac): Specify ECHO_N.
* src/fips.c (get_file_offset): Rename from get_file_offsets.
Find the note section and return the value in HMAC.
(hmac256_check): Simplify by HMAC from the note section, not loaded.
(check_binary_integrity): Use dladdr instead of dladdr1.
* src/gen-note-integrity.sh: Rename from genhmac.sh.
Generate ElfN_Nhdr, and then the hmac.

Backport master commit of:
a340e980388243ceae6df57d101036f3f2a955be

The idea of use of .note is by Daiki Ueno.

https://gitlab.com/dueno/integrity-notes

Further, instead of NOTE segment loaded onto memory, use noload
section in the file.

Thanks to Clemens Lang for initiating this direction of improvement.

The namespace "FDO" would need to be changed.

  • GnuPG-bug-id: T5835
  • Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
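As an added illustration of the scheme the commit message describes (this is not code from libgcrypt, gen-note-integrity.sh or this commit): the build embeds an ELF note whose descriptor is the HMAC, and the runtime check finds that note in the file and compares it with an HMAC recomputed over the bytes that are actually loaded, the note itself living in a noload section. The note type, key and sample bytes below are constructed placeholders; the real layout and HMAC input are defined by src/gen-note-integrity.sh and src/fips.c.

```python
import hashlib
import hmac
import struct

# On-disk ELF note header (Elf32_Nhdr and Elf64_Nhdr share this layout): three
# uint32 fields, then the owner name and descriptor, each padded to 4 bytes.
NHDR = struct.Struct("<III")       # little-endian assumed
NOTE_OWNER = "FDO"                 # namespace named in the commit message
NT_INTEGRITY_PLACEHOLDER = 0x1234  # placeholder type, not libgcrypt's real value

def _align4(n): return (n + 3) & ~3

def build_note(owner, ntype, desc):
    """Serialize one note entry the way a generator script would emit it."""
    name = owner.encode() + b"\0"  # namesz counts the NUL terminator
    body = NHDR.pack(len(name), len(desc), ntype)
    body += name.ljust(_align4(len(name)), b"\0")
    return body + desc.ljust(_align4(len(desc)), b"\0")

def parse_notes(blob):
    """Yield (owner, type, desc) for every entry; reject truncated data."""
    off = 0
    while off < len(blob):
        if off + NHDR.size > len(blob):
            raise ValueError("truncated note header")
        namesz, descsz, ntype = NHDR.unpack_from(blob, off)
        off += NHDR.size
        end = off + _align4(namesz) + _align4(descsz)
        if end > len(blob):
            raise ValueError("truncated note body")
        owner = blob[off:off + namesz].rstrip(b"\0").decode()
        desc_off = off + _align4(namesz)
        yield owner, ntype, blob[desc_off:desc_off + descsz]
        off = end

def stored_hmac(blob):
    """Return the HMAC descriptor from the integrity note, or None."""
    for owner, ntype, desc in parse_notes(blob):
        if owner == NOTE_OWNER and ntype == NT_INTEGRITY_PLACEHOLDER:
            return desc
    return None

def compute_hmac(key, data):
    """HMAC-SHA256 over the bytes that are actually loaded (the note is not)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def check_integrity(loaded_bytes, note_blob, key):
    """Recompute the HMAC and compare, in constant time, with the stored one."""
    stored = stored_hmac(note_blob)
    return stored is not None and hmac.compare_digest(stored, compute_hmac(key, loaded_bytes))
```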

Details

Provenance
gniibe, authored on Feb 16 2022, 12:08 PM
Parents
rC974f4c7e698b: fips: Integrity check improvement, with only loadable segments.