authorRyan Goldberg <[email protected]>2023-08-14 13:51:00 -0400
committerFrank Ch. Eigler <[email protected]>2024-05-10 12:18:17 -0400
commit915776dc4ab9308a5c62c42e72b5bd15b7012753 (patch)
tree8915f5453c03a8ecfc563cfc559e989ea562c385 /configure.ac
parent1d69b0f46215960bd9487cf68dba92d88573eed2 (diff)
debuginfod: PR28204 - RPM IMA per-file signature verification
Recent versions of Fedora/RHEL include per-file cryptographic signatures in RPMs, not just an overall RPM signature. This work extends debuginfod client & server to extract, transfer, and verify those signatures. These allow clients to assure users that the downloaded files have not been corrupted since their original packaging. Downloads that fail the test are rejected. Clients may select a desired level of enforcement for sets of URLs in the DEBUGINFOD_URLS by inserting special markers ahead of them: ima:ignore pay no attention to absence or presence of signatures ima:enforcing require every file to be correctly signed The default is ima:ignore mode. In ima:enforcing mode, section queries are forced to be entire-file downloads, as it is not possible to crypto-verify just sections. IMA signatures are verified against a set of signing certificates. These are normally published by distributions. The environment variable $DEBUGINFOD_IMA_CERT_PATH contains a colon-separated path for finding DER or PEM formatted certificates / public keys. These certificates are assumed trusted. The profile.d scripts transcribe /etc/debuginfod/*.certdir files into that variable. As for implementation: * configure.ac: Add --enable-debuginfod-ima-verification parameter. Add --enable-default-ima-cert-path=PATH parameter. Check for libimaevm (using headers only). * config/Makefile.am: Install defaults into /etc files. * config/profile.{csh,sh}.in: Process defaults into env variables. * config/elfutils.spec.in: Add more buildrequires. * debuginfod/debuginfod.cxx (handle_buildid_r_match): Added extraction of the per-file IMA signature for the queried file and store in http header. (find_globbed_koji_filepath): New function. (parse_opt): New flag --koji-sigcache. * debuginfod/debuginfod-client.c (debuginfod_query_server): Added policy for validating IMA signatures (debuginfod_validate_imasig): New function, with friends. * debuginfod/debuginfod.h.in: Added DEBUGINFOD_IMA_CERT_PATH_ENV_VAR. 
* debuginfod/Makefile.am: Add linker flags for rpm and crypto. * doc/debuginfod-client-config.7: Document DEBUGINFOD_IMA_CERT_PATH, update DEBUGINFOD_URLS. * doc/debuginfod.8: Document --koji-sigcache. * doc/debuginfod-find.1, doc/debuginfod_find_debuginfo.3: Update SECURITY. * tests/run-debuginfod-ima-verification.sh: New test. * tests/debuginfod-ima: Some new files for the tests. * tests/Makefile.am: run/distribute them. Signed-off-by: Ryan Goldberg <[email protected]> Signed-off-by: Frank Ch. Eigler <[email protected]>
Diffstat (limited to 'configure.ac')
-rw-r--r--configure.ac48
1 files changed, 47 insertions, 1 deletions
diff --git a/configure.ac b/configure.ac
index 2aa728bd..5adf7667 100644
--- a/configure.ac
+++ b/configure.ac
@@ -671,6 +671,41 @@ case "$ac_cv_search__obstack_free" in
esac
AC_SUBST([obstack_LIBS])
+enable_ima_verification="x"
+AC_CHECK_LIB(rpm, headerGet, [
+ AC_CHECK_DECL(RPMSIGTAG_FILESIGNATURES,
+ [
+ enable_ima_verification=$enable_ima_verification"rpm"
+ AC_SUBST(rpm_LIBS, '-lrpm -lrpmio')
+ ],
+ [], [#include <rpm/rpmlib.h>])
+])
+
+dnl we use only the header, not the code of this library
+AC_CHECK_HEADER(imaevm.h, [
+ enable_ima_verification=$enable_ima_verification"imaevm"
+])
+
+AC_CHECK_LIB(crypto, EVP_MD_CTX_new, [
+ enable_ima_verification=$enable_ima_verification"crypto"
+ AC_SUBST(crypto_LIBS, '-lcrypto')
+])
+
+AC_ARG_ENABLE(debuginfod-ima-verification,
+ [AS_HELP_STRING([--enable-debuginfod-ima-verification],[enable per-file signature verification])],
+ [want_ima_verification=$enableval],[want_ima_verification=auto])
+
+debuginfod_ima_verification_enabled="no"
+if test "x$want_ima_verification" = "xno"; then
+ enable_ima_verification=nope # indicate failure of prerequisites for AM_CONDITIONAL below
+elif test "$enable_ima_verification" = "xrpmimaevmcrypto"; then
+ debuginfod_ima_verification_enabled="yes"
+ AC_DEFINE([ENABLE_IMA_VERIFICATION], [1], [Define if the required ima verification libraries are available])
+elif test "x$want_ima_verification" = "xyes"; then
+ AC_MSG_ERROR("missing prerequisites for ima verification")
+fi
+AM_CONDITIONAL([ENABLE_IMA_VERIFICATION],[test "$enable_ima_verification" = "xrpmimaevmcrypto"])
+
dnl The directories with content.
dnl Documentation.
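Review bot: With the default `auto` setting, a build host that lacks any one of librpm (with `RPMSIGTAG_FILESIGNATURES`), `imaevm.h` or libcrypto falls through the `if`/`elif` chain and configures with verification compiled out, and the only trace is the summary line printed at the end of configure. Builds that are meant to ship signature checking should pass `--enable-debuginfod-ima-verification` explicitly so that a missing prerequisite becomes a configure error rather than a silently weaker client. That error does not say which prerequisite failed, and its double quotes are not m4 quoting, so they end up in the printed message; `AC_MSG_ERROR([missing prerequisites for ima verification: need librpm with RPMSIGTAG_FILESIGNATURES, imaevm.h and libcrypto])` would be clearer. A `dnl` comment above `enable_ima_verification="x"` saying that the string gains one token per satisfied check and must equal `xrpmimaevmcrypto` would make the encoding obvious to the next reader.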
@@ -884,7 +919,17 @@ AC_ARG_ENABLE(debuginfod-urls,
default_debuginfod_urls="${enableval}";
fi],
[default_debuginfod_urls=""])
-AC_SUBST(DEBUGINFOD_URLS, $default_debuginfod_urls)
+AC_SUBST(DEBUGINFOD_URLS, $default_debuginfod_urls)
+
+AC_ARG_ENABLE(debuginfod-ima-cert-path,
+ [AS_HELP_STRING([--enable-debuginfod-ima-cert-path@<:@=PATH@:>@],[add PATH to profile.d DEBUGINFOD_IMA_CERT_PATH])],
+ [if test "x${enableval}" = "xyes";
+ then AC_MSG_ERROR([PATH required])
+ elif test "x${enableval}" != "xno"; then
+ default_debuginfod_ima_cert_path="${enableval}";
+ fi],
+ [default_debuginfod_ima_cert_path=""])
+AC_SUBST(DEBUGINFOD_IMA_CERT_PATH, $default_debuginfod_ima_cert_path)
AC_CONFIG_FILES([config/profile.sh config/profile.csh config/profile.fish])
AC_OUTPUT
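Review bot: The PATH given to `--enable-debuginfod-ima-cert-path` becomes the default location of certificates that the commit message says are assumed trusted, yet the new `AC_ARG_ENABLE` block accepts any string other than `yes`/`no` without checking it. Rejecting entries that are not absolute would be a cheap safeguard, since how the client resolves a relative entry is not visible in this hunk and a trust-anchor location should not depend on the working directory. In the `no` branch `default_debuginfod_ima_cert_path` is never assigned, so `AC_SUBST` picks up whatever value configure inherited from its environment; a line `default_debuginfod_ima_cert_path=""` ahead of the `AC_ARG_ENABLE` call closes that gap. The commit message lists this option as `--enable-default-ima-cert-path`, which does not match the name defined here.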
@@ -924,6 +969,7 @@ AC_MSG_NOTICE([
libdebuginfod client support : ${enable_libdebuginfod}
Debuginfod server support : ${enable_debuginfod}
Default DEBUGINFOD_URLS : ${default_debuginfod_urls}
+ Debuginfod RPM sig checking : ${debuginfod_ima_verification_enabled} ${default_debuginfod_ima_cert_path}
EXTRA TEST FEATURES (used with make check)
have bunzip2 installed (required) : ${HAVE_BUNZIP2}