0.192-5

- Enable debuginfod IMA verification - Add elfutils-0.192-fix-configure-conditional.patch - Add elfutils-0.192-skip-ima-test.patch Resolves: RHEL-69472
2024-12-12 17:01:41 -05:00 · 2024-12-12 17:01:41 -05:00 · 9f0d1325fb
commit 9f0d1325fb
parent 9dfd07e7df
3 changed files with 96 additions and 2 deletions
--- a/elfutils-0.192-fix-configure-conditional.patch
+++ b/elfutils-0.192-fix-configure-conditional.patch
@ -0,0 +1,26 @@
+From fb4753feb0ed7e3387f52b54bb02c6c74aac6a3e Mon Sep 17 00:00:00 2001
+From: Aaron Merey <amerey@redhat.com>
+Date: Tue, 29 Oct 2024 14:54:10 -0400
+Subject: [PATCH] Fix ENABLE_DEBUGINFOD_IMA_VERIFICATION always
+evaluating to false
+
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index f191488..3d2d3ee 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -892,7 +892,7 @@ AS_IF([test "x$enable_debuginfod" != "xno"],AC_DEFINE([ENABLE_DEBUGINFOD],[1],[B
+ AM_CONDITIONAL([DEBUGINFOD],[test "x$enable_debuginfod" = "xyes"])
+ AS_IF([test "x$enable_debuginfod_ima_verification" = "xyes"],AC_DEFINE([ENABLE_IMA_VERIFICATION],[1],[Build IMA verification]))
+ AS_IF([test "x$have_libarchive" = "xyes"],AC_DEFINE([HAVE_LIBARCHIVE],[1],[Define to 1 if libarchive is available]))
+-AM_CONDITIONAL([ENABLE_IMA_VERIFICATION],[test "$enable_debuginfod_ima_verification" = "xyes"])
+AM_CONDITIONAL([ENABLE_IMA_VERIFICATION],[test "x$enable_debuginfod_ima_verification" = "xyes"])
+ AM_CONDITIONAL([OLD_LIBMICROHTTPD],[test "x$old_libmicrohttpd" = "xyes"])
+ 
+ dnl for /etc/profile.d/elfutils.{csh,sh}
+-- 
+2.47.0
+
--- a/elfutils-0.192-skip-ima-test.patch
+++ b/elfutils-0.192-skip-ima-test.patch
@ -0,0 +1,48 @@
+From 36bd0ffe72f63a187902679823dfd50510bf7300 Mon Sep 17 00:00:00 2001
+From: Aaron Merey <amerey@redhat.com>
+Date: Fri, 13 Dec 2024 11:14:39 -0500
+Subject: [PATCH] run-debuginfod-ima-verification.sh: Skip test 4
+
+Test 4 requires `rpmsign --delfilesign` to remove IMA signatures.
+RHEL 9 rpmsign does not currently support delfilesign, so skip this
+test for now.
+---
+ tests/run-debuginfod-ima-verification.sh | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/tests/run-debuginfod-ima-verification.sh b/tests/run-debuginfod-ima-verification.sh
+index d582af5f..a5e6eeb2 100755
+--- a/tests/run-debuginfod-ima-verification.sh
+++ b/tests/run-debuginfod-ima-verification.sh
+@@ -127,17 +127,17 @@ RC=0
+ testrun ${abs_top_builddir}/debuginfod/debuginfod-find executable $RPM_BUILDID || RC=1
+ test $RC -ne 0
+ 
+-echo Test 4: A rpm without a signature will fail
+-cp signed.rpm R/signed.rpm
+-rpmsign --delfilesign R/signed.rpm
+-rm -rf $DEBUGINFOD_CACHE_PATH # clean it from previous tests
+-kill -USR1 $PID1
+-wait_ready $PORT1 'thread_work_total{role="traverse"}' 4
+-wait_ready $PORT1 'thread_work_pending{role="scan"}' 0
+-wait_ready $PORT1 'thread_busy{role="scan"}' 0
+-RC=0
+-testrun ${abs_top_builddir}/debuginfod/debuginfod-find executable $RPM_BUILDID || RC=1
+-test $RC -ne 0
+#echo Test 4: A rpm without a signature will fail
+#cp signed.rpm R/signed.rpm
+#rpmsign --delfilesign R/signed.rpm
+#rm -rf $DEBUGINFOD_CACHE_PATH # clean it from previous tests
+#kill -USR1 $PID1
+#wait_ready $PORT1 'thread_work_total{role="traverse"}' 4
+#wait_ready $PORT1 'thread_work_pending{role="scan"}' 0
+#wait_ready $PORT1 'thread_busy{role="scan"}' 0
+#RC=0
+#testrun ${abs_top_builddir}/debuginfod/debuginfod-find executable $RPM_BUILDID || RC=1
+#test $RC -ne 0
+ 
+ echo Test 5: Only tests 1,2 will result in extracted signature
+ [[ $(curl -s http://127.0.0.1:$PORT1/metrics | grep 'http_responses_total{extra="ima-sigs-extracted"}' | awk '{print $NF}') -eq 2 ]]
+-- 
+2.47.1
+
--- a/elfutils.spec
+++ b/elfutils.spec
@ -4,7 +4,7 @@

 Name: elfutils
 Version: 0.192
-%global baserelease 2
+%global baserelease 3
 Release: %{baserelease}%{?dist}
 URL: http://elfutils.org/
 %global source_url ftp://sourceware.org/pub/elfutils/%{version}/
@ -60,6 +60,12 @@ BuildRequires: curl
 # For run-debuginfod-response-headers.sh test case
 BuildRequires: socat

+# For debuginfod rpm IMA verification
+BuildRequires: rpm-devel
+BuildRequires: ima-evm-utils-devel
+BuildRequires: openssl-devel
+BuildRequires: rpm-sign
+
 # For eu-stacktrace
 %if %{enable_stacktrace}
 BuildRequires: sysprof-capture-devel
@ -92,6 +98,12 @@ Patch1: elfutils-0.192-libelf-static.patch
 # Fix eu-stacktrace LTO build error.
 Patch2: elfutils-0.192-stacktrace-lto.patch

+# Fix configure.ac setting ENABLE_DEBUGINFOD_IMA_VERIFICATION.
+Patch3: elfutils-0.192-fix-configure-conditional.patch
+
+# Skip IMA test not currently supported in RHEL 9.
+Patch4: elfutils-0.192-skip-ima-test.patch
+
 %description
 Elfutils is a collection of utilities, including stack (to show
 backtraces), nm (for listing symbols from object files), size
@ -325,7 +337,9 @@ trap 'cat config.log' EXIT
 %if %{enable_stacktrace}
 	--enable-stacktrace \
 %endif
-	--enable-debuginfod
+	--enable-debuginfod \
+	--enable-debuginfod-ima-verification \
+	--enable-debuginfod-ima-cert-path=%{_sysconfdir}/keys/ima
 trap '' EXIT
 %make_build

@ -479,6 +493,7 @@ fi
 %config(noreplace) %{_datadir}/fish/vendor_conf.d/*
 %if 0%{?centos} >= 8
 %{_sysconfdir}/debuginfod/*.urls
+%{_sysconfdir}/debuginfod/*.certpath
 %endif

 %files debuginfod-client-devel
@ -518,6 +533,11 @@ exit 0
 %systemd_postun_with_restart debuginfod.service

 %changelog
+* Fri Dec 13 2024 Aaron Merey <amerey@redhat.com> - 0.192-5
+- Enable debuginfod IMA verification
+- Add elfutils-0.192-fix-configure-conditional.patch
+- Add elfutils-0.192-skip-ima-test.patch
+
 * Thu Oct 24 2024 Aaron Merey <amerey@redhat.com> - 0.192-2
 - Enable eu-stacktrace on x86_64
 - Add elfutils-0.192-stacktrace-lto.patch