- Enable debuginfod IMA verification
- Add elfutils-0.192-fix-configure-conditional.patch
- Add elfutils-0.192-skip-ima-test.patch

Resolves: RHEL-69472
Aaron Merey 2024-12-12 17:01:41 -05:00
parent 9dfd07e7df
commit 9f0d1325fb
3 changed files with 96 additions and 2 deletions


@ -0,0 +1,26 @@
From fb4753feb0ed7e3387f52b54bb02c6c74aac6a3e Mon Sep 17 00:00:00 2001
From: Aaron Merey <amerey@redhat.com>
Date: Tue, 29 Oct 2024 14:54:10 -0400
Subject: [PATCH] Fix ENABLE_DEBUGINFOD_IMA_VERIFICATION always
evaluating to false
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index f191488..3d2d3ee 100644
--- a/configure.ac
+++ b/configure.ac
@@ -892,7 +892,7 @@ AS_IF([test "x$enable_debuginfod" != "xno"],AC_DEFINE([ENABLE_DEBUGINFOD],[1],[B
AM_CONDITIONAL([DEBUGINFOD],[test "x$enable_debuginfod" = "xyes"])
AS_IF([test "x$enable_debuginfod_ima_verification" = "xyes"],AC_DEFINE([ENABLE_IMA_VERIFICATION],[1],[Build IMA verification]))
AS_IF([test "x$have_libarchive" = "xyes"],AC_DEFINE([HAVE_LIBARCHIVE],[1],[Define to 1 if libarchive is available]))
-AM_CONDITIONAL([ENABLE_IMA_VERIFICATION],[test "$enable_debuginfod_ima_verification" = "xyes"])
+AM_CONDITIONAL([ENABLE_IMA_VERIFICATION],[test "x$enable_debuginfod_ima_verification" = "xyes"])
AM_CONDITIONAL([OLD_LIBMICROHTTPD],[test "x$old_libmicrohttpd" = "xyes"])
dnl for /etc/profile.d/elfutils.{csh,sh}
--
2.47.0
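Review bot: The patch subject names `ENABLE_DEBUGINFOD_IMA_VERIFICATION`, but the conditional corrected on the changed line is `AM_CONDITIONAL([ENABLE_IMA_VERIFICATION], ...)`, and the spec's Patch3 comment repeats the same wrong name; the subject should name the symbol actually touched. The patch also has no body, and a one-sentence explanation would help later readers, e.g. `Without the x prefix the test compared "yes" against "xyes" and never matched, so the automake conditional stayed false even when --enable-debuginfod-ima-verification was given.` The AC_DEFINE two lines above already used the `x` prefix, so the preprocessor symbol was set while whatever Makefile.am gates on the automake conditional was presumably omitted — a configuration that looks enabled but is not built is worth calling out explicitly in the message since it is a security feature. It is also worth confirming in the build log that run-debuginfod-ima-verification.sh now executes against this build rather than being skipped.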


@ -0,0 +1,48 @@
From 36bd0ffe72f63a187902679823dfd50510bf7300 Mon Sep 17 00:00:00 2001
From: Aaron Merey <amerey@redhat.com>
Date: Fri, 13 Dec 2024 11:14:39 -0500
Subject: [PATCH] run-debuginfod-ima-verification.sh: Skip test 4
Test 4 requires `rpmsign --delfilesign` to remove IMA signatures.
RHEL 9 rpmsign does not currently support delfilesign, so skip this
test for now.
---
tests/run-debuginfod-ima-verification.sh | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/tests/run-debuginfod-ima-verification.sh b/tests/run-debuginfod-ima-verification.sh
index d582af5f..a5e6eeb2 100755
--- a/tests/run-debuginfod-ima-verification.sh
+++ b/tests/run-debuginfod-ima-verification.sh
@@ -127,17 +127,17 @@ RC=0
testrun ${abs_top_builddir}/debuginfod/debuginfod-find executable $RPM_BUILDID || RC=1
test $RC -ne 0
-echo Test 4: A rpm without a signature will fail
-cp signed.rpm R/signed.rpm
-rpmsign --delfilesign R/signed.rpm
-rm -rf $DEBUGINFOD_CACHE_PATH # clean it from previous tests
-kill -USR1 $PID1
-wait_ready $PORT1 'thread_work_total{role="traverse"}' 4
-wait_ready $PORT1 'thread_work_pending{role="scan"}' 0
-wait_ready $PORT1 'thread_busy{role="scan"}' 0
-RC=0
-testrun ${abs_top_builddir}/debuginfod/debuginfod-find executable $RPM_BUILDID || RC=1
-test $RC -ne 0
+#echo Test 4: A rpm without a signature will fail
+#cp signed.rpm R/signed.rpm
+#rpmsign --delfilesign R/signed.rpm
+#rm -rf $DEBUGINFOD_CACHE_PATH # clean it from previous tests
+#kill -USR1 $PID1
+#wait_ready $PORT1 'thread_work_total{role="traverse"}' 4
+#wait_ready $PORT1 'thread_work_pending{role="scan"}' 0
+#wait_ready $PORT1 'thread_busy{role="scan"}' 0
+#RC=0
+#testrun ${abs_top_builddir}/debuginfod/debuginfod-find executable $RPM_BUILDID || RC=1
+#test $RC -ne 0
echo Test 5: Only tests 1,2 will result in extracted signature
[[ $(curl -s http://127.0.0.1:$PORT1/metrics | grep 'http_responses_total{extra="ima-sigs-extracted"}' | awk '{print $NF}') -eq 2 ]]
--
2.47.1
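Review bot: Commenting out Test 4 removes the only negative check in this hunk — that an RPM whose IMA signature has been stripped is rejected — and leaves no runtime record that it was skipped, so the suite will pass identically on a build where rejection is broken. A feature probe keeps the test live and re-enables it automatically once rpmsign gains the option, e.g. `if rpmsign --help 2>&1 | grep -q -- --delfilesign; then` before the original eleven lines and `else echo "Test 4 skipped: rpmsign lacks --delfilesign"; fi` after them (confirm that this rpmsign version lists the flag in its help output). Test 5's expectation of exactly 2 extracted signatures appears unaffected because, per its own echo line, only tests 1 and 2 extract a signature, but that dependency between the tests is worth a comment so the count is not silently wrong when Test 4 returns. The surrounding script begins and ends outside the hunk.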


@ -4,7 +4,7 @@
Name: elfutils
Version: 0.192
%global baserelease 2
%global baserelease 3
Release: %{baserelease}%{?dist}
URL: http://elfutils.org/
%global source_url ftp://sourceware.org/pub/elfutils/%{version}/
@ -60,6 +60,12 @@ BuildRequires: curl
# For run-debuginfod-response-headers.sh test case
BuildRequires: socat
# For debuginfod rpm IMA verification
BuildRequires: rpm-devel
BuildRequires: ima-evm-utils-devel
BuildRequires: openssl-devel
BuildRequires: rpm-sign
# For eu-stacktrace
%if %{enable_stacktrace}
BuildRequires: sysprof-capture-devel
@ -92,6 +98,12 @@ Patch1: elfutils-0.192-libelf-static.patch
# Fix eu-stacktrace LTO build error.
Patch2: elfutils-0.192-stacktrace-lto.patch
# Fix configure.ac setting ENABLE_DEBUGINFOD_IMA_VERIFICATION.
Patch3: elfutils-0.192-fix-configure-conditional.patch
# Skip IMA test not currently supported in RHEL 9.
Patch4: elfutils-0.192-skip-ima-test.patch
%description
Elfutils is a collection of utilities, including stack (to show
backtraces), nm (for listing symbols from object files), size
@ -325,7 +337,9 @@ trap 'cat config.log' EXIT
%if %{enable_stacktrace}
--enable-stacktrace \
%endif
--enable-debuginfod
--enable-debuginfod \
--enable-debuginfod-ima-verification \
--enable-debuginfod-ima-cert-path=%{_sysconfdir}/keys/ima
trap '' EXIT
%make_build
@ -479,6 +493,7 @@ fi
%config(noreplace) %{_datadir}/fish/vendor_conf.d/*
%if 0%{?centos} >= 8
%{_sysconfdir}/debuginfod/*.urls
%{_sysconfdir}/debuginfod/*.certpath
%endif
%files debuginfod-client-devel
@ -518,6 +533,11 @@ exit 0
%systemd_postun_with_restart debuginfod.service
%changelog
* Fri Dec 13 2024 Aaron Merey <amerey@redhat.com> - 0.192-5
- Enable debuginfod IMA verification
- Add elfutils-0.192-fix-configure-conditional.patch
- Add elfutils-0.192-skip-ima-test.patch
* Thu Oct 24 2024 Aaron Merey <amerey@redhat.com> - 0.192-2
- Enable eu-stacktrace on x86_64
- Add elfutils-0.192-stacktrace-lto.patch
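Review bot: The new changelog entry is labelled `0.192-5`, while the first hunk appears to move `%global baserelease` from 2 to 3 and the previous entry is `0.192-2`, so the changelog version no longer matches the Release that will be built; either the entry should read `- 0.192-3` or baserelease should be 5. Separately, the new `%{_sysconfdir}/debuginfod/*.certpath` entry sits inside the pre-existing `%if 0%{?centos} >= 8` guard, whereas `--enable-debuginfod-ima-cert-path=%{_sysconfdir}/keys/ima` is passed to configure unconditionally; if configure installs the certpath file on non-CentOS builds it would be left unpackaged, which is worth checking against the build log. Since that directory is the trust root debuginfod will use to verify rpm IMA signatures, a comment beside the configure flag such as `# Directory of IMA signing certificates trusted by debuginfod; must match the system's IMA keyring setup` would tell packagers what the path has to agree with.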