From 9f0d1325fbb107aa361fd92518dc1a96cc59818f Mon Sep 17 00:00:00 2001 From: Aaron Merey Date: Thu, 12 Dec 2024 17:01:41 -0500 Subject: [PATCH] 0.192-5 - Enable debuginfod IMA verification - Add elfutils-0.192-fix-configure-conditional.patch - Add elfutils-0.192-skip-ima-test.patch Resolves: RHEL-69472 --- ...tils-0.192-fix-configure-conditional.patch | 26 ++++++++++ elfutils-0.192-skip-ima-test.patch | 48 +++++++++++++++++++ elfutils.spec | 24 +++++++++- 3 files changed, 96 insertions(+), 2 deletions(-) create mode 100644 elfutils-0.192-fix-configure-conditional.patch create mode 100644 elfutils-0.192-skip-ima-test.patch diff --git a/elfutils-0.192-fix-configure-conditional.patch b/elfutils-0.192-fix-configure-conditional.patch new file mode 100644 index 0000000..dda720e --- /dev/null +++ b/elfutils-0.192-fix-configure-conditional.patch 
@@ -0,0 +1,26 @@ +From fb4753feb0ed7e3387f52b54bb02c6c74aac6a3e Mon Sep 17 00:00:00 2001 +From: Aaron Merey +Date: Tue, 29 Oct 2024 14:54:10 -0400 +Subject: [PATCH] Fix ENABLE_DEBUGINFOD_IMA_VERIFICATION always +evaluating to false + +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index f191488..3d2d3ee 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -892,7 +892,7 @@ AS_IF([test "x$enable_debuginfod" != "xno"],AC_DEFINE([ENABLE_DEBUGINFOD],[1],[B + AM_CONDITIONAL([DEBUGINFOD],[test "x$enable_debuginfod" = "xyes"]) + AS_IF([test "x$enable_debuginfod_ima_verification" = "xyes"],AC_DEFINE([ENABLE_IMA_VERIFICATION],[1],[Build IMA verification])) + AS_IF([test "x$have_libarchive" = "xyes"],AC_DEFINE([HAVE_LIBARCHIVE],[1],[Define to 1 if libarchive is available])) +-AM_CONDITIONAL([ENABLE_IMA_VERIFICATION],[test "$enable_debuginfod_ima_verification" = "xyes"]) ++AM_CONDITIONAL([ENABLE_IMA_VERIFICATION],[test "x$enable_debuginfod_ima_verification" = "xyes"]) + AM_CONDITIONAL([OLD_LIBMICROHTTPD],[test "x$old_libmicrohttpd" = "xyes"]) + + dnl for /etc/profile.d/elfutils.{csh,sh} +-- +2.47.0 + diff --git a/elfutils-0.192-skip-ima-test.patch b/elfutils-0.192-skip-ima-test.patch new file mode 100644 index 0000000..a887e62 --- /dev/null +++ b/elfutils-0.192-skip-ima-test.patch 
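Review bot: The patch subject `Fix ENABLE_DEBUGINFOD_IMA_VERIFICATION always evaluating to false` names a symbol that does not appear in the hunk; what is repaired is `AM_CONDITIONAL([ENABLE_IMA_VERIFICATION], ...)`, driven by the shell variable `enable_debuginfod_ima_verification`, and the `x`-prefix idiom being added is the one the AC_DEFINE line directly above already uses, so the one-character fix itself looks right. Retitle to `Fix ENABLE_IMA_VERIFICATION automake conditional always evaluating to false` so a later reader grepping for the macro finds this commit. The body should also state the consequence: before this change a configure run with `--enable-debuginfod-ima-verification` defined ENABLE_IMA_VERIFICATION for the compiler but never enabled the matching Makefile.am conditional; what that did to the produced debuginfod binary (build failure versus a quietly non-verifying build) is not visible here and is exactly what a packager enabling the feature needs to know.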
@@ -0,0 +1,48 @@ +From 36bd0ffe72f63a187902679823dfd50510bf7300 Mon Sep 17 00:00:00 2001 +From: Aaron Merey +Date: Fri, 13 Dec 2024 11:14:39 -0500 +Subject: [PATCH] run-debuginfod-ima-verification.sh: Skip test 4 + +Test 4 requires `rpmsign --delfilesign` to remove IMA signatures. +RHEL 9 rpmsign does not currently support delfilesign, so skip this +test for now. +--- + tests/run-debuginfod-ima-verification.sh | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/tests/run-debuginfod-ima-verification.sh b/tests/run-debuginfod-ima-verification.sh +index d582af5f..a5e6eeb2 100755 +--- a/tests/run-debuginfod-ima-verification.sh ++++ b/tests/run-debuginfod-ima-verification.sh +@@ -127,17 +127,17 @@ RC=0 + testrun ${abs_top_builddir}/debuginfod/debuginfod-find executable $RPM_BUILDID || RC=1 + test $RC -ne 0 + +-echo Test 4: A rpm without a signature will fail +-cp signed.rpm R/signed.rpm +-rpmsign --delfilesign R/signed.rpm +-rm -rf $DEBUGINFOD_CACHE_PATH # clean it from previous tests +-kill -USR1 $PID1 +-wait_ready $PORT1 'thread_work_total{role="traverse"}' 4 +-wait_ready $PORT1 'thread_work_pending{role="scan"}' 0 +-wait_ready $PORT1 'thread_busy{role="scan"}' 0 +-RC=0 +-testrun ${abs_top_builddir}/debuginfod/debuginfod-find executable $RPM_BUILDID || RC=1 +-test $RC -ne 0 ++#echo Test 4: A rpm without a signature will fail ++#cp signed.rpm R/signed.rpm ++#rpmsign --delfilesign R/signed.rpm ++#rm -rf $DEBUGINFOD_CACHE_PATH # clean it from previous tests ++#kill -USR1 $PID1 ++#wait_ready $PORT1 'thread_work_total{role="traverse"}' 4 ++#wait_ready $PORT1 'thread_work_pending{role="scan"}' 0 ++#wait_ready $PORT1 'thread_busy{role="scan"}' 0 ++#RC=0 ++#testrun ${abs_top_builddir}/debuginfod/debuginfod-find executable $RPM_BUILDID || RC=1 ++#test $RC -ne 0 + + echo Test 5: Only tests 1,2 will result in extracted signature + [[ $(curl -s http://127.0.0.1:$PORT1/metrics | grep 'http_responses_total{extra="ima-sigs-extracted"}' | 
awk '{print $NF}') -eq 2 ]] +-- +2.47.1 + diff --git a/elfutils.spec b/elfutils.spec index bc16325..c6668e4 100644 --- a/elfutils.spec +++ b/elfutils.spec @@ -4,7 +4,7 @@ Name: elfutils Version: 0.192 -%global baserelease 2 +%global baserelease 3 Release: %{baserelease}%{?dist} URL: http://elfutils.org/ %global source_url ftp://sourceware.org/pub/elfutils/%{version}/ @@ -60,6 +60,12 @@ BuildRequires: curl # For run-debuginfod-response-headers.sh test case BuildRequires: socat +# For debuginfod rpm IMA verification +BuildRequires: rpm-devel +BuildRequires: ima-evm-utils-devel +BuildRequires: openssl-devel +BuildRequires: rpm-sign + # For eu-stacktrace %if %{enable_stacktrace} BuildRequires: sysprof-capture-devel @@ -92,6 +98,12 @@ Patch1: elfutils-0.192-libelf-static.patch # Fix eu-stacktrace LTO build error. Patch2: elfutils-0.192-stacktrace-lto.patch +# Fix configure.ac setting ENABLE_DEBUGINFOD_IMA_VERIFICATION. +Patch3: elfutils-0.192-fix-configure-conditional.patch + +# Skip IMA test not currently supported in RHEL 9. +Patch4: elfutils-0.192-skip-ima-test.patch + %description Elfutils is a collection of utilities, including stack (to show backtraces), nm (for listing symbols from object files), size @@ -325,7 +337,9 @@ trap 'cat config.log' EXIT %if %{enable_stacktrace} --enable-stacktrace \ %endif - --enable-debuginfod + --enable-debuginfod \ + --enable-debuginfod-ima-verification \ + --enable-debuginfod-ima-cert-path=%{_sysconfdir}/keys/ima trap '' EXIT %make_build @@ -479,6 +493,7 @@ fi %config(noreplace) %{_datadir}/fish/vendor_conf.d/* %if 0%{?centos} >= 8 %{_sysconfdir}/debuginfod/*.urls +%{_sysconfdir}/debuginfod/*.certpath %endif %files debuginfod-client-devel 
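Review bot: Test 4 is the only negative case visible in this hunk that exercises the fail-closed path — an rpm whose IMA file signature has been stripped must be refused — and commenting the whole block out drops that coverage from the RHEL build unconditionally, not just where `rpmsign --delfilesign` is unavailable. A regression that let debuginfod serve an executable from an unsigned rpm would then pass this test file unnoticed. Prefer a runtime capability check that skips the block only when the installed rpmsign lacks the option, so the test keeps running wherever it can and resumes on RHEL 9 as soon as rpm-sign gains `--delfilesign`; the sketch below assumes `rpmsign --help` lists supported options, which should be confirmed against the RHEL 9 rpm. If any later test in this file (outside the hunk) waits on a `thread_work_total{role="traverse"}` count that assumed Test 4's extra `kill -USR1`, it needs the same guard.
```shell
if rpmsign --help 2>&1 | grep -q -- '--delfilesign'; then
  echo Test 4: A rpm without a signature will fail
  cp signed.rpm R/signed.rpm
  rpmsign --delfilesign R/signed.rpm
  # … unchanged: cache cleanup, kill -USR1 rescan, wait_ready checks …
  RC=0
  testrun ${abs_top_builddir}/debuginfod/debuginfod-find executable $RPM_BUILDID || RC=1
  test $RC -ne 0
else
  echo "Test 4: skipped, this rpmsign does not support --delfilesign"
fi
```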
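Review bot: `%global baserelease 3` does not agree with the new %changelog entry or the commit subject, which both say 0.192-5; the previous entry (0.192-2) matched the old `baserelease 2`, so one side of this change is wrong. A changelog version that does not match Release is flagged by rpmlint and by newer rpmbuild, and a mismatched NVR makes it harder to trace which build actually carries the IMA verification change. Set `%global baserelease 5` or correct the changelog to 0.192-3, whichever release number is intended.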
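Review bot: The comment `# Fix configure.ac setting ENABLE_DEBUGINFOD_IMA_VERIFICATION.` above Patch3 names a symbol the patch does not touch (the conditional it fixes is ENABLE_IMA_VERIFICATION), and the Patch4 comment `# Skip IMA test not currently supported in RHEL 9.` does not record which capability is missing, so nobody will know when the skip can be removed. Suggest `# Fix configure.ac: ENABLE_IMA_VERIFICATION automake conditional was missing the "x" prefix.` and `# Skip IMA test 4: needs rpmsign --delfilesign, absent from RHEL 9 rpm-sign. Drop once available.`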
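Review bot: `--enable-debuginfod-ima-cert-path=%{_sysconfdir}/keys/ima` bakes in the directory whose certificates the client will trust when verifying IMA signatures, but the spec neither documents what is expected to populate /etc/keys/ima nor requires a package that provides it (no such Requires is visible in this diff), so on a host where the directory is empty or absent the outcome under an enforcing IMA policy depends on client defaults not shown here. Since every certificate in that directory becomes a trust anchor for debuginfod-find, the intent should be recorded next to the flag, e.g. `# Trust store for debuginfod IMA verification: any signing cert found here is trusted; populated by <package>, must remain root-owned and unwritable by unprivileged users.` with the provider filled in once confirmed. If a Requires on that provider is appropriate for the debuginfod-client subpackage, it belongs alongside this change.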
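Review bot: `%{_sysconfdir}/debuginfod/*.certpath` is a file under /etc that tells the client where its trusted IMA certificates live, yet it is listed without `%config(noreplace)`, so an administrator who repoints it would have the change silently overwritten on upgrade; the `%config(noreplace) %{_datadir}/fish/vendor_conf.d/*` entry two lines above shows the idiom already used in this %files list. If upstream intends the file as site configuration, use `%config(noreplace) %{_sysconfdir}/debuginfod/*.certpath`. The new line also inherits the `%if 0%{?centos} >= 8` guard from the `.urls` entry; confirm that the builds which install the file are exactly those where this condition holds, otherwise rpmbuild will fail on an installed-but-unpackaged file.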
@@ -518,6 +533,11 @@ exit 0 %systemd_postun_with_restart debuginfod.service %changelog +* Fri Dec 13 2024 Aaron Merey - 0.192-5 +- Enable debuginfod IMA verification +- Add elfutils-0.192-fix-configure-conditional.patch +- Add elfutils-0.192-skip-ima-test.patch + * Thu Oct 24 2024 Aaron Merey - 0.192-2 - Enable eu-stacktrace on x86_64 - Add elfutils-0.192-stacktrace-lto.patch