integritysetup: Add PHMAC algorithm to list of known algorithms

Add the PHMAC integrity algorithm to the list of supported algorithms.

The PHMAC algorithm is like the regular HMAC algorithm, but it takes a wrapped key
as input. A key for the PHMAC algorithm is an opaque key blob, who's physical size
has nothing to do with the cryptographic size. Currently PHMAC is only available
for the s390x architecture.

diff --git a/man/integritytab.xml b/man/integritytab.xml
index 196ae2fc97843abbffb883383a401eeb264a6f2e..8b2aea70f7288097b961db533c3a7c8098eef4ec 100644 (file)
--- a/man/integritytab.xml
+++ b/man/integritytab.xml
@@ -56,7 +56,7 @@
     <para>The third field if present contains an absolute filename path to a key file or a <literal>-</literal>
     to specify none.  When the filename is present, the "integrity-algorithm" defaults to <literal>hmac-sha256</literal>
     with the key length derived from the number of bytes in the key file.  At this time the only supported integrity algorithms
-    when using key file are hmac-sha256 and hmac-sha512.  The maximum size of the key file is 4096 bytes.
+    when using key file are hmac-sha256, hmac-sha512, phmac-sha256, and hmac-sha512.  The maximum size of the key file is 4096 bytes.
     </para>
 
      <para>The fourth field, if present, is a comma-delimited list of options or a <literal>-</literal> to specify none. The following options are
@@ -125,7 +125,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><option>integrity-algorithm=[crc32c|crc32|xxhash64|sha1|sha256|hmac-sha256|hmac-sha512]</option></term>
+        <term><option>integrity-algorithm=[crc32c|crc32|xxhash64|sha1|sha256|hmac-sha256|hmac-sha512|phmac-sha256|phmac-sha512]</option></term>
 
         <listitem><para>
         The algorithm used for integrity checking.  The default is crc32c. Must match option used during format.

diff --git a/src/integritysetup/integrity-util.c b/src/integritysetup/integrity-util.c
index 94ff62bf76a9c13dcd8c4c3f461b4d069ab0cf34..7e52f5c0dcba49e22535e41d8d8ce6fe7717ed7c 100644 (file)
--- a/src/integritysetup/integrity-util.c
+++ b/src/integritysetup/integrity-util.c
@@ -11,7 +11,7 @@
 #include "time-util.h"
 
 static int supported_integrity_algorithm(char *user_supplied) {
-        if (!STR_IN_SET(user_supplied, "crc32", "crc32c", "xxhash64", "sha1", "sha256", "hmac-sha256", "hmac-sha512"))
+        if (!STR_IN_SET(user_supplied, "crc32", "crc32c", "xxhash64", "sha1", "sha256", "hmac-sha256", "hmac-sha512", "phmac-sha256", "phmac-sha512"))
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unsupported integrity algorithm (%s)", user_supplied);
         return 0;
 }

diff --git a/src/integritysetup/integrity-util.h b/src/integritysetup/integrity-util.h
index 4347a0ac7efde2d950f7608465dba2b8479ed88a..5cc7e42de9270507d2165b5cf48c4e67ff75047f 100644 (file)
--- a/src/integritysetup/integrity-util.h
+++ b/src/integritysetup/integrity-util.h
@@ -13,4 +13,6 @@ int parse_integrity_options(
 
 #define DM_HMAC_256 "hmac(sha256)"
 #define DM_HMAC_512 "hmac(sha512)"
+#define DM_PHMAC_256 "phmac(sha256)"
+#define DM_PHMAC_512 "phmac(sha512)"
 #define DM_MAX_KEY_SIZE 4096            /* Maximum size of key allowed for dm-integrity */

diff --git a/src/integritysetup/integritysetup.c b/src/integritysetup/integritysetup.c
index c55535febb7c8cb6e8f538852adb12f368d10593..6bb3958fc6b49db63dbc520e756a213c000fdf23 100644 (file)
--- a/src/integritysetup/integritysetup.c
+++ b/src/integritysetup/integritysetup.c
@@ -79,6 +79,10 @@ static const char *integrity_algorithm_select(const void *key_file_buf) {
                         return DM_HMAC_256;
                 if (streq("hmac-sha512", arg_integrity_algorithm))
                         return DM_HMAC_512;
+                if (streq("phmac-sha256", arg_integrity_algorithm))
+                        return DM_PHMAC_256;
+                if (streq("phmac-sha512", arg_integrity_algorithm))
+                        return DM_PHMAC_512;
                 return arg_integrity_algorithm;
         } else if (key_file_buf)
                 return DM_HMAC_256;