From 7bf1cfe3b20037f3732d8854833b00f6a3511d95 Mon Sep 17 00:00:00 2001 From: Ingo Franzki Date: Tue, 5 Mar 2024 08:28:40 +0100 Subject: [PATCH 1/2] integritysetup: Add support for hmac-sha512 Currently the only supported integrity algorithm using HMAC is 'hmac-sha256'. Add 'hmac-sha512' to the list of supported algorithms as well. --- man/integritytab.xml | 6 +++--- src/integritysetup/integrity-util.c | 2 +- src/integritysetup/integrity-util.h | 1 + src/integritysetup/integritysetup.c | 2 ++ 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/man/integritytab.xml b/man/integritytab.xml index 413f5f49bc..196ae2fc97 100644 --- a/man/integritytab.xml +++ b/man/integritytab.xml @@ -55,8 +55,8 @@ The third field if present contains an absolute filename path to a key file or a - to specify none. When the filename is present, the "integrity-algorithm" defaults to hmac-sha256 - with the key length derived from the number of bytes in the key file. At this time the only supported integrity algorithm - when using key file is hmac-sha256. The maximum size of the key file is 4096 bytes. + with the key length derived from the number of bytes in the key file. At this time the only supported integrity algorithms + when using key file are hmac-sha256 and hmac-sha512. The maximum size of the key file is 4096 bytes. The fourth field, if present, is a comma-delimited list of options or a - to specify none. The following options are @@ -125,7 +125,7 @@ - + The algorithm used for integrity checking. The default is crc32c. Must match option used during format. diff --git a/src/integritysetup/integrity-util.c b/src/integritysetup/integrity-util.c index f421487805..94ff62bf76 100644 --- a/src/integritysetup/integrity-util.c +++ b/src/integritysetup/integrity-util.c 
@@ -11,7 +11,7 @@
 #include "time-util.h"
 static int supported_integrity_algorithm(char *user_supplied) {
- if (!STR_IN_SET(user_supplied, "crc32", "crc32c", "xxhash64", "sha1", "sha256", "hmac-sha256"))
+ if (!STR_IN_SET(user_supplied, "crc32", "crc32c", "xxhash64", "sha1", "sha256", "hmac-sha256", "hmac-sha512"))
 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unsupported integrity algorithm (%s)", user_supplied);
 return 0;
 }
diff --git a/src/integritysetup/integrity-util.h b/src/integritysetup/integrity-util.h
index 64aa79da87..4347a0ac7e 100644
--- a/src/integritysetup/integrity-util.h
+++ b/src/integritysetup/integrity-util.h
@@ -12,4 +12,5 @@ int parse_integrity_options(
 char **ret_integrity_alg);
 #define DM_HMAC_256 "hmac(sha256)"
+#define DM_HMAC_512 "hmac(sha512)"
 #define DM_MAX_KEY_SIZE 4096 /* Maximum size of key allowed for dm-integrity */
diff --git a/src/integritysetup/integritysetup.c b/src/integritysetup/integritysetup.c
index b643a48e11..c55535febb 100644
--- a/src/integritysetup/integritysetup.c
+++ b/src/integritysetup/integritysetup.c
@@ -77,6 +77,8 @@ static const char *integrity_algorithm_select(const void *key_file_buf) {
 if (arg_integrity_algorithm) {
 if (streq("hmac-sha256", arg_integrity_algorithm))
 return DM_HMAC_256;
+ if (streq("hmac-sha512", arg_integrity_algorithm))
+ return DM_HMAC_512;
 return arg_integrity_algorithm;
 } else if (key_file_buf)
 return DM_HMAC_256;
From eb7b0d413e5f7ca35e9f6a0b211dd71a710cb60d Mon Sep 17 00:00:00 2001
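Review bot: In the `integritysetup.c` hunk, an explicit `arg_integrity_algorithm` always wins over the presence of a key file, so an entry that names a key file together with an unkeyed algorithm such as `crc32c` or `sha256` gets that name back unchanged from `return arg_integrity_algorithm;`. The man page hunk of this patch says only the HMAC algorithms are supported with a key file, but nothing in the visible lines enforces it, and what becomes of the key in that case cannot be seen from here. If no check exists elsewhere, the combination should be refused before activation instead of being accepted silently, with a condition along the lines of `if (key_file_buf && !startswith(arg_integrity_algorithm, "hmac-"))` followed by an `EINVAL` error. The body of `integrity_algorithm_select()` continues past the end of the hunk.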
From: Ingo Franzki Date: Mon, 4 Mar 2024 09:26:18 +0100 Subject: [PATCH 2/2] integritysetup: Add PHMAC algorithm to list of known algorithms Add the PHMAC integrity algorithm to the list of supported algorithms. The PHMAC algorithm is like the regular HMAC algorithm, but it takes a wrapped key as input. A key for the PHMAC algorithm is an opaque key blob, who's physical size has nothing to do with the cryptographic size. Currently PHMAC is only available for the s390x architecture. --- man/integritytab.xml | 4 ++-- src/integritysetup/integrity-util.c | 2 +- src/integritysetup/integrity-util.h | 2 ++ src/integritysetup/integritysetup.c | 4 ++++ 4 files changed, 9 insertions(+), 3 deletions(-) diff --git a/man/integritytab.xml b/man/integritytab.xml index 196ae2fc97..8b2aea70f7 100644 --- a/man/integritytab.xml +++ b/man/integritytab.xml @@ -56,7 +56,7 @@ The third field if present contains an absolute filename path to a key file or a - to specify none. When the filename is present, the "integrity-algorithm" defaults to hmac-sha256 with the key length derived from the number of bytes in the key file. At this time the only supported integrity algorithms - when using key file are hmac-sha256 and hmac-sha512. The maximum size of the key file is 4096 bytes. + when using key file are hmac-sha256, hmac-sha512, phmac-sha256, and hmac-sha512. The maximum size of the key file is 4096 bytes. The fourth field, if present, is a comma-delimited list of options or a - to specify none. The following options are @@ -125,7 +125,7 @@ - + The algorithm used for integrity checking. The default is crc32c. Must match option used during format. diff --git a/src/integritysetup/integrity-util.c b/src/integritysetup/integrity-util.c index 94ff62bf76..7e52f5c0dc 100644 --- a/src/integritysetup/integrity-util.c +++ b/src/integritysetup/integrity-util.c 
@@ -11,7 +11,7 @@
 #include "time-util.h"
 static int supported_integrity_algorithm(char *user_supplied) {
- if (!STR_IN_SET(user_supplied, "crc32", "crc32c", "xxhash64", "sha1", "sha256", "hmac-sha256", "hmac-sha512"))
+ if (!STR_IN_SET(user_supplied, "crc32", "crc32c", "xxhash64", "sha1", "sha256", "hmac-sha256", "hmac-sha512", "phmac-sha256", "phmac-sha512"))
 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unsupported integrity algorithm (%s)", user_supplied);
 return 0;
 }
diff --git a/src/integritysetup/integrity-util.h b/src/integritysetup/integrity-util.h
index 4347a0ac7e..5cc7e42de9 100644
--- a/src/integritysetup/integrity-util.h
+++ b/src/integritysetup/integrity-util.h
@@ -13,4 +13,6 @@ int parse_integrity_options(
 #define DM_HMAC_256 "hmac(sha256)"
 #define DM_HMAC_512 "hmac(sha512)"
+#define DM_PHMAC_256 "phmac(sha256)"
+#define DM_PHMAC_512 "phmac(sha512)"
 #define DM_MAX_KEY_SIZE 4096 /* Maximum size of key allowed for dm-integrity */
diff --git a/src/integritysetup/integritysetup.c b/src/integritysetup/integritysetup.c
index c55535febb..6bb3958fc6 100644
--- a/src/integritysetup/integritysetup.c
+++ b/src/integritysetup/integritysetup.c
@@ -79,6 +79,10 @@ static const char *integrity_algorithm_select(const void *key_file_buf) {
 return DM_HMAC_256;
 if (streq("hmac-sha512", arg_integrity_algorithm))
 return DM_HMAC_512;
+ if (streq("phmac-sha256", arg_integrity_algorithm))
+ return DM_PHMAC_256;
+ if (streq("phmac-sha512", arg_integrity_algorithm))
+ return DM_PHMAC_512;
 return arg_integrity_algorithm;
 } else if (key_file_buf)
 return DM_HMAC_256;
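Review bot: The allow-list in `supported_integrity_algorithm()` now accepts `phmac-sha256` and `phmac-sha512`, but the man page hunk of this same patch lists `hmac-sha512` twice ("hmac-sha256, hmac-sha512, phmac-sha256, and hmac-sha512") and never names `phmac-sha512`; its last item should read `phmac-sha512`. The commit message also says PHMAC is currently available only on s390x, while the list accepts the names on every architecture, so elsewhere the failure would presumably surface only at activation. A comment above the list such as `/* phmac-*: HMAC with a wrapped key, currently s390x only */` would record that for the next reader.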
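Review bot: The two new `DM_PHMAC_*` defines in `integrity-util.h` carry no comment, and the existing comment on `DM_MAX_KEY_SIZE` still speaks only of a key, although the commit message says a PHMAC key file holds an opaque wrapped blob whose size is unrelated to the cryptographic key size. I would add `/* phmac: HMAC taking a wrapped key; the key file holds an opaque key blob */` above the new defines and widen the limit's comment to `/* Maximum size of key or wrapped key blob read from the key file */`. Whether 4096 bytes covers every blob format is not visible here and is worth confirming.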
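Review bot: With this patch the `streq()` chain in `integrity_algorithm_select()` has four branches that repeat names already listed in `supported_integrity_algorithm()`, so a name added in one place and not the other falls through `return arg_integrity_algorithm;` in its integritytab spelling rather than the dm-integrity one. A small name table walked in a loop keeps the mapping in one spot, and the same table could later back the allow-list. The key-file default after the chain stays `DM_HMAC_256`, so a key file holding a PHMAC blob without an explicit algorithm option selects plain HMAC, which deserves a sentence in the man page. The hunk starts inside the function and the function continues past its end.
```c
static const char *integrity_algorithm_select(const void *key_file_buf) {
        /* integritytab spelling -> dm-integrity spelling for the keyed algorithms */
        static const struct {
                const char *tab_name;
                const char *dm_name;
        } keyed[] = {
                { "hmac-sha256",  DM_HMAC_256  },
                { "hmac-sha512",  DM_HMAC_512  },
                { "phmac-sha256", DM_PHMAC_256 },
                { "phmac-sha512", DM_PHMAC_512 },
        };

        if (arg_integrity_algorithm) {
                for (size_t i = 0; i < ELEMENTSOF(keyed); i++)
                        if (streq(keyed[i].tab_name, arg_integrity_algorithm))
                                return keyed[i].dm_name;
                return arg_integrity_algorithm;
        /* … unchanged: key-file default and the rest of the function … */
```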