evmctl - IMA/EVM control tool

evmctl provides signing support for IMA/EVM. Functionality includes signing of file content (IMA), file metadata (EVM), importing public keys into kernel keyring. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2025-07-04 06:25:15 +02:00 · 2011-10-14 16:53:34 +03:00
parent 6ec041487e
commit 273701a5b2
21 changed files with 1699 additions and 0 deletions
--- a/tests/evm_enable.sh
+++ b/tests/evm_enable.sh
@ -0,0 +1,25 @@
+#!/bin/sh
+
+# import EVM HMAC key
+keyctl clear @u
+keyctl add user kmk "testing123" @u
+keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
+
+# import Moule public key
+mod_id=`keyctl newring _module @u`
+evmctl import /etc/keys/pubkey_evm.pem $mod_id
+
+# import IMA public key
+ima_id=`keyctl newring _ima @u`
+evmctl import /etc/keys/pubkey_evm.pem $ima_id
+
+# import EVM public key
+evm_id=`keyctl newring _evm @u`
+evmctl import /etc/keys/pubkey_evm.pem $evm_id
+
+# enable EVM
+echo "1" > /sys/kernel/security/evm
+
+# enable module checking
+echo "1" > /sys/kernel/security/ima/module_check
+