dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-04-27 22:32:31 +02:00
Code Releases Activity

Update README

Browse Source 
Update the README to reflect the changes to "evmctl --help".

Update the "--pass" option format in both the README and evmctl usage
to reflect passing an optional password on the command line (not
recommended).  When providing the password, the format is:
 "[--pass[=<password>]]".

Also fix some typos.

Still include references to both the deprecated "--rsa" and "--engine"
options.

Related confiigure options:
--enable-sigv1          Build ima-evm-utils with signature v1 support
--disable-engine        build ima-evm-utils without OpenSSL engine support

Reported-by: Vitaly Chikunov <vt@altlinux.org> # typos, "--pass" format
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Mimi Zohar 2023-03-03 08:12:10 -05:00
parent 02c833339b
commit 2ea31a943c
2 changed files with 30 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
README
View File

@ -25,29 +25,34 @@ COMMANDS
--version --version
help <command> help <command>
import [--rsa] pubkey keyring import [--rsa (deprecated)] pubkey keyring
sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file sign [-r] [--imahash | --imasig ] [--key key] [--pass[=<password>] file
verify file verify file
ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log] ima_sign [--sigfile] [--key key] [--pass[=<password>]] file
ima_sign [--sigfile] [--key key] [--pass password] file
ima_verify file ima_verify file
ima_setxattr [--sigfile file]
ima_hash file ima_hash file
ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]
[--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...]
[--verify-bank hash-algorithm] file
ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
[--hwtpm]
ima_fix [-t fdsxm] path ima_fix [-t fdsxm] path
sign_hash [--veritysig] [--key key] [--pass password] ima_clear [-t fdsxm] path
sign_hash [--veritysig] [--key key] [--pass=<password>]
hmac [--imahash | --imasig ] file hmac [--imahash | --imasig ] file
OPTIONS OPTIONS
------- -------
-a, --hashalgo sha1, sha224, sha256, sha384, sha512 -a, --hashalgo sha1, sha224, sha256, sha384, sha512, streebog256, streebog512 (default: sha256)
-s, --imasig make IMA signature -s, --imasig make IMA signature
--veritysig sign an fs-verity file digest hash --veritysig sign an fs-verity file digest hash
-d, --imahash make IMA hash -d, --imahash make IMA hash
-f, --sigfile store IMA signature in .sig file instead of xattr -f, --sigfile store IMA signature in .sig file instead of xattr
--xattr-user store xattrs in user namespace (for testing purposes) --xattr-user store xattrs in user namespace (for testing purposes)
--rsa use RSA key type and signing scheme v1 --rsa use RSA key type and signing scheme v1 (deprecated)
-k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem) -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
or a pkcs11 URI or a pkcs11 URI
--keyid n overwrite signature keyid with a 32-bit value in hex (for signing) --keyid n overwrite signature keyid with a 32-bit value in hex (for signing)
@ -64,7 +69,15 @@ OPTIONS
--smack use extra SMACK xattrs for EVM --smack use extra SMACK xattrs for EVM
--m32 force EVM hmac/signature for 32 bit target system --m32 force EVM hmac/signature for 32 bit target system
--m64 force EVM hmac/signature for 64 bit target system --m64 force EVM hmac/signature for 64 bit target system
--engine e preload OpenSSL engine e (such as: gost) --engine e preload OpenSSL engine e (such as: gost) is deprecated
--ino use custom inode for EVM
--uid use custom UID for EVM
--gid use custom GID for EVM
--mode use custom Mode for EVM
--generation use custom Generation for EVM(unspecified: from FS, empty: use 0)
--ima use custom IMA signature for EVM
--selinux use custom Selinux label for EVM
--caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)
--pcrs file containing TPM pcrs, one per hash-algorithm/bank --pcrs file containing TPM pcrs, one per hash-algorithm/bank
--ignore-violations ignore ToMToU measurement violations --ignore-violations ignore ToMToU measurement violations
--verify-sig verify the file signature based on the file hash, both --verify-sig verify the file signature based on the file hash, both
@ -206,7 +219,7 @@ asymmetric keys support:
Configuration file x509_evm.genkey: Configuration file x509_evm.genkey:
# Begining of the file # Beginning of the file
[ req ] [ req ]
default_bits = 1024 default_bits = 1024
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
@ -257,7 +270,7 @@ following steps:
Configuration file ima-local-ca.genkey: Configuration file ima-local-ca.genkey:
# Begining of the file # Beginning of the file
[ req ] [ req ]
default_bits = 2048 default_bits = 2048
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
@ -288,7 +301,7 @@ Produce X509 in DER format for using while building the kernel:
Configuration file ima.genkey: Configuration file ima.genkey:
# Begining of the file # Beginning of the file
[ req ] [ req ]
default_bits = 1024 default_bits = 1024
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name

9
src/evmctl.c
View File

@ -2820,6 +2820,7 @@ static void usage(void)
"\n" "\n"
" -a, --hashalgo sha1, sha224, sha256, sha384, sha512, streebog256, streebog512 (default: %s)\n" " -a, --hashalgo sha1, sha224, sha256, sha384, sha512, streebog256, streebog512 (default: %s)\n"
" -s, --imasig make IMA signature\n" " -s, --imasig make IMA signature\n"
" --veritysig sign an fs-verity file digest hash\n"
" -d, --imahash make IMA hash\n" " -d, --imahash make IMA hash\n"
" -f, --sigfile store IMA signature in .sig file instead of xattr\n" " -f, --sigfile store IMA signature in .sig file instead of xattr\n"
" --xattr-user store xattrs in user namespace (for testing purposes)\n" " --xattr-user store xattrs in user namespace (for testing purposes)\n"
@ -2867,14 +2868,14 @@ struct command cmds[] = {
{"--version", NULL, 0, ""}, {"--version", NULL, 0, ""},
{"help", cmd_help, 0, "<command>"}, {"help", cmd_help, 0, "<command>"},
#if CONFIG_SIGV1 #if CONFIG_SIGV1
{"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring. ([--rsa] deprecated)\n"}, {"import", cmd_import, 0, "[--rsa (deprecated)] pubkey keyring", "Import public key into the keyring.\n"},
{"convert", cmd_convert, 0, "key", "convert public key into the keyring. (deprecated)\n"}, {"convert", cmd_convert, 0, "key", "convert public key into the keyring. (deprecated)\n"},
#else #else
{"import", cmd_import, 0, "pubkey keyring", "Import public key into the keyring.\n"}, {"import", cmd_import, 0, "pubkey keyring", "Import public key into the keyring.\n"},
#endif #endif
{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass [password] file", "Sign file metadata.\n"}, {"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass[=<password>]] file", "Sign file metadata.\n"},
{"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"}, {"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
{"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass [password] file", "Make file content signature.\n"}, {"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass[=<password>]] file", "Make file content signature.\n"},
{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"}, {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"}, {"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"}, {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
@ -2882,7 +2883,7 @@ struct command cmds[] = {
{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log] [--hwtpm]", "Calculate per TPM bank boot_aggregate digests\n"}, {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log] [--hwtpm]", "Calculate per TPM bank boot_aggregate digests\n"},
{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"}, {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"}, {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass password]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"}, {"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
#ifdef DEBUG #ifdef DEBUG
{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"}, {"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
#endif #endif