mirror of
https://git.code.sf.net/p/linux-ima/ima-evm-utils
synced 2025-10-31 13:10:42 +01:00
Update README
Update the README to reflect the changes to "evmctl --help". Update the "--pass" option format in both the README and evmctl usage to reflect passing an optional password on the command line (not recommended). When providing the password, the format is: "[--pass[=<password>]]". Also fix some typos. Still include references to both the deprecated "--rsa" and "--engine" options. Related confiigure options: --enable-sigv1 Build ima-evm-utils with signature v1 support --disable-engine build ima-evm-utils without OpenSSL engine support Reported-by: Vitaly Chikunov <vt@altlinux.org> # typos, "--pass" format Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Mimi Zohar
37
README
37
README
@@ -25,29 +25,34 @@ COMMANDS
|
||||
|
||||
--version
|
||||
help <command>
|
||||
import [--rsa] pubkey keyring
|
||||
sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
|
||||
import [--rsa (deprecated)] pubkey keyring
|
||||
sign [-r] [--imahash | --imasig ] [--key key] [--pass[=<password>] file
|
||||
verify file
|
||||
ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
|
||||
ima_sign [--sigfile] [--key key] [--pass password] file
|
||||
ima_sign [--sigfile] [--key key] [--pass[=<password>]] file
|
||||
ima_verify file
|
||||
ima_setxattr [--sigfile file]
|
||||
ima_hash file
|
||||
ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
|
||||
ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]
|
||||
[--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...]
|
||||
[--verify-bank hash-algorithm] file
|
||||
ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
|
||||
[--hwtpm]
|
||||
ima_fix [-t fdsxm] path
|
||||
sign_hash [--veritysig] [--key key] [--pass password]
|
||||
ima_clear [-t fdsxm] path
|
||||
sign_hash [--veritysig] [--key key] [--pass=<password>]
|
||||
hmac [--imahash | --imasig ] file
|
||||
|
||||
|
||||
OPTIONS
|
||||
-------
|
||||
|
||||
-a, --hashalgo sha1, sha224, sha256, sha384, sha512
|
||||
-a, --hashalgo sha1, sha224, sha256, sha384, sha512, streebog256, streebog512 (default: sha256)
|
||||
-s, --imasig make IMA signature
|
||||
--veritysig sign an fs-verity file digest hash
|
||||
-d, --imahash make IMA hash
|
||||
-f, --sigfile store IMA signature in .sig file instead of xattr
|
||||
--xattr-user store xattrs in user namespace (for testing purposes)
|
||||
--rsa use RSA key type and signing scheme v1
|
||||
--rsa use RSA key type and signing scheme v1 (deprecated)
|
||||
-k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
|
||||
or a pkcs11 URI
|
||||
--keyid n overwrite signature keyid with a 32-bit value in hex (for signing)
|
||||
@@ -64,7 +69,15 @@ OPTIONS
|
||||
--smack use extra SMACK xattrs for EVM
|
||||
--m32 force EVM hmac/signature for 32 bit target system
|
||||
--m64 force EVM hmac/signature for 64 bit target system
|
||||
--engine e preload OpenSSL engine e (such as: gost)
|
||||
--engine e preload OpenSSL engine e (such as: gost) is deprecated
|
||||
--ino use custom inode for EVM
|
||||
--uid use custom UID for EVM
|
||||
--gid use custom GID for EVM
|
||||
--mode use custom Mode for EVM
|
||||
--generation use custom Generation for EVM(unspecified: from FS, empty: use 0)
|
||||
--ima use custom IMA signature for EVM
|
||||
--selinux use custom Selinux label for EVM
|
||||
--caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)
|
||||
--pcrs file containing TPM pcrs, one per hash-algorithm/bank
|
||||
--ignore-violations ignore ToMToU measurement violations
|
||||
--verify-sig verify the file signature based on the file hash, both
|
||||
@@ -206,7 +219,7 @@ asymmetric keys support:
|
||||
|
||||
Configuration file x509_evm.genkey:
|
||||
|
||||
# Begining of the file
|
||||
# Beginning of the file
|
||||
[ req ]
|
||||
default_bits = 1024
|
||||
distinguished_name = req_distinguished_name
|
||||
@@ -257,7 +270,7 @@ following steps:
|
||||
|
||||
Configuration file ima-local-ca.genkey:
|
||||
|
||||
# Begining of the file
|
||||
# Beginning of the file
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
distinguished_name = req_distinguished_name
|
||||
@@ -288,7 +301,7 @@ Produce X509 in DER format for using while building the kernel:
|
||||
|
||||
Configuration file ima.genkey:
|
||||
|
||||
# Begining of the file
|
||||
# Beginning of the file
|
||||
[ req ]
|
||||
default_bits = 1024
|
||||
distinguished_name = req_distinguished_name
|
||||
|
||||
@@ -2820,6 +2820,7 @@ static void usage(void)
|
||||
"\n"
|
||||
" -a, --hashalgo sha1, sha224, sha256, sha384, sha512, streebog256, streebog512 (default: %s)\n"
|
||||
" -s, --imasig make IMA signature\n"
|
||||
" --veritysig sign an fs-verity file digest hash\n"
|
||||
" -d, --imahash make IMA hash\n"
|
||||
" -f, --sigfile store IMA signature in .sig file instead of xattr\n"
|
||||
" --xattr-user store xattrs in user namespace (for testing purposes)\n"
|
||||
@@ -2867,14 +2868,14 @@ struct command cmds[] = {
|
||||
{"--version", NULL, 0, ""},
|
||||
{"help", cmd_help, 0, "<command>"},
|
||||
#if CONFIG_SIGV1
|
||||
{"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring. ([--rsa] deprecated)\n"},
|
||||
{"import", cmd_import, 0, "[--rsa (deprecated)] pubkey keyring", "Import public key into the keyring.\n"},
|
||||
{"convert", cmd_convert, 0, "key", "convert public key into the keyring. (deprecated)\n"},
|
||||
#else
|
||||
{"import", cmd_import, 0, "pubkey keyring", "Import public key into the keyring.\n"},
|
||||
#endif
|
||||
{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass [password] file", "Sign file metadata.\n"},
|
||||
{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass[=<password>]] file", "Sign file metadata.\n"},
|
||||
{"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
|
||||
{"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass [password] file", "Make file content signature.\n"},
|
||||
{"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass[=<password>]] file", "Make file content signature.\n"},
|
||||
{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
|
||||
{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
|
||||
{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
|
||||
@@ -2882,7 +2883,7 @@ struct command cmds[] = {
|
||||
{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log] [--hwtpm]", "Calculate per TPM bank boot_aggregate digests\n"},
|
||||
{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
|
||||
{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
|
||||
{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass password]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
|
||||
{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
|
||||
#ifdef DEBUG
|
||||
{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
|
||||
#endif
|
||||
|
||||
Reference in New Issue
Block a user