ima-evm-utils: verify the template data file signature

The file signature stored in the ima_measurement list is verified based on the file hash. Instead of reading the file data to calculate the file hash, compare with the file hash stored in the template data. In both cases, the set of public keys need to be specified. This patch renames the "--list" option to "verify-sig" option. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2025-07-01 21:31:14 +02:00 · 2020-07-10 11:01:44 -04:00
parent 1816644727
commit 4a96edb6e8
2 changed files with 9 additions and 7 deletions
--- a/4
+++ b/4
@ -31,7 +31,7 @@ COMMANDS
 ima_sign [--sigfile] [--key key] [--pass password] file
 ima_verify file
 ima_hash file
- ima_measurement [--key "key1, key2, ..."] [--list] file
+ ima_measurement [--verify-sig [--key "key1, key2, ..."]] file
 ima_fix [-t fdsxm] path
 sign_hash [--key key] [--pass password]
 hmac [--imahash | --imasig ] file
@ -59,6 +59,8 @@ OPTIONS
      --m32          force EVM hmac/signature for 32 bit target system
      --m64          force EVM hmac/signature for 64 bit target system
      --engine e     preload OpenSSL engine e (such as: gost)
+      --verify-sig   verify the file signature based on the file hash, both
+                     stored in the template data.
  -v                 increase verbosity level
  -h, --help         display this help and exit