mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-07-01 21:31:14 +02:00

Drop the ima_measurement "--verify" option

While walking the IMA measurement list re-calculating the PCRS,
ima_measurement should always re-calculate the template data digest
and verify it against the measurement list value.

This patch removes the "--verify" option.

On success, return 0.

Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Mimi Zohar
2020-07-29 16:34:37 -04:00
parent 8e2738dd44
commit 5b58f47570
2 changed files with 9 additions and 17 deletions

README

@ -31,7 +31,7 @@ COMMANDS
ima_sign [--sigfile] [--key key] [--pass password] file
ima_verify file
ima_hash file
ima_measurement [--validate] [--verify] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
ima_measurement [--validate] [--verify-sig [--key "key1, key2, ..."]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
ima_fix [-t fdsxm] path
sign_hash [--key key] [--pass password]
hmac [--imahash | --imasig ] file
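
Review bot: The ima_measurement synopsis line drops "[--verify]" with no compatibility note, so anyone with a script that still passes "--verify" learns nothing from the README about what happens now. If the parser rejects the option after this change, those attestation scripts fail on an unknown option. Consider either accepting "--verify" as a deprecated no-op for a release, or adding one line near the synopsis saying that the option was removed because the template data digest check is now always performed.
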
@ -61,7 +61,6 @@ OPTIONS
--engine e preload OpenSSL engine e (such as: gost)
--pcrs file containing TPM pcrs, one per hash-algorithm/bank
--validate ignore ToMToU measurement violations
--verify verify the template data digest
--verify-sig verify the file signature based on the file hash, both
stored in the template data.
-v increase verbosity level
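
Review bot: Missing documentation in the OPTIONS hunk: once the "--verify verify the template data digest" line is removed, nothing in the visible README text says that ima_measurement re-calculates the template data digest and checks it against the measurement list value, even though the commit message makes that the unconditional behaviour. The commit message also states "On success, return 0", and that exit-status contract is not reflected here either. Suggest adding a sentence to the ima_measurement description covering both the always-on digest check and the return value, so callers know a non-zero exit can now mean a template data digest mismatch.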