Rename "--validate" to "--ignore-violations"

IMA records file "Time of Measure, Time of Use (ToMToU)" and "open writers" integrity violations by adding a record to the measurement list containing one value (0x00's), but extending the TPM with a different value (0xFF's). To avoid known file integrity violations, the builtin "tcb" measurement policy should be replaced with a custom policy as early as possible. This patch renames the existing "--validate" option to "--ignore-violations". Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2025-07-02 21:53:17 +02:00 · 2020-07-29 16:44:09 -04:00
parent 5b58f47570
commit 62534f2127
2 changed files with 9 additions and 8 deletions
--- a/4
+++ b/4
@ -31,7 +31,7 @@ COMMANDS
 ima_sign [--sigfile] [--key key] [--pass password] file
 ima_verify file
 ima_hash file
- ima_measurement [--validate] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
+ ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
 ima_fix [-t fdsxm] path
 sign_hash [--key key] [--pass password]
 hmac [--imahash | --imasig ] file
@ -60,7 +60,7 @@ OPTIONS
      --m64          force EVM hmac/signature for 64 bit target system
      --engine e     preload OpenSSL engine e (such as: gost)
      --pcrs         file containing TPM pcrs, one per hash-algorithm/bank
-      --validate     ignore ToMToU measurement violations
+      --ignore-violations ignore ToMToU measurement violations
      --verify-sig   verify the file signature based on the file hash, both
                     stored in the template data.
  -v                 increase verbosity level