evmctl - IMA/EVM control tool

evmctl provides signing support for IMA/EVM. Functionality includes signing of file content (IMA), file metadata (EVM), importing public keys into kernel keyring. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2025-07-04 06:25:15 +02:00 · 2011-10-14 16:53:34 +03:00
parent 6ec041487e
commit e2da6956c4
21 changed files with 1723 additions and 0 deletions
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@ -0,0 +1,6 @@
+pkglib_PROGRAMS = openclose
+
+openclose_SOURCES = openclose.c
+
+dist_pkglib_SCRIPTS = evm_enable.sh evm_genkey.sh evm_label_all.sh sign_modules_dir.sh ima_fix_dir.sh
+
--- a/tests/evm_enable.sh
+++ b/tests/evm_enable.sh
@ -0,0 +1,25 @@
+#!/bin/sh
+
+# import EVM HMAC key
+keyctl clear @u
+keyctl add user kmk "testing123" @u
+keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
+
+# import Moule public key
+mod_id=`keyctl newring _module @u`
+evmctl import /etc/keys/pubkey_evm.pem $mod_id
+
+# import IMA public key
+ima_id=`keyctl newring _ima @u`
+evmctl import /etc/keys/pubkey_evm.pem $ima_id
+
+# import EVM public key
+evm_id=`keyctl newring _evm @u`
+evmctl import /etc/keys/pubkey_evm.pem $evm_id
+
+# enable EVM
+echo "1" > /sys/kernel/security/evm
+
+# enable module checking
+echo "1" > /sys/kernel/security/ima/module_check
+
--- a/tests/evm_genkey.sh
+++ b/tests/evm_genkey.sh
@ -0,0 +1,8 @@
+#!/bin/sh
+
+keyctl add user kmk "testing123" @u
+key=`keyctl add encrypted evm-key "new user:kmk 32" @u`
+keyctl print $key >/etc/keys/evm-key
+
+keyctl list @u
+
--- a/tests/evm_label_all.sh
+++ b/tests/evm_label_all.sh
@ -0,0 +1,17 @@
+#!/bin/sh
+
+verbose=""
+if [ "$1" = "-v" ] ; then
+	verbose="-v"
+	shift 1
+fi
+
+dir=${1:-/}
+
+echo "Label: $dir"
+
+find $dir \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) ! -path "/lib/modules/*" -type f -uid 0 -exec evmctl sign --imahash $verbose '{}' \;
+find /lib/modules ! -name "*.ko" -type f -uid 0 -exec evmctl sign --imahash $verbose '{}' \;
+# security.ima needs to have signature for modules
+find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl sign --imasig $verbose '{}' \;
+
--- a/tests/ima_fix_dir.sh
+++ b/tests/ima_fix_dir.sh
@ -0,0 +1,8 @@
+#!/bin/sh
+
+dir=${1:-/}
+
+echo "Fixing dir: $dir"
+
+find $dir \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) -type f -uid 0 -exec openclose '{}' \;
+
--- a/tests/openclose.c
+++ b/tests/openclose.c
@ -0,0 +1,20 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <stdlib.h>
+
+int main(int argc, char *argv[])
+{
+	int fd;
+
+	fd = open(argv[1], O_RDONLY);
+	if (fd < 0) {
+		perror("open()");
+		exit(1);
+	}
+
+	close(fd);
+
+	return 0;
+}
+
--- a/tests/sign_modules_dir.sh
+++ b/tests/sign_modules_dir.sh
@ -0,0 +1,15 @@
+#!/bin/sh
+
+verbose=""
+if [ "$1" = "-v" ] ; then
+	verbose="-v"
+	shift 1
+fi
+
+dir=${1:-/lib/modules}
+
+echo "Signing modules: $dir"
+
+find $dir -name "*.ko" -type f -uid 0 -exec evmctl sign --imasig '{}' \;
+find $dir ! -name "*.ko" -type f -uid 0 -exec evmctl sign --imahash '{}' \;
+