Added RPM and TAR building rules

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
evm-utils renamed to ima-evm-utils
2025-07-03 14:13:16 +02:00 · 2012-04-05 15:24:01 +03:00 · 2012-04-05 14:54:28 +03:00 · 2012-04-05 14:32:28 +03:00 · 2012-04-05 13:48:39 +03:00 · 2012-04-05 13:48:08 +03:00
47 changed files with 938 additions and 6214 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,8 +2,6 @@
 *~
 # Generated by autotools
 .libs
 m4
 .deps
 aclocal.m4
 autom4te.cache
@ -21,13 +19,10 @@ missing
 compile
 libtool
 ltmain.sh
 test-driver
 # Compiled executables
 *.o
 *.a
 *.lo
 *.la
 src/evmctl
 tests/openclose
 config.h
@ -45,7 +40,6 @@ cscope.*
 ncscope.*
 # Generated documentation
 *.1
 *.8
 *.5
 manpage.links
--- a/6
+++ b/6
@ -1,6 +1,2 @@
-Dmitry Kasatkin <d.kasatkin@samsung.com>
+Dmitry Kasatkin <dmitry.kasatkin@intel.com>
 CONTRIBUTORS:
 Vivek Goyal <vgoyal@redhat.com>
 Mimi Zohar <zohar@linux.vnet.ibm.com>
--- a/339
+++ b/339
@ -1,339 +0,0 @@
                    GNU GENERAL PUBLIC LICENSE
                       Version 2, June 1991
 Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
                            Preamble
  The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
 License is intended to guarantee your freedom to share and change free
 software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
 the GNU Lesser General Public License instead.)  You can apply it to
 your programs, too.
  When we speak of free software, we are referring to freedom, not
 price.  Our General Public Licenses are designed to make sure that you
 have the freedom to distribute copies of free software (and charge for
 this service if you wish), that you receive source code or can get it
 if you want it, that you can change the software or use pieces of it
 in new free programs; and that you know you can do these things.
  To protect your rights, we need to make restrictions that forbid
 anyone to deny you these rights or to ask you to surrender the rights.
 These restrictions translate to certain responsibilities for you if you
 distribute copies of the software, or if you modify it.
  For example, if you distribute copies of such a program, whether
 gratis or for a fee, you must give the recipients all the rights that
 you have.  You must make sure that they, too, receive or can get the
 source code.  And you must show them these terms so they know their
 rights.
  We protect your rights with two steps: (1) copyright the software, and
 (2) offer you this license which gives you legal permission to copy,
 distribute and/or modify the software.
  Also, for each author's protection and ours, we want to make certain
 that everyone understands that there is no warranty for this free
 software.  If the software is modified by someone else and passed on, we
 want its recipients to know that what they have is not the original, so
 that any problems introduced by others will not reflect on the original
 authors' reputations.
  Finally, any free program is threatened constantly by software
 patents.  We wish to avoid the danger that redistributors of a free
 program will individually obtain patent licenses, in effect making the
 program proprietary.  To prevent this, we have made it clear that any
 patent must be licensed for everyone's free use or not licensed at all.
  The precise terms and conditions for copying, distribution and
 modification follow.
                    GNU GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
  0. This License applies to any program or other work which contains
 a notice placed by the copyright holder saying it may be distributed
 under the terms of this General Public License.  The "Program", below,
 refers to any such program or work, and a "work based on the Program"
 means either the Program or any derivative work under copyright law:
 that is to say, a work containing the Program or a portion of it,
 either verbatim or with modifications and/or translated into another
 language.  (Hereinafter, translation is included without limitation in
 the term "modification".)  Each licensee is addressed as "you".
 Activities other than copying, distribution and modification are not
 covered by this License; they are outside its scope.  The act of
 running the Program is not restricted, and the output from the Program
 is covered only if its contents constitute a work based on the
 Program (independent of having been made by running the Program).
 Whether that is true depends on what the Program does.
  1. You may copy and distribute verbatim copies of the Program's
 source code as you receive it, in any medium, provided that you
 conspicuously and appropriately publish on each copy an appropriate
 copyright notice and disclaimer of warranty; keep intact all the
 notices that refer to this License and to the absence of any warranty;
 and give any other recipients of the Program a copy of this License
 along with the Program.
 You may charge a fee for the physical act of transferring a copy, and
 you may at your option offer warranty protection in exchange for a fee.
  2. You may modify your copy or copies of the Program or any portion
 of it, thus forming a work based on the Program, and copy and
 distribute such modifications or work under the terms of Section 1
 above, provided that you also meet all of these conditions:
    a) You must cause the modified files to carry prominent notices
    stating that you changed the files and the date of any change.
    b) You must cause any work that you distribute or publish, that in
    whole or in part contains or is derived from the Program or any
    part thereof, to be licensed as a whole at no charge to all third
    parties under the terms of this License.
    c) If the modified program normally reads commands interactively
    when run, you must cause it, when started running for such
    interactive use in the most ordinary way, to print or display an
    announcement including an appropriate copyright notice and a
    notice that there is no warranty (or else, saying that you provide
    a warranty) and that users may redistribute the program under
    these conditions, and telling the user how to view a copy of this
    License.  (Exception: if the Program itself is interactive but
    does not normally print such an announcement, your work based on
    the Program is not required to print an announcement.)
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
 themselves, then this License, and its terms, do not apply to those
 sections when you distribute them as separate works.  But when you
 distribute the same sections as part of a whole which is a work based
 on the Program, the distribution of the whole must be on the terms of
 this License, whose permissions for other licensees extend to the
 entire whole, and thus to each and every part regardless of who wrote it.
 Thus, it is not the intent of this section to claim rights or contest
 your rights to work written entirely by you; rather, the intent is to
 exercise the right to control the distribution of derivative or
 collective works based on the Program.
 In addition, mere aggregation of another work not based on the Program
 with the Program (or with a work based on the Program) on a volume of
 a storage or distribution medium does not bring the other work under
 the scope of this License.
  3. You may copy and distribute the Program (or a work based on it,
 under Section 2) in object code or executable form under the terms of
 Sections 1 and 2 above provided that you also do one of the following:
    a) Accompany it with the complete corresponding machine-readable
    source code, which must be distributed under the terms of Sections
    1 and 2 above on a medium customarily used for software interchange; or,
    b) Accompany it with a written offer, valid for at least three
    years, to give any third party, for a charge no more than your
    cost of physically performing source distribution, a complete
    machine-readable copy of the corresponding source code, to be
    distributed under the terms of Sections 1 and 2 above on a medium
    customarily used for software interchange; or,
    c) Accompany it with the information you received as to the offer
    to distribute corresponding source code.  (This alternative is
    allowed only for noncommercial distribution and only if you
    received the program in object code or executable form with such
    an offer, in accord with Subsection b above.)
 The source code for a work means the preferred form of the work for
 making modifications to it.  For an executable work, complete source
 code means all the source code for all modules it contains, plus any
 associated interface definition files, plus the scripts used to
 control compilation and installation of the executable.  However, as a
 special exception, the source code distributed need not include
 anything that is normally distributed (in either source or binary
 form) with the major components (compiler, kernel, and so on) of the
 operating system on which the executable runs, unless that component
 itself accompanies the executable.
 If distribution of executable or object code is made by offering
 access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
  4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
 void, and will automatically terminate your rights under this License.
 However, parties who have received copies, or rights, from you under
 this License will not have their licenses terminated so long as such
 parties remain in full compliance.
  5. You are not required to accept this License, since you have not
 signed it.  However, nothing else grants you permission to modify or
 distribute the Program or its derivative works.  These actions are
 prohibited by law if you do not accept this License.  Therefore, by
 modifying or distributing the Program (or any work based on the
 Program), you indicate your acceptance of this License to do so, and
 all its terms and conditions for copying, distributing or modifying
 the Program or works based on it.
  6. Each time you redistribute the Program (or any work based on the
 Program), the recipient automatically receives a license from the
 original licensor to copy, distribute or modify the Program subject to
 these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties to
 this License.
  7. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
 otherwise) that contradict the conditions of this License, they do not
 excuse you from the conditions of this License.  If you cannot
 distribute so as to satisfy simultaneously your obligations under this
 License and any other pertinent obligations, then as a consequence you
 may not distribute the Program at all.  For example, if a patent
 license would not permit royalty-free redistribution of the Program by
 all those who receive copies directly or indirectly through you, then
 the only way you could satisfy both it and this License would be to
 refrain entirely from distribution of the Program.
 If any portion of this section is held invalid or unenforceable under
 any particular circumstance, the balance of the section is intended to
 apply and the section as a whole is intended to apply in other
 circumstances.
 It is not the purpose of this section to induce you to infringe any
 patents or other property right claims or to contest validity of any
 such claims; this section has the sole purpose of protecting the
 integrity of the free software distribution system, which is
 implemented by public license practices.  Many people have made
 generous contributions to the wide range of software distributed
 through that system in reliance on consistent application of that
 system; it is up to the author/donor to decide if he or she is willing
 to distribute software through any other system and a licensee cannot
 impose that choice.
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
  8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
 may add an explicit geographical distribution limitation excluding
 those countries, so that distribution is permitted only in or among
 countries not thus excluded.  In such case, this License incorporates
 the limitation as if written in the body of this License.
  9. The Free Software Foundation may publish revised and/or new versions
 of the General Public License from time to time.  Such new versions will
 be similar in spirit to the present version, but may differ in detail to
 address new problems or concerns.
 Each version is given a distinguishing version number.  If the Program
 specifies a version number of this License which applies to it and "any
 later version", you have the option of following the terms and conditions
 either of that version or of any later version published by the Free
 Software Foundation.  If the Program does not specify a version number of
 this License, you may choose any version ever published by the Free Software
 Foundation.
  10. If you wish to incorporate parts of the Program into other free
 programs whose distribution conditions are different, write to the author
 to ask for permission.  For software which is copyrighted by the Free
 Software Foundation, write to the Free Software Foundation; we sometimes
 make exceptions for this.  Our decision will be guided by the two goals
 of preserving the free status of all derivatives of our free software and
 of promoting the sharing and reuse of software generally.
                            NO WARRANTY
  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
 OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
 PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
 OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
 TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
 PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
 REPAIR OR CORRECTION.
  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
 WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
 REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
 INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
 OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
 TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
 YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
                     END OF TERMS AND CONDITIONS
            How to Apply These Terms to Your New Programs
  If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
 free software which everyone can redistribute and change under these terms.
  To do so, attach the following notices to the program.  It is safest
 to attach them to the start of each source file to most effectively
 convey the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
    <one line to give the program's name and a brief idea of what it does.>
    Copyright (C) <year>  <name of author>
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
    You should have received a copy of the GNU General Public License along
    with this program; if not, write to the Free Software Foundation, Inc.,
    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 Also add information on how to contact you by electronic and paper mail.
 If the program is interactive, make it output a short notice like this
 when it starts in an interactive mode:
    Gnomovision version 69, Copyright (C) year name of author
    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it
    under certain conditions; type `show c' for details.
 The hypothetical commands `show w' and `show c' should show the appropriate
 parts of the General Public License.  Of course, the commands you use may
 be called something other than `show w' and `show c'; they could even be
 mouse-clicks or menu items--whatever suits your program.
 You should also get your employer (if you work as a programmer) or your
 school, if any, to sign a "copyright disclaimer" for the program, if
 necessary.  Here is a sample; alter the names:
  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
  `Gnomovision' (which makes passes at compilers) written by James Hacker.
  <signature of Ty Coon>, 1 April 1989
  Ty Coon, President of Vice
 This General Public License does not permit incorporating your program into
 proprietary programs.  If your program is a subroutine library, you may
 consider it more useful to permit linking proprietary applications with the
 library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.
--- a/10
+++ b/10
@ -0,0 +1,10 @@
 2012-04-02  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.1.0
 	* Fully functional version for lastest 3.x kernels
 2011-08-24  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.1
 	* Initial public version.
--- a/15
+++ b/15
@ -1,8 +1,8 @@
 Installation Instructions
 *************************
-Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation,
+Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004, 2005,
-Inc.
+2006, 2007, 2008, 2009 Free Software Foundation, Inc.
   Copying and distribution of this file, with or without modification,
 are permitted in any medium without royalty provided the copyright
@ -226,11 +226,6 @@ order to use an ANSI C compiler:
 and if that doesn't work, install pre-built binaries of GCC for HP-UX.
   HP-UX `make' updates targets which have the same time stamps as
 their prerequisites, which makes it generally unusable when shipped
 generated files such as `configure' are involved.  Use GNU `make'
 instead.
   On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot
 parse its `<wchar.h>' header file.  The option `-nodtk' can be used as
 a workaround.  If GNU CC is not installed, it is therefore recommended
@ -309,10 +304,9 @@ causes the specified `gcc' to be used as the C compiler (unless it is
 overridden in the site shell script).
 Unfortunately, this technique does not work for `CONFIG_SHELL' due to
-an Autoconf limitation.  Until the limitation is lifted, you can use
+an Autoconf bug.  Until the bug is fixed you can use this workaround:
 this workaround:
-     CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash
+     CONFIG_SHELL=/bin/bash /bin/bash ./configure CONFIG_SHELL=/bin/bash
 `configure' Invocation
 ======================
@ -368,3 +362,4 @@ operates.
 `configure' also accepts some other, not widely useful, options.  Run
 `configure --help' for more details.
--- a/Makefile.am
+++ b/Makefile.am
@ -1,10 +1,6 @@
 SUBDIRS = src tests
 dist_man_MANS = evmctl.1
-doc_DATA =  examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
+#EXTRA_DIST = LEGAL acinclude.m4 include
 EXTRA_DIST = autogen.sh $(doc_DATA)
 CLEANFILES = *.html *.xsl
 ACLOCAL_AMFLAGS = -I m4
@ -15,7 +11,8 @@ pkgname = $(PACKAGE_NAME)-$(PACKAGE_VERSION)
 tarname = $(pkgname).tar.gz
 $(tarname):
-	git archive --format=tar --prefix=$(pkgname)/ v$(PACKAGE_VERSION) $(FILES) | gzip >$@
+	git tag -f v$(PACKAGE_VERSION)
 	git archive --format=tar --prefix=$(pkgname)/ v$(PACKAGE_VERSION) $(FILES) | gzip >$@;
 tar: $(tarname)
@ -23,17 +20,4 @@ rpm: $(tarname)
 	cp $(tarname) $(SRCS)/
 	rpmbuild -ba --nodeps $(SPEC)
 evmctl.1.html: README
 	@asciidoc -o $@ $<
 evmctl.1:
 	asciidoc -d manpage -b docbook -o evmctl.1.xsl README
 	xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl
 	rm -f evmctl.1.xsl
 rmman:
 	rm -f evmctl.1
 doc: evmctl.1.html rmman evmctl.1
 .PHONY: $(tarname)
--- a/193
+++ b/193
@ -1,193 +0,0 @@
 2020-08-11  Mimi Zohar <zohar@linux.ibm.com>
 	version 1.3.1:
 	* "--pcrs" support for per crypto algorithm
 	* Drop/rename "ima_measurement" options
 	* Moved this summary from "Changelog" to "NEWS", removing
 	  requirement for GNU empty files
 	* Distro build fixes
 2020-07-21  Mimi Zohar <zohar@linux.ibm.com>
 	version 1.3 new features:
 	* NEW ima-evm-utils regression test infrastructure with two initial
 	  tests:
 	  - ima_hash.test: calculate/verify different crypto hash algorithms
 	  - sign_verify.test: EVM and IMA sign/verify signature tests
 	* TPM 2.0 support
 	  - Calculate the new per TPM 2.0 bank template data digest
 	  - Support original padding the SHA1 template data digest
 	  - Compare ALL the re-calculated TPM 2.0 bank PCRs against the
 	    TPM 2.0 bank PCR values
 	  - Calculate the per TPM bank "boot_aggregate" values, including
 	    PCRs 8 & 9 in calculation
 	  - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
 	  - boot_aggregate.test: compare the calculated "boot_aggregate"
 	    values with the "boot_aggregate" value included in the IMA
 	    measurement.
 	* TPM 1.2 support
 	  - Additionally support reading the TPM 1.2 PCRs from a supplied file
 	    ("--pcrs" option)
 	* Based on original IMA LTP and standalone version support
 	  - Calculate the TPM 1.2 "boot_aggregate" based on the exported
 	    TPM 1.2 BIOS event log.
 	  - In addition to verifying the IMA measurement list against the
 	    the TPM PCRs, verify the IMA template data digest against the
 	    template data.  (Based on LTP "--verify" option.)
 	  - Ignore file measurement violations while verifying the IMA
 	    measurment list. (Based on LTP "--validate" option.)
 	  - Verify the file data signature included in the measurement list
 	    based on the file hash also included in the measurement list
 	    (--verify-sig)
 	  - Support original "ima" template (mixed templates not supported)
 	* Support "sm3" crypto name
 	Bug fixes and code cleanup:
 	* Don't exit with -1 on failure, exit with 125
 	* On signature verification failure, include pathname.
 	* Provide minimal hash_info.h file in case one doesn't exist, needed
 	  by the ima-evm-utils regression tests.
 	* On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs
 	* Fix hash_algo type comparison mismatch
 	* Simplify/clean up code
 	* Address compiler complaints and failures
 	* Fix memory allocations and leaks
 	* Sanity check provided input files are regular files
 	* Revert making "tsspcrread" a compile build time decision.
 	* Limit additional messages based on log level (-v)
 2019-07-30  Mimi Zohar <zohar@linux.ibm.com>
 	version 1.2.1 Bug fixes:
 	* When verifying multiple file signatures, return correct status
 	* Don't automatically use keys from x509 certs if user supplied "--rsa"
 	* Fix verifying DIGSIG_VERSION_1 signatures
 	* autoconf, openssl fixes
 2019-07-24  Mimi Zohar <zohar@linux.ibm.com>
 	version 1.2 new features:
 	* Generate EVM signatures based on the specified hash algorithm
 	* include "security.apparmor" in EVM signature
 	* Add support for writing & verifying "user.xxxx" xattrs for testing
 	* Support Strebog/Gost hash functions
 	* Add OpenSSL engine support
 	* Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
 	* Support verifying multiple signatures at once
 	* Support new template "buf" field and warn about other unknown fields
 	* Improve OpenSSL error reporting
 	* Support reading TPM 2.0 PCRs using tsspcrread
 	Bug fixes and code cleanup:
 	* Update manpage stylesheet detection
 	* Fix xattr.h include file
 	* On error when reading TPM PCRs, don't log gargabe
 	* Properly return keyid string to calc_keyid_v1/v2 callers, caused by
 	  limiting keyid output to verbose mode
 	* Fix hash buffer overflow caused by EVM support for larger hashes,
 	  defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
 	* Linked with libcrypto instead of OpenSSL
 	* Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
 	* Include new "hash-info.gen" in tar
 	* Log the hash algorithm, not just the hash value
 	* Fixed memory leaks in: EV_MD_CTX, init_public_keys
 	* Fixed other warnings/bugs discovered by clang, coverity
 	* Remove indirect calls in verify_hash() to improve code readability
 	* Don't fallback to using sha1
 	* Namespace some too generic object names
 	* Make functions/arrays static if possible
 2018-01-28  Mimi Zohar <zohar@us.ibm.com>
 	version 1.1
 	* Support the new openssl 1.1 api
 	* Support for validating multiple pcrs
 	* Verify the measurement list signature based on the list digest
 	* Verify the "ima-sig" measurement list using multiple keys
 	* Fixed parsing the measurement template data field length
 	* Portable & immutable EVM signatures (new format)
 	* Multiple fixes that have been lingering in the next branch. Some
 	  are for experimental features that are not yet supported in the
 	  kernel.
 2014-07-30  Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
 	version 1.0
 	* Recursive hashing
 	* Immutable EVM signatures (experimental)
 	* Command 'ima_clear' to remove xattrs
 	* Support for passing password to the library
 	* Support for asking password safely from the user
 2014-09-23  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.9
 	* Updated README
 	* man page generated and added to the package
 	* Use additional SMACK xattrs for EVM signature generation
 	* Signing functions moved to libimaevm for external use (RPM)
 	* Fixed setting of correct hash header
 2014-05-05  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.8
 	* Symbilic names for keyrings
 	* Hash list signing
 	* License text fix for using OpenSSL
 	* Help output fix
 2014-02-17  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.7
 	* Fix symbolic links related bugs
 	* Provide recursive fixing
 	* Provide recursive signing
 	* Move IMA verification to the library (first for LTP use)
 	* Support for target architecture data size
 	* Remove obsolete module signing code
 	* Code cleanup
 2013-08-28  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.6
 	* support for asymmetric crypto keys and new signature format (v2)
 	* fixes to set correct hash algo for digital signature v1
 	* uuid support for EVM
 	* signature verification support
 	* test scripts removed
 	* README updates
 2012-05-18  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.3
 	* llistxattr returns 0 if there are no xattrs and it is valid
 	* Added entry type to directory hash calculation
 	* inline block variable renamed
 	* Remove forced tag creation
 	* Use libexec for programs and scripts
 	* Some files updated
 	* Do not search for algorithm as it is known
 	* Refactored to remove redundant hash initialization code
 	* Added hash calculation for special files
 2012-04-05  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.2
 	* added RPM & TAR building makefile rules
 	* renamed evm-utils to ima-evm-utils
 	* added command options description
 	* updated error handling
 	* refactored redundant code
 2012-04-02  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.1.0
 	* Fully functional version for lastest 3.x kernels
 2011-08-24  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.1
 	* Initial public version.
--- a/455
+++ b/455
@ -1,445 +1,52 @@
 EVMCTL(1)
 =========
-NAME
+1. Generate private key
 ----
-evmctl - IMA/EVM signing utility
+# plain key
 openssl genrsa -out privkey_evm.pem 1024
 # encrypted key
 openssl genrsa -des3 -out privkey_evm.pem 1024
-SYNOPSIS
+# set password for the key
--------
+openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
 or
 openssl pkcs8 -topk8 -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem
-evmctl [options] <command> [OPTIONS]
+2. Generate public key
 openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
-DESCRIPTION
+3. Copy public (+private if to sign on device) key to the device/qemu /etc/keys
 -----------
-The evmctl utility can be used for producing and verifying digital signatures,
+scp pubkey_evm.pem mad:/etc/keys
 which are used by Linux kernel integrity subsystem (IMA/EVM). It can be also
 used to import keys into the kernel keyring.
-COMMANDS
+4. Load keys and enable EVM
 --------
- --version
+evm_enable.sh
 help <command>
 import [--rsa] pubkey keyring
 sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
 verify file
 ima_sign [--sigfile] [--key key] [--pass password] file
 ima_verify file
 ima_hash file
 ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
 ima_fix [-t fdsxm] path
 sign_hash [--key key] [--pass password]
 hmac [--imahash | --imasig ] file
 This should be done at early phase, before mounting root filesystem.
-OPTIONS
+5. Sign EVM and use hash value for IMA - common case
 -------
-  -a, --hashalgo     sha1 (default), sha224, sha256, sha384, sha512
+evmctl sign --imahash test.txt
  -s, --imasig       make IMA signature
  -d, --imahash      make IMA hash
  -f, --sigfile      store IMA signature in .sig file instead of xattr
      --xattr-user   store xattrs in user namespace (for testing purposes)
      --rsa          use RSA key type and signing scheme v1
  -k, --key          path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
  -o, --portable     generate portable EVM signatures
  -p, --pass         password for encrypted signing key
  -r, --recursive    recurse into directories (sign)
  -t, --type         file types to fix 'fdsxm' (f: file, d: directory, s: block/char/symlink)
                     x - skip fixing if both ima and evm xattrs exist (use with caution)
                     m - stay on the same filesystem (like 'find -xdev')
  -n                 print result to stdout instead of setting xattr
  -u, --uuid         use custom FS UUID for EVM (unspecified: from FS, empty: do not use)
      --smack        use extra SMACK xattrs for EVM
      --m32          force EVM hmac/signature for 32 bit target system
      --m64          force EVM hmac/signature for 64 bit target system
      --engine e     preload OpenSSL engine e (such as: gost)
      --pcrs         file containing TPM pcrs, one per hash-algorithm/bank
      --ignore-violations ignore ToMToU measurement violations
      --verify-sig   verify the file signature based on the file hash, both
                     stored in the template data.
  -v                 increase verbosity level
  -h, --help         display this help and exit
 6. Sign IMA and EVM - for immutable files and modules
-INTRODUCTION
+evmctl sign --imasig test.txt
 ------------
-Linux kernel integrity subsystem is comprised of a number of different components
+7. Sign whole filesystem
 including the Integrity Measurement Architecture (IMA), Extended Verification Module
 (EVM), IMA-appraisal extension, digital signature verification extension and audit
 measurement log support.
-The evmctl utility is used for producing and verifying digital signatures, which
+evm_sign_all.sh
-are used by the Linux kernel integrity subsystem. It is also used for importing keys
+or
-into the kernel keyring.
+find / \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) ! -path "/lib/modules/*" -type f -uid 0 -exec evmctl sign --imahash '{}' \;
 find /lib/modules ! -name "*.ko" -type f -uid 0 -exec evmctl sign --imahash '{}' \;
 # security.ima needs to have signature for modules
 find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl sign --imasig '{}' \;
-Linux integrity subsystem allows to use IMA and EVM signatures. EVM signature
+# generate signatures in .sig files
-protects file metadata, such as file attributes and extended attributes. IMA
+find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl -n --sigfile ima_sign '{}' \;
 signature protects file content.
-For more detailed information about integrity subsystem it is recommended to follow
+8. Label filesystem in fix mode...
 resources in RESOURCES section.
-
+ima_fix_dir.sh <dir>
 EVM HMAC and signature metadata
 -------------------------------
 EVM protects file metadata by including following attributes into HMAC and signature
 calculation: inode number, inode generation, UID, GID, file mode, security.selinux,
 security.SMACK64, security.ima, security.capability.
 EVM HMAC and signature in may also include additional file and file system attributes.
 Currently supported additional attributes are filesystem UUID and extra SMACK
 extended attributes.
 Kernel configuration option CONFIG_EVM_ATTR_FSUUID controls whether to include
 filesystem UUID into HMAC and enabled by default. Therefore evmctl also includes
 fsuuid by default. Providing '--uuid' option without parameter allows to disable
 usage of fs uuid. Providing '--uuid=UUID' option with parameter allows to use
 custom UUID. Providing the '--portable' option will disable usage of the fs uuid
 and also the inode number and generation.
 Kernel configuration option CONFIG_EVM_EXTRA_SMACK_XATTRS controls whether to
 include additional SMACK extended attributes into HMAC. They are following:
 security.SMACK64EXEC, security.SMACK64TRANSMUTE and security.SMACK64MMAP.
 evmctl '--smack' options enables that.
 Key and signature formats
 -------------------------
 Linux integrity subsystem supports two type of signature and respectively two
 key formats.
 First key format (v1) is pure RSA key encoded in PEM a format and uses own signature
 format. It is now non-default format and requires to provide evmctl '--rsa' option
 for signing and importing the key.
 Second key format uses X509 DER encoded public key certificates and uses asymmetric key support
 in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).
 Integrity keyrings
 ----------------
 Integrity subsystem uses dedicated IMA/EVM keyrings to search for signature verification
 keys - '_ima' and '_evm' respectively.
 Since 3.13 IMA allows to declare IMA keyring as trusted. It allows only to load keys,
 signed by a key from the system keyring (.system). It means self-signed keys are not
 allowed. This is a default behavior unless CONFIG_IMA_TRUSTED_KEYRING is undefined.
 IMA trusted keyring is has different name '.ima'. Trusted keyring requires X509
 public key certificates. Old version RSA public keys are not compatible with trusted
 keyring.
 Generate EVM encrypted keys
 ---------------------------
 EVM encrypted key is used for EVM HMAC calculation:
    # create and save the key kernel master key (user type)
    # LMK is used to encrypt encrypted keys
    keyctl add user kmk "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
    keyctl pipe `keyctl search @u user kmk` > /etc/keys/kmk
    # create the EVM encrypted key
    keyctl add encrypted evm-key "new user:kmk 64" @u
    keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key
 Generate EVM trusted keys (TPM based)
 -------------------------------------
 Trusted EVM keys are keys which a generate with the help of TPM.
 They are not related to integrity trusted keys.
    # create and save the key kernel master key (user type)
    keyctl add trusted kmk "new 32" @u
    keyctl pipe `keyctl search @u trusted kmk` >kmk
    # create the EVM trusted key
    keyctl add encrypted evm-key "new trusted:kmk 32" @u
    keyctl pipe `keyctl search @u encrypted evm-key` >evm-key
 Generate signing and verification keys
 --------------------------------------
 Generate private key in plain text format:
    openssl genrsa -out privkey_evm.pem 1024
 Generate encrypted private key:
    openssl genrsa -des3 -out privkey_evm.pem 1024
 Make encrypted private key from unencrypted:
    openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
 Generate self-signed X509 public key certificate and private key for using kernel
 asymmetric keys support:
    openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
    	        -x509 -config x509_evm.genkey \
 	        -outform DER -out x509_evm.der -keyout privkey_evm.pem
 Configuration file x509_evm.genkey:
 	# Begining of the file
 	[ req ]
 	default_bits = 1024
 	distinguished_name = req_distinguished_name
 	prompt = no
 	string_mask = utf8only
 	x509_extensions = myexts
 	[ req_distinguished_name ]
 	O = Magrathea
 	CN = Glacier signing key
 	emailAddress = slartibartfast@magrathea.h2g2
 	[ myexts ]
 	basicConstraints=critical,CA:FALSE
 	keyUsage=digitalSignature
 	subjectKeyIdentifier=hash
 	authorityKeyIdentifier=keyid
 	# EOF
 Generate public key for using RSA key format:
    openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
 Copy keys to /etc/keys:
    cp pubkey_evm.pem /etc/keys
    scp pubkey_evm.pem target:/etc/keys
 or
    cp x509_evm.pem /etc/keys
    scp x509_evm.pem target:/etc/keys
 Generate trusted keys
 ---------------------
 Generation of trusted keys is a bit more complicated process and involves
 following steps:
 * Creation of local IMA certification authority (CA).
  It consist of private and public key certificate which are used
  to sign and verify other keys.
 * Build Linux kernel with embedded local IMA CA X509 certificate.
  It is used to verify other keys added to the '.ima' trusted keyring
 * Generate IMA private signing key and verification public key certificate,
  which is signed using local IMA CA private key.
 Configuration file ima-local-ca.genkey:
 	# Begining of the file
 	[ req ]
 	default_bits = 2048
 	distinguished_name = req_distinguished_name
 	prompt = no
 	string_mask = utf8only
 	x509_extensions = v3_ca
 	[ req_distinguished_name ]
 	O = IMA-CA
 	CN = IMA/EVM certificate signing key
 	emailAddress = ca@ima-ca
 	[ v3_ca ]
 	basicConstraints=CA:TRUE
 	subjectKeyIdentifier=hash
 	authorityKeyIdentifier=keyid:always,issuer
 	# keyUsage = cRLSign, keyCertSign
 	# EOF
 Generate private key and X509 public key certificate:
 openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
             -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
 Produce X509 in DER format for using while building the kernel:
 openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
 Configuration file ima.genkey:
 	# Begining of the file
 	[ req ]
 	default_bits = 1024
 	distinguished_name = req_distinguished_name
 	prompt = no
 	string_mask = utf8only
 	x509_extensions = v3_usr
 	[ req_distinguished_name ]
 	O = `hostname`
 	CN = `whoami` signing key
 	emailAddress = `whoami`@`hostname`
 	[ v3_usr ]
 	basicConstraints=critical,CA:FALSE
 	#basicConstraints=CA:FALSE
 	keyUsage=digitalSignature
 	#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 	subjectKeyIdentifier=hash
 	authorityKeyIdentifier=keyid
 	#authorityKeyIdentifier=keyid,issuer
 	# EOF
 Generate private key and X509 public key certificate signing request:
 openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
             -out csr_ima.pem -keyout privkey_ima.pem
 Sign X509 public key certificate signing request with local IMA CA private key:
 openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
              -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
              -outform DER -out x509_ima.der
 Sign file data and metadata
 ---------------------------
 Default key locations:
 Private RSA key: /etc/keys/privkey_evm.pem
 Public RSA key: /etc/keys/pubkey_evm.pem
 X509 certificate: /etc/keys/x509_evm.der
 Options to remember: '-k', '-r', '--rsa', '--uuid', '--smack'.
 Sign file with EVM signature and calculate hash value for IMA:
    evmctl sign --imahash test.txt
 Sign file with both IMA and EVM signatures:
    evmctl sign --imasig test.txt:
 Sign file with IMA signature:
    evmctl ima_sign test.txt
 Sign recursively whole filesystem:
    evmctl -r sign --imahash /
 Fix recursively whole filesystem:
    evmctl -r ima_fix /
 Sign filesystem selectively using 'find' command:
    find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign --imahash '{}' \;
 Fix filesystem selectively using 'find' command:
    find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;
 Initialize IMA/EVM at early boot
 --------------------------------
 IMA/EVM initialization should be normally done from initial RAM file system
 before mounting root filesystem.
 Here is Ubuntu initramfs example script (/etc/initramfs-tools/scripts/local-top/ima.sh)
    # mount securityfs if not mounted
    SECFS=/sys/kernel/security
    grep -q  $SECFS /proc/mounts || mount -n -t securityfs securityfs $SECFS
    # search for IMA trusted keyring, then for untrusted
    ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
    if [ -z "$ima_id" ]; then
        ima_id=`keyctl search @u keyring _ima 2>/dev/null`
        if [ -z "$ima_id" ]; then
 	    ima_id=`keyctl newring _ima @u`
        fi
    fi
    # import IMA X509 certificate
    evmctl import /etc/keys/x509_ima.der $ima_id
    # search for EVM keyring
    evm_id=`keyctl search @u keyring _evm 2>/dev/null`
    if [ -z "$evm_id" ]; then
        evm_id=`keyctl newring _evm @u`
    fi
    # import EVM X509 certificate
    evmctl import /etc/keys/x509_evm.der $evm_id
    # a) import EVM encrypted key
    cat /etc/keys/kmk | keyctl padd user kmk @u
    keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
    # OR
    # b) import EVM trusted key
    keyctl add trusted kmk "load `cat /etc/keys/kmk`" @u
    keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
    # enable EVM
    echo "1" > /sys/kernel/security/evm
 Optionally it is possible also to forbid adding, removing of new public keys
 and certificates into keyrings and revoking keys using 'keyctl setperm' command:
    # protect EVM keyring
    keyctl setperm $evm_id 0x0b0b0000
    # protect IMA keyring
    keyctl setperm $ima_id 0x0b0b0000
    # protecting IMA key from revoking (against DoS)
    ima_key=`evmctl import /etc/keys/x509_ima.der $ima_id`
    keyctl setperm $ima_key 0x0b0b0000
 When using plain RSA public keys in PEM format, use 'evmctl import --rsa' for importing keys:
    evmctl import --rsa /etc/keys/pubkey_evm.pem $evm_id
 Latest version of keyctl allows to import X509 public key certificates:
    cat /etc/keys/x509_ima.der | keyctl padd asymmetric '' $ima_id
 FILES
 -----
 Examples of scripts to generate X509 public key certificates:
 /usr/share/doc/ima-evm-utils/ima-genkey-self.sh
 /usr/share/doc/ima-evm-utils/ima-genkey.sh
 /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh
 AUTHOR
 ------
 Written by Dmitry Kasatkin, <dmitry.kasatkin at gmail.com> and others.
 RESOURCES
 ---------
 http://sourceforge.net/p/linux-ima/wiki/Home
 http://sourceforge.net/p/linux-ima/ima-evm-utils
 COPYING
 -------
 Copyright \(C) 2012 - 2014 Linux Integrity Project. Free use of this software is granted under
 the terms of the GNU Public License (GPL).
--- a/build-static.sh
+++ b/build-static.sh
@ -1,4 +0,0 @@
 #!/bin/sh
 gcc -static -o evmctl.static -include config.h src/evmctl.c src/libimaevm.c -lcrypto -lkeyutils -ldl
--- a/configure.ac
+++ b/configure.ac
@ -1,13 +1,12 @@
 # autoconf script
 AC_PREREQ([2.65])
-AC_INIT(ima-evm-utils, 1.3.1, zohar@linux.ibm.com)
+AC_INIT(ima-evm-utils, 0.1.1, dmitry.kasatkin@intel.com)
-AM_INIT_AUTOMAKE([foreign])
+AM_INIT_AUTOMAKE(AC_PACKAGE_NAME, AC_PACKAGE_VERSION)
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CANONICAL_HOST
 AC_USE_SYSTEM_EXTENSIONS
 # Checks for programs.
 AC_PROG_CC
@ -25,29 +24,12 @@ LT_INIT
 # Checks for header files.
 AC_HEADER_STDC
-PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ])
+PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ])
-AC_SUBST(KERNEL_HEADERS)
+AC_SUBST(OPENSSL_CFLAGS)
 AC_SUBST(OPENSSL_LIBS)
 AC_CHECK_HEADER(unistd.h)
 AC_CHECK_HEADERS(openssl/conf.h)
 AC_CHECK_LIB([tss2-esys], [Esys_PCR_Read])
 AC_CHECK_LIB([tss2-rc], [Tss2_RC_Decode])
 AM_CONDITIONAL([USE_PCRTSS], [test "x$ac_cv_lib_tss2_esys_Esys_PCR_Read" = "xyes"])
 AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])])
 AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])])
 AC_ARG_WITH(kernel_headers, [AS_HELP_STRING([--with-kernel-headers=PATH],
 	    [specifies the Linux kernel-headers package location or kernel root directory you want to use])],
 	    [KERNEL_HEADERS="$withval"],
 	    [KERNEL_HEADERS=/lib/modules/$(uname -r)/source])
 AC_ARG_ENABLE([openssl_conf],
 	      [AS_HELP_STRING([--disable-openssl-conf], [disable loading of openssl config by evmctl])],
 	      [if test "$enable_openssl_conf" = "no"; then
 		AC_DEFINE(DISABLE_OPENSSL_CONF, 1, [Define to disable loading of openssl config by evmctl.])
 	      fi], [enable_openssl_conf=yes])
 #debug support - yes for a while
 PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
 if test $pkg_cv_enable_debug = yes; then
@ -56,8 +38,6 @@ else
 	CFLAGS="$CFLAGS -Wall -Wstrict-prototypes -pipe -fomit-frame-pointer"
 fi
 EVMCTL_MANPAGE_DOCBOOK_XSL
 # for gcov
 #CFLAGS="$CFLAGS -Wall -fprofile-arcs -ftest-coverage"
 #CXXFLAGS="$CXXFLAGS -Wall -fprofile-arcs -ftest-coverage"
@ -67,7 +47,7 @@ EVMCTL_MANPAGE_DOCBOOK_XSL
 AC_CONFIG_FILES([Makefile
 		src/Makefile
 		tests/Makefile
-		packaging/ima-evm-utils.spec
+		ima-evm-utils.spec
 		])
 AC_OUTPUT
@ -75,8 +55,6 @@ AC_OUTPUT
 echo
 echo
 echo	"Configuration:"		
-echo	"          debug: $pkg_cv_enable_debug"
+echo	"	debug:	$pkg_cv_enable_debug"
 echo	"   openssl-conf: $enable_openssl_conf"
 echo	"      tss2-esys: $ac_cv_lib_tss2_esys_Esys_PCR_Read"
 echo	" tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode"
 echo
--- a/examples/ima-gen-local-ca.sh
+++ b/examples/ima-gen-local-ca.sh
@ -1,29 +0,0 @@
 #!/bin/sh
 GENKEY=ima-local-ca.genkey
 cat << __EOF__ >$GENKEY
 [ req ]
 default_bits = 2048
 distinguished_name = req_distinguished_name
 prompt = no
 string_mask = utf8only
 x509_extensions = v3_ca
 [ req_distinguished_name ]
 O = IMA-CA
 CN = IMA/EVM certificate signing key
 emailAddress = ca@ima-ca
 [ v3_ca ]
 basicConstraints=CA:TRUE
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
 # keyUsage = cRLSign, keyCertSign
 __EOF__
 openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
 		-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
 openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
--- a/examples/ima-genkey-self.sh
+++ b/examples/ima-genkey-self.sh
@ -1,29 +0,0 @@
 #!/bin/sh
 GENKEY=x509_evm.genkey
 cat << __EOF__ >$GENKEY
 [ req ]
 default_bits = 1024
 distinguished_name = req_distinguished_name
 prompt = no
 string_mask = utf8only
 x509_extensions = myexts
 [ req_distinguished_name ]
 O = `hostname`
 CN = `whoami` signing key
 emailAddress = `whoami`@`hostname`
 [ myexts ]
 basicConstraints=critical,CA:FALSE
 keyUsage=digitalSignature
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
 __EOF__
 openssl req -x509 -new -nodes -utf8 -sha1 -days 3650 -batch -config $GENKEY \
 		-outform DER -out x509_evm.der -keyout privkey_evm.pem
 openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
--- a/examples/ima-genkey.sh
+++ b/examples/ima-genkey.sh
@ -1,33 +0,0 @@
 #!/bin/sh
 GENKEY=ima.genkey
 cat << __EOF__ >$GENKEY
 [ req ]
 default_bits = 1024
 distinguished_name = req_distinguished_name
 prompt = no
 string_mask = utf8only
 x509_extensions = v3_usr
 [ req_distinguished_name ]
 O = `hostname`
 CN = `whoami` signing key
 emailAddress = `whoami`@`hostname`
 [ v3_usr ]
 basicConstraints=critical,CA:FALSE
 #basicConstraints=CA:FALSE
 keyUsage=digitalSignature
 #keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
 #authorityKeyIdentifier=keyid,issuer
 __EOF__
 openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
 		-out csr_ima.pem -keyout privkey_ima.pem
 openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
 		-CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
 		-outform DER -out x509_ima.der
--- a/packaging/ima-evm-utils.spec.in
+++ b/packaging/ima-evm-utils.spec.in
@ -3,7 +3,7 @@ Version:	@PACKAGE_VERSION@
 Release:	1%{?dist}
 Summary:	@PACKAGE_NAME@ - IMA/EVM control utility
 Group:		System/Libraries
-License:	GPLv2
+License:	LGPLv2
 #URL:		
 Source0:	%{name}-%{version}.tar.gz
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root
@ -11,6 +11,7 @@ BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires:    autoconf
 BuildRequires:    automake
 BuildRequires:    openssl-devel
 BuildRequires:    libattr-devel
 BuildRequires:    keyutils-libs-devel
 %description
@ -43,8 +44,7 @@ exit 0
 %files
 %defattr(-,root,root,-)
 %{_bindir}/*
-%{_libdir}/libimaevm.*
+%{_libdir}/*
 %{_includedir}/*
 %changelog
 * Thu Apr 05 2012 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
--- a/m4/manpage-docbook-xsl.m4
+++ b/m4/manpage-docbook-xsl.m4
@ -1,28 +0,0 @@
 dnl Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
 dnl Find docbook manpage stylesheet
 AC_DEFUN([EVMCTL_MANPAGE_DOCBOOK_XSL], [
 	AC_PATH_PROGS(XMLCATALOG, xmlcatalog)
 	AC_ARG_WITH([xml-catalog],
 		AC_HELP_STRING([--with-xml-catalog=CATALOG],
 				[path to xml catalog to use]),,
 				[with_xml_catalog=/etc/xml/catalog])
 	XML_CATALOG_FILE="$with_xml_catalog"
 	AC_SUBST([XML_CATALOG_FILE])
 	AC_MSG_CHECKING([for XML catalog ($XML_CATALOG_FILE)])
 	if test -f "$XML_CATALOG_FILE"; then
 		have_xmlcatalog_file=yes
 		AC_MSG_RESULT([found])
 	else
 		AC_MSG_RESULT([not found])
 	fi
 	if test "x${XMLCATALOG}" != "x" -a "x$have_xmlcatalog_file" = "xyes"; then
 		DOCBOOK_XSL_URI="http://docbook.sourceforge.net/release/xsl/current"
 		DOCBOOK_XSL_PATH="manpages/docbook.xsl"
 		MANPAGE_DOCBOOK_XSL=$(${XMLCATALOG} ${XML_CATALOG_FILE} ${DOCBOOK_XSL_URI}/${DOCBOOK_XSL_PATH} | sed -n 's|^file:/\+|/|p;q')
 	fi
 	if test "x${MANPAGE_DOCBOOK_XSL}" = "x"; then
 		MANPAGE_DOCBOOK_XSL="/usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl"
 	fi
 	AC_SUBST(MANPAGE_DOCBOOK_XSL)
 ])
--- a/packaging/ima-evm-utils.spec
+++ b/packaging/ima-evm-utils.spec
@ -1,52 +0,0 @@
 Name:		ima-evm-utils
 Version:	1.3.1
 Release:	1%{?dist}
 Summary:	ima-evm-utils - IMA/EVM control utility
 Group:		System/Libraries
 License:	GPLv2
 #URL:		
 Source0:	%{name}-%{version}.tar.gz
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires:    autoconf
 BuildRequires:    automake
 BuildRequires:    openssl-devel
 BuildRequires:    keyutils-libs-devel
 %description
 This package provide IMA/EVM control utility
 %prep
 %setup -q
 %build
 ./autogen.sh
 %configure --prefix=/usr
 make
 %install
 rm -rf %{buildroot}
 make DESTDIR=%{buildroot} install
 %clean
 rm -rf %{buildroot}
 %post
 /sbin/ldconfig
 exit 0
 %preun -p /sbin/ldconfig
 %postun
 /sbin/ldconfig
 %files
 %defattr(-,root,root,-)
 %{_bindir}/*
 %{_libdir}/libimaevm.*
 %{_includedir}/*
 %changelog
 * Thu Apr 05 2012 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
 - Initial RPM spec file
--- a/src/.gitignore
+++ b/src/.gitignore
@ -1 +0,0 @@
 hash_info.h
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -1,34 +1,12 @@
 lib_LTLIBRARIES = libimaevm.la
 libimaevm_la_SOURCES = libimaevm.c
 libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
 # current[:revision[:age]]
 # result: [current-age].age.revision
 libimaevm_la_LDFLAGS = -version-info 2:0:0
 libimaevm_la_LIBADD =  $(LIBCRYPTO_LIBS)
 include_HEADERS = imaevm.h
 nodist_libimaevm_la_SOURCES = hash_info.h
 BUILT_SOURCES = hash_info.h
 EXTRA_DIST = hash_info.gen
 hash_info.h: Makefile
 	$(srcdir)/hash_info.gen $(KERNEL_HEADERS) >$@
 bin_PROGRAMS = evmctl
-evmctl_SOURCES = evmctl.c utils.c
+evmctl_SOURCES = evmctl.c
-evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
+evmctl_CPPFLAGS = $(OPENSSL_CFLAGS)
 evmctl_LDFLAGS = $(LDFLAGS_READLINE)
-evmctl_LDADD =  $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la
+evmctl_LDADD =  $(OPENSSL_LIBS) -lkeyutils
-if USE_PCRTSS
+INCLUDES = -I$(top_srcdir) -include config.h
 evmctl_SOURCES += pcr_tss.c
 else
 evmctl_SOURCES += pcr_tsspcrread.c
 endif
 AM_CPPFLAGS = -I$(top_srcdir) -include config.h
 CLEANFILES = hash_info.h tmp_hash_info.h
 DISTCLEANFILES = @DISTCLEANFILES@
--- a/src/evmctl.c
+++ b/src/evmctl.c
--- a/src/hash_info.gen
+++ b/src/hash_info.gen
@ -1,92 +0,0 @@
 #!/bin/sh
 #
 # Generate hash_info.h from kernel headers
 #
 # Copyright (C) 2018 <vt@altlinux.org>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2, or (at your option)
 # any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 KERNEL_HEADERS=$1
 HASH_INFO_H=uapi/linux/hash_info.h
 HASH_INFO=$KERNEL_HEADERS/include/$HASH_INFO_H
 TMPHASHINFO="./tmp_hash_info.h"
 gen_hashinfo() {
 cat << __EOF__ >$TMPHASHINFO
 /* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
 /*
 * Hash Info: Hash algorithms information
 *
 * Copyright (c) 2013 Dmitry Kasatkin <d.kasatkin@samsung.com>
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the Free
 * Software Foundation; either version 2 of the License, or (at your option)
 * any later version.
 *
 */
 enum hash_algo {
 	HASH_ALGO_MD4,
 	HASH_ALGO_MD5,
 	HASH_ALGO_SHA1,
 	HASH_ALGO_RIPE_MD_160,
 	HASH_ALGO_SHA256,
 	HASH_ALGO_SHA384,
 	HASH_ALGO_SHA512,
 	HASH_ALGO_SHA224,
 	HASH_ALGO_RIPE_MD_128,
 	HASH_ALGO_RIPE_MD_256,
 	HASH_ALGO_RIPE_MD_320,
 	HASH_ALGO_WP_256,
 	HASH_ALGO_WP_384,
 	HASH_ALGO_WP_512,
 	HASH_ALGO_TGR_128,
 	HASH_ALGO_TGR_160,
 	HASH_ALGO_TGR_192,
 	HASH_ALGO_SM3_256,
 	HASH_ALGO__LAST
 };
 __EOF__
 }
 # Allow to specify kernel-headers past include/
 if [ ! -e $HASH_INFO ]; then
  HASH_INFO2=$KERNEL_HEADERS/$HASH_INFO_H
  if [ -e $HASH_INFO2 ]; then
    HASH_INFO=$HASH_INFO2
  else
    gen_hashinfo
    HASH_INFO="$TMPHASHINFO"
  fi
 fi
 if [ ! -e $HASH_INFO ]; then
  echo "/* $HASH_INFO is not found */"
  HASH_INFO=/dev/null
 else
  echo "/* $HASH_INFO is found */"
 fi
 echo "enum hash_algo {"
 grep HASH_ALGO_.*, $HASH_INFO
 printf "\tHASH_ALGO__LAST\n"
 echo "};"
 echo "const char *const hash_algo_name[HASH_ALGO__LAST] = {"
 sed -n 's/HASH_ALGO_\(.*\),/\1 \L\1\E/p' $HASH_INFO | \
  while read a b; do
    # Normalize text hash name: if it contains underscore between
    # digits replace it with a dash, other underscores are removed.
    b=$(echo "$b" | sed "s/\([0-9]\)_\([0-9]\)/\1-\2/g;s/_//g")
    printf '\t%-26s = "%s",\n' "[HASH_ALGO_$a]" "$b"
  done
 echo "};"
--- a/src/imaevm.h
+++ b/src/imaevm.h
@ -1,229 +0,0 @@
 /*
 * ima-evm-utils - IMA/EVM support utilities
 *
 * Copyright (C) 2011 Nokia Corporation
 * Copyright (C) 2011,2012,2013 Intel Corporation
 * Copyright (C) 2013,2014 Samsung Electronics
 *
 * Authors:
 * Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
 *                 <dmitry.kasatkin@intel.com>
 *                 <d.kasatkin@samsung.com>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * version 2 as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * As a special exception, the copyright holders give permission to link the
 * code of portions of this program with the OpenSSL library under certain
 * conditions as described in each individual source file and distribute
 * linked combinations including the program with the OpenSSL library. You
 * must comply with the GNU General Public License in all respects
 * for all of the code used other than as permitted herein. If you modify
 * file(s) with this exception, you may extend this exception to your
 * version of the file(s), but you are not obligated to do so. If you do not
 * wish to do so, delete this exception statement from your version. If you
 * delete this exception statement from all source files in the program,
 * then also delete it in the license file.
 *
 * File: imaevm.h
 *	 IMA/EVM header file
 */
 #ifndef _LIBIMAEVM_H
 #define _LIBIMAEVM_H
 #include <linux/fs.h>
 #include <stdint.h>
 #include <syslog.h>
 #include <stdbool.h>
 #include <errno.h>
 #include <sys/types.h>
 #include <openssl/rsa.h>
 #ifdef USE_FPRINTF
 #define do_log(level, fmt, args...)	\
 	({ if (level <= imaevm_params.verbose) fprintf(stderr, fmt, ##args); })
 #define do_log_dump(level, p, len, cr)	\
 	({ if (level <= imaevm_params.verbose) imaevm_do_hexdump(stderr, p, len, cr); })
 #else
 #define do_log(level, fmt, args...)	syslog(level, fmt, ##args)
 #define do_log_dump(level, p, len, cr)
 #endif
 #ifdef DEBUG
 #define log_debug(fmt, args...)		do_log(LOG_DEBUG, "%s:%d " fmt, __func__ , __LINE__ , ##args)
 #define log_debug_dump(p, len)		do_log_dump(LOG_DEBUG, p, len, true)
 #define log_debug_dump_n(p, len)	do_log_dump(LOG_DEBUG, p, len, false)
 #else
 #define log_debug(fmt, args...)
 #define log_debug_dump(p, len)
 #endif
 #define log_dump(p, len)		do_log_dump(LOG_INFO, p, len, true)
 #define log_dump_n(p, len)		do_log_dump(LOG_INFO, p, len, false)
 #define log_info(fmt, args...)		do_log(LOG_INFO, fmt, ##args)
 #define log_err(fmt, args...)		do_log(LOG_ERR, fmt, ##args)
 #define log_errno(fmt, args...)		do_log(LOG_ERR, fmt ": errno: %s (%d)\n", ##args, strerror(errno), errno)
 #define	DATA_SIZE	4096
 #define SHA1_HASH_LEN   20
 #define MAX_DIGEST_SIZE		64
 #define MAX_SIGNATURE_SIZE	1024
 #define __packed __attribute__((packed))
 enum evm_ima_xattr_type {
 	IMA_XATTR_DIGEST = 0x01,
 	EVM_XATTR_HMAC,
 	EVM_IMA_XATTR_DIGSIG,
 	IMA_XATTR_DIGEST_NG,
 	EVM_XATTR_PORTABLE_DIGSIG,
 };
 struct h_misc {
 	unsigned long ino;
 	uint32_t generation;
 	uid_t uid;
 	gid_t gid;
 	unsigned short mode;
 };
 struct h_misc_32 {
 	uint32_t ino;
 	uint32_t generation;
 	uid_t uid;
 	gid_t gid;
 	unsigned short mode;
 };
 struct h_misc_64 {
 	uint64_t ino;
 	uint32_t generation;
 	uid_t uid;
 	gid_t gid;
 	unsigned short mode;
 };
 struct h_misc_digsig {
 	uid_t uid;
 	gid_t gid;
 	unsigned short mode;
 };
 enum pubkey_algo {
 	PUBKEY_ALGO_RSA,
 	PUBKEY_ALGO_MAX,
 };
 enum digest_algo {
 	DIGEST_ALGO_SHA1,
 	DIGEST_ALGO_SHA256,
 	DIGEST_ALGO_MAX
 };
 enum digsig_version {
 	DIGSIG_VERSION_1 = 1,
 	DIGSIG_VERSION_2
 };
 struct pubkey_hdr {
 	uint8_t version;	/* key format version */
 	uint32_t timestamp;	/* key made, always 0 for now */
 	uint8_t algo;
 	uint8_t nmpi;
 	char mpi[0];
 } __packed;
 struct signature_hdr {
 	uint8_t version;	/* signature format version */
 	uint32_t timestamp;	/* signature made */
 	uint8_t algo;
 	uint8_t hash;
 	uint8_t keyid[8];
 	uint8_t nmpi;
 	char mpi[0];
 } __packed;
 /* reflect enum hash_algo from include/uapi/linux/hash_info.h */
 enum pkey_hash_algo {
 	PKEY_HASH_MD4,
 	PKEY_HASH_MD5,
 	PKEY_HASH_SHA1,
 	PKEY_HASH_RIPE_MD_160,
 	PKEY_HASH_SHA256,
 	PKEY_HASH_SHA384,
 	PKEY_HASH_SHA512,
 	PKEY_HASH_SHA224,
 	PKEY_HASH_RIPE_MD_128,
 	PKEY_HASH_RIPE_MD_256,
 	PKEY_HASH_RIPE_MD_320,
 	PKEY_HASH_WP_256,
 	PKEY_HASH_WP_384,
 	PKEY_HASH_WP_512,
 	PKEY_HASH_TGR_128,
 	PKEY_HASH_TGR_160,
 	PKEY_HASH_TGR_192,
 	PKEY_HASH_SM3_256,
 	PKEY_HASH_STREEBOG_256,
 	PKEY_HASH_STREEBOG_512,
 	PKEY_HASH__LAST
 };
 /*
 * signature format v2 - for using with asymmetric keys
 */
 struct signature_v2_hdr {
 	uint8_t version;	/* signature format version */
 	uint8_t	hash_algo;	/* Digest algorithm [enum pkey_hash_algo] */
 	uint32_t keyid;		/* IMA key identifier - not X509/PGP specific*/
 	uint16_t sig_size;	/* signature size */
 	uint8_t sig[0];		/* signature payload */
 } __packed;
 struct libimaevm_params {
 	int verbose;
 	int x509;
 	const char *hash_algo;
 	const char *keyfile;
 	const char *keypass;
 };
 struct RSA_ASN1_template {
 	const uint8_t *data;
 	size_t size;
 };
 #define	NUM_PCRS 24
 #define DEFAULT_PCR 10
 extern struct libimaevm_params imaevm_params;
 void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr);
 void imaevm_hexdump(const void *ptr, int len);
 int ima_calc_hash(const char *file, uint8_t *hash);
 int imaevm_get_hash_algo(const char *algo);
 RSA *read_pub_key(const char *keyfile, int x509);
 EVP_PKEY *read_pub_pkey(const char *keyfile, int x509);
 void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len);
 void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey);
 int key2bin(RSA *key, unsigned char *pub);
 int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig);
 int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen);
 int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen);
 void init_public_keys(const char *keyfiles);
 int imaevm_hash_algo_from_sig(unsigned char *sig);
 const char *imaevm_hash_algo_by_id(int algo);
 #endif
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@ -1,995 +0,0 @@
 /*
 * ima-evm-utils - IMA/EVM support utilities
 *
 * Copyright (C) 2011 Nokia Corporation
 * Copyright (C) 2011,2012,2013 Intel Corporation
 * Copyright (C) 2013,2014 Samsung Electronics
 *
 * Authors:
 * Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
 *                 <dmitry.kasatkin@intel.com>
 *                 <d.kasatkin@samsung.com>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * version 2 as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * As a special exception, the copyright holders give permission to link the
 * code of portions of this program with the OpenSSL library under certain
 * conditions as described in each individual source file and distribute
 * linked combinations including the program with the OpenSSL library. You
 * must comply with the GNU General Public License in all respects
 * for all of the code used other than as permitted herein. If you modify
 * file(s) with this exception, you may extend this exception to your
 * version of the file(s), but you are not obligated to do so. If you do not
 * wish to do so, delete this exception statement from your version. If you
 * delete this exception statement from all source files in the program,
 * then also delete it in the license file.
 *
 * File: libimaevm.c
 *	 IMA/EVM library
 */
 /* should we use logger instead for library? */
 #define USE_FPRINTF
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/stat.h>
 #include <asm/byteorder.h>
 #include <unistd.h>
 #include <dirent.h>
 #include <string.h>
 #include <stdio.h>
 #include <assert.h>
 #include <ctype.h>
 #include <openssl/crypto.h>
 #include <openssl/pem.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/err.h>
 #include "imaevm.h"
 #include "hash_info.h"
 /* Names that are primary for OpenSSL. */
 static const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
 	[PKEY_HASH_MD4]		= "md4",
 	[PKEY_HASH_MD5]		= "md5",
 	[PKEY_HASH_SHA1]	= "sha1",
 	[PKEY_HASH_RIPE_MD_160]	= "rmd160",
 	[PKEY_HASH_SHA256]	= "sha256",
 	[PKEY_HASH_SHA384]	= "sha384",
 	[PKEY_HASH_SHA512]	= "sha512",
 	[PKEY_HASH_SHA224]	= "sha224",
 	[PKEY_HASH_SM3_256]	= "sm3",
 	[PKEY_HASH_STREEBOG_256] = "md_gost12_256",
 	[PKEY_HASH_STREEBOG_512] = "md_gost12_512",
 };
 /* Names that are primary for the kernel. */
 static const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = {
 	[PKEY_HASH_STREEBOG_256] = "streebog256",
 	[PKEY_HASH_STREEBOG_512] = "streebog512",
 };
 struct libimaevm_params imaevm_params = {
 	.verbose = LOG_INFO,
 	.x509 = 1,
 	.hash_algo = "sha1",
 };
 static void __attribute__ ((constructor)) libinit(void);
 void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr)
 {
 	int i;
 	uint8_t *data = (uint8_t *) ptr;
 	for (i = 0; i < len; i++)
 		fprintf(fp, "%02x", data[i]);
 	if (cr)
 		fprintf(fp, "\n");
 }
 void imaevm_hexdump(const void *ptr, int len)
 {
 	imaevm_do_hexdump(stdout, ptr, len, true);
 }
 const char *imaevm_hash_algo_by_id(int algo)
 {
 	if (algo < PKEY_HASH__LAST)
 		return pkey_hash_algo[algo];
 	if (algo < HASH_ALGO__LAST)
 		return hash_algo_name[algo];
 	log_err("digest %d not found\n", algo);
 	return NULL;
 }
 /* Output all remaining openssl error messages. */
 static void output_openssl_errors(void)
 {
 	while (ERR_peek_error()) {
 		char buf[256];
 		/* buf must be at least 256 bytes long according to man */
 		ERR_error_string(ERR_get_error(), buf);
 		log_err("openssl: %s\n", buf);
 	}
 }
 static int add_file_hash(const char *file, EVP_MD_CTX *ctx)
 {
 	uint8_t *data;
 	int err = -1, bs = DATA_SIZE;
 	off_t size, len;
 	FILE *fp;
 	struct stat stats;
 	fp = fopen(file, "r");
 	if (!fp) {
 		log_err("Failed to open: %s\n", file);
 		return -1;
 	}
 	data = malloc(bs);
 	if (!data) {
 		log_err("malloc failed\n");
 		goto out;
 	}
 	if (fstat(fileno(fp), &stats) == -1) {
 		log_err("Failed to fstat: %s (%s)\n", file, strerror(errno));
 		goto out;
 	}
 	for (size = stats.st_size; size; size -= len) {
 		len = MIN(size, bs);
 		if (!fread(data, len, 1, fp)) {
 			if (ferror(fp)) {
 				log_err("fread() failed\n\n");
 				goto out;
 			}
 			break;
 		}
 		if (!EVP_DigestUpdate(ctx, data, len)) {
 			log_err("EVP_DigestUpdate() failed\n");
 			err = 1;
 			goto out;
 		}
 	}
 	err = 0;
 out:
 	fclose(fp);
 	free(data);
 	return err;
 }
 static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
 {
 	int err;
 	struct dirent *de;
 	DIR *dir;
 	unsigned long long ino, off;
 	unsigned int type;
 	int result = 0;
 	dir = opendir(file);
 	if (!dir) {
 		log_err("Failed to open: %s\n", file);
 		return -1;
 	}
 	while ((de = readdir(dir))) {
 		ino = de->d_ino;
 		off = de->d_off;
 		type = de->d_type;
 		log_debug("entry: %s, ino: %llu, type: %u, off: %llu, reclen: %hu\n",
 			  de->d_name, ino, type, off, de->d_reclen);
 		err = EVP_DigestUpdate(ctx, de->d_name, strlen(de->d_name));
 		/*err |= EVP_DigestUpdate(ctx, &off, sizeof(off));*/
 		err |= EVP_DigestUpdate(ctx, &ino, sizeof(ino));
 		err |= EVP_DigestUpdate(ctx, &type, sizeof(type));
 		if (!err) {
 			log_err("EVP_DigestUpdate() failed\n");
 			output_openssl_errors();
 			result = 1;
 			break;
 		}
 	}
 	closedir(dir);
 	return result;
 }
 static int add_link_hash(const char *path, EVP_MD_CTX *ctx)
 {
 	int err;
 	char buf[1024];
 	err = readlink(path, buf, sizeof(buf));
 	if (err <= 0)
 		return -1;
 	log_info("link: %s -> %.*s\n", path, err, buf);
 	return !EVP_DigestUpdate(ctx, buf, err);
 }
 static int add_dev_hash(struct stat *st, EVP_MD_CTX *ctx)
 {
 	uint32_t dev = st->st_rdev;
 	unsigned major = (dev & 0xfff00) >> 8;
 	unsigned minor = (dev & 0xff) | ((dev >> 12) & 0xfff00);
 	log_info("device: %u:%u\n", major, minor);
 	return !EVP_DigestUpdate(ctx, &dev, sizeof(dev));
 }
 int ima_calc_hash(const char *file, uint8_t *hash)
 {
 	const EVP_MD *md;
 	struct stat st;
 	EVP_MD_CTX *pctx;
 	unsigned int mdlen;
 	int err;
 #if OPENSSL_VERSION_NUMBER < 0x10100000
 	EVP_MD_CTX ctx;
 	pctx = &ctx;
 #else
 	pctx = EVP_MD_CTX_new();
 #endif
 	/*  Need to know the file length */
 	err = lstat(file, &st);
 	if (err < 0) {
 		log_err("Failed to stat: %s\n", file);
 		goto err;
 	}
 	md = EVP_get_digestbyname(imaevm_params.hash_algo);
 	if (!md) {
 		log_err("EVP_get_digestbyname(%s) failed\n",
 			imaevm_params.hash_algo);
 		err = 1;
 		goto err;
 	}
 	err = EVP_DigestInit(pctx, md);
 	if (!err) {
 		log_err("EVP_DigestInit() failed\n");
 		err = 1;
 		goto err;
 	}
 	switch (st.st_mode & S_IFMT) {
 	case S_IFREG:
 		err = add_file_hash(file, pctx);
 		break;
 	case S_IFDIR:
 		err = add_dir_hash(file, pctx);
 		break;
 	case S_IFLNK:
 		err = add_link_hash(file, pctx);
 		break;
 	case S_IFIFO: case S_IFSOCK:
 	case S_IFCHR: case S_IFBLK:
 		err = add_dev_hash(&st, pctx);
 		break;
 	default:
 		log_errno("Unsupported file type");
 		err = -1;
 		goto err;
 	}
 	if (err)
 		goto err;
 	err = EVP_DigestFinal(pctx, hash, &mdlen);
 	if (!err) {
 		log_err("EVP_DigestFinal() failed\n");
 		err = 1;
 		goto err;
 	}
 	err = mdlen;
 err:
 	if (err == 1)
 		output_openssl_errors();
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
 	EVP_MD_CTX_free(pctx);
 #endif
 	return err;
 }
 EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
 {
 	FILE *fp;
 	EVP_PKEY *pkey = NULL;
 	if (!keyfile)
 		return NULL;
 	fp = fopen(keyfile, "r");
 	if (!fp) {
 		if (imaevm_params.verbose > LOG_INFO)
 			log_info("Failed to open keyfile: %s\n", keyfile);
 		return NULL;
 	}
 	if (x509) {
 		X509 *crt = d2i_X509_fp(fp, NULL);
 		if (!crt) {
 			log_err("Failed to d2i_X509_fp key file: %s\n",
 				keyfile);
 			goto out;
 		}
 		pkey = X509_extract_key(crt);
 		X509_free(crt);
 		if (!pkey) {
 			log_err("Failed to X509_extract_key key file: %s\n",
 				keyfile);
 			goto out;
 		}
 	} else {
 		pkey = PEM_read_PUBKEY(fp, NULL, NULL, NULL);
 		if (!pkey)
 			log_err("Failed to PEM_read_PUBKEY key file: %s\n",
 				keyfile);
 	}
 out:
 	if (!pkey)
 		output_openssl_errors();
 	fclose(fp);
 	return pkey;
 }
 RSA *read_pub_key(const char *keyfile, int x509)
 {
 	EVP_PKEY *pkey;
 	RSA *key;
 	pkey = read_pub_pkey(keyfile, x509);
 	if (!pkey)
 		return NULL;
 	key = EVP_PKEY_get1_RSA(pkey);
 	EVP_PKEY_free(pkey);
 	if (!key) {
 		log_err("read_pub_key: unsupported key type\n");
 		output_openssl_errors();
 		return NULL;
 	}
 	return key;
 }
 static int verify_hash_v1(const char *file, const unsigned char *hash, int size,
 			  unsigned char *sig, int siglen, const char *keyfile)
 {
 	int err, len;
 	SHA_CTX ctx;
 	unsigned char out[1024];
 	RSA *key;
 	unsigned char sighash[20];
 	struct signature_hdr *hdr = (struct signature_hdr *)sig;
 	log_info("hash-v1: ");
 	log_dump(hash, size);
 	key = read_pub_key(keyfile, 0);
 	if (!key)
 		return 1;
 	SHA1_Init(&ctx);
 	SHA1_Update(&ctx, hash, size);
 	SHA1_Update(&ctx, hdr, sizeof(*hdr));
 	SHA1_Final(sighash, &ctx);
 	log_info("sighash: ");
 	log_dump(sighash, sizeof(sighash));
 	err = RSA_public_decrypt(siglen - sizeof(*hdr) - 2, sig + sizeof(*hdr) + 2, out, key, RSA_PKCS1_PADDING);
 	RSA_free(key);
 	if (err < 0) {
 		log_err("%s: RSA_public_decrypt() failed: %d\n", file, err);
 		output_openssl_errors();
 		return 1;
 	}
 	len = err;
 	if (len != sizeof(sighash) || memcmp(out, sighash, len) != 0) {
 		log_err("%s: verification failed: %d\n", file, err);
 		return -1;
 	}
 	return 0;
 }
 struct public_key_entry {
 	struct public_key_entry *next;
 	uint32_t keyid;
 	char name[9];
 	EVP_PKEY *key;
 };
 static struct public_key_entry *public_keys = NULL;
 static EVP_PKEY *find_keyid(uint32_t keyid)
 {
 	struct public_key_entry *entry, *tail = public_keys;
 	int i = 1;
 	for (entry = public_keys; entry != NULL; entry = entry->next) {
 		if (entry->keyid == keyid)
 			return entry->key;
 		i++;
 		tail = entry;
 	}
 	/* add unknown keys to list */
 	entry = calloc(1, sizeof(struct public_key_entry));
 	if (!entry) {
 		perror("calloc");
 		return 0;
 	}
 	entry->keyid = keyid;
 	if (tail)
 		tail->next = entry;
 	else
 		public_keys = entry;
 	log_err("key %d: %x (unknown keyid)\n", i, __be32_to_cpup(&keyid));
 	return 0;
 }
 void init_public_keys(const char *keyfiles)
 {
 	struct public_key_entry *entry;
 	char *tmp_keyfiles, *keyfiles_free;
 	char *keyfile;
 	int i = 1;
 	tmp_keyfiles = strdup(keyfiles);
 	keyfiles_free = tmp_keyfiles;
 	while ((keyfile = strsep(&tmp_keyfiles, ", \t")) != NULL) {
 		if (!keyfile)
 			break;
 		if ((*keyfile == '\0') || (*keyfile == ' ') ||
 		    (*keyfile == '\t'))
 			continue;
 		entry = malloc(sizeof(struct public_key_entry));
 		if (!entry) {
 			perror("malloc");
 			break;
 		}
 		entry->key = read_pub_pkey(keyfile, 1);
 		if (!entry->key) {
 			free(entry);
 			continue;
 		}
 		calc_keyid_v2(&entry->keyid, entry->name, entry->key);
 		sprintf(entry->name, "%x", __be32_to_cpup(&entry->keyid));
 		log_info("key %d: %s %s\n", i++, entry->name, keyfile);
 		entry->next = public_keys;
 		public_keys = entry;
 	}
 	free(keyfiles_free);
 }
 /*
 * Return: 0 verification good, 1 verification bad, -1 error.
 */
 static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
 			  unsigned char *sig, int siglen)
 {
 	int ret = -1;
 	EVP_PKEY *pkey, *pkey_free = NULL;
 	struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
 	EVP_PKEY_CTX *ctx;
 	const EVP_MD *md;
 	const char *st;
 	if (imaevm_params.verbose > LOG_INFO) {
 		log_info("hash(%s): ", imaevm_params.hash_algo);
 		log_dump(hash, size);
 	}
 	pkey = find_keyid(hdr->keyid);
 	if (!pkey) {
 		uint32_t keyid = hdr->keyid;
 		if (imaevm_params.verbose > LOG_INFO)
 			log_info("%s: verification failed: unknown keyid %x\n",
 				 file, __be32_to_cpup(&keyid));
 		return -1;
 	}
 	st = "EVP_PKEY_CTX_new";
 	if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
 		goto err;
 	st = "EVP_PKEY_verify_init";
 	if (!EVP_PKEY_verify_init(ctx))
 		goto err;
 	st = "EVP_get_digestbyname";
 	if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo)))
 		goto err;
 	st = "EVP_PKEY_CTX_set_signature_md";
 	if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
 		goto err;
 	st = "EVP_PKEY_verify";
 	ret = EVP_PKEY_verify(ctx, sig + sizeof(*hdr),
 			      siglen - sizeof(*hdr), hash, size);
 	if (ret == 1)
 		ret = 0;
 	else if (ret == 0) {
 		log_err("%s: verification failed: %d (%s)\n",
 			file, ret, ERR_reason_error_string(ERR_get_error()));
 		output_openssl_errors();
 		ret = 1;
 	}
 err:
 	if (ret < 0 || ret > 1) {
 		log_err("%s: verification failed: %d (%s) in %s\n",
 			file, ret, ERR_reason_error_string(ERR_peek_error()),
 			st);
 		output_openssl_errors();
 		ret = -1;
 	}
 	EVP_PKEY_CTX_free(ctx);
 	EVP_PKEY_free(pkey_free);
 	return ret;
 }
 int imaevm_get_hash_algo(const char *algo)
 {
 	int i;
 	/* first iterate over builtin algorithms */
 	for (i = 0; i < PKEY_HASH__LAST; i++)
 		if (pkey_hash_algo[i] &&
 		    !strcmp(algo, pkey_hash_algo[i]))
 			return i;
 	for (i = 0; i < PKEY_HASH__LAST; i++)
 		if (pkey_hash_algo_kern[i] &&
 		    !strcmp(algo, pkey_hash_algo_kern[i]))
 			return i;
 	/* iterate over algorithms provided by kernel-headers */
 	for (i = 0; i < HASH_ALGO__LAST; i++)
 		if (hash_algo_name[i] &&
 		    !strcmp(algo, hash_algo_name[i]))
 			return i;
 	return -1;
 }
 int imaevm_hash_algo_from_sig(unsigned char *sig)
 {
 	uint8_t hashalgo;
 	if (sig[0] == DIGSIG_VERSION_1) {
 		hashalgo = ((struct signature_hdr *)sig)->hash;
 		if (hashalgo >= DIGEST_ALGO_MAX)
 			return -1;
 		switch (hashalgo) {
 		case DIGEST_ALGO_SHA1:
 			return PKEY_HASH_SHA1;
 		case DIGEST_ALGO_SHA256:
 			return PKEY_HASH_SHA256;
 		default:
 			return -1;
 		}
 	} else if (sig[0] == DIGSIG_VERSION_2) {
 		hashalgo = ((struct signature_v2_hdr *)sig)->hash_algo;
 		if (hashalgo >= PKEY_HASH__LAST)
 			return -1;
 		return hashalgo;
 	} else
 		return -1;
 }
 int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig,
 		int siglen)
 {
 	/* Get signature type from sig header */
 	if (sig[0] == DIGSIG_VERSION_1) {
 		const char *key = NULL;
 		/* Read pubkey from RSA key */
 		if (!imaevm_params.keyfile)
 			key = "/etc/keys/pubkey_evm.pem";
 		else
 			key = imaevm_params.keyfile;
 		return verify_hash_v1(file, hash, size, sig, siglen, key);
 	} else if (sig[0] == DIGSIG_VERSION_2) {
 		return verify_hash_v2(file, hash, size, sig, siglen);
 	} else
 		return -1;
 }
 int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
 			 unsigned char *digest, int digestlen)
 {
 	unsigned char hash[MAX_DIGEST_SIZE];
 	int hashlen, sig_hash_algo;
 	if (sig[0] != EVM_IMA_XATTR_DIGSIG) {
 		log_err("%s: xattr ima has no signature\n", file);
 		return -1;
 	}
 	sig_hash_algo = imaevm_hash_algo_from_sig(sig + 1);
 	if (sig_hash_algo < 0) {
 		log_err("%s: Invalid signature\n", file);
 		return -1;
 	}
 	/* Use hash algorithm as retrieved from signature */
 	imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo);
 	/*
 	 * Validate the signature based on the digest included in the
 	 * measurement list, not by calculating the local file digest.
 	 */
 	if (digestlen > 0)
 	    return verify_hash(file, digest, digestlen, sig + 1, siglen - 1);
 	hashlen = ima_calc_hash(file, hash);
 	if (hashlen <= 1)
 		return hashlen;
 	assert(hashlen <= sizeof(hash));
 	return verify_hash(file, hash, hashlen, sig + 1, siglen - 1);
 }
 /*
 * Create binary key representation suitable for kernel
 */
 int key2bin(RSA *key, unsigned char *pub)
 {
 	int len, b, offset = 0;
 	struct pubkey_hdr *pkh = (struct pubkey_hdr *)pub;
 	const BIGNUM *n, *e;
 #if OPENSSL_VERSION_NUMBER < 0x10100000
 	n = key->n;
 	e = key->e;
 #else
 	RSA_get0_key(key, &n, &e, NULL);
 #endif
 	/* add key header */
 	pkh->version = 1;
 	pkh->timestamp = 0;	/* PEM has no timestamp?? */
 	pkh->algo = PUBKEY_ALGO_RSA;
 	pkh->nmpi = 2;
 	offset += sizeof(*pkh);
 	len = BN_num_bytes(n);
 	b = BN_num_bits(n);
 	pub[offset++] = b >> 8;
 	pub[offset++] = b & 0xff;
 	BN_bn2bin(n, &pub[offset]);
 	offset += len;
 	len = BN_num_bytes(e);
 	b = BN_num_bits(e);
 	pub[offset++] = b >> 8;
 	pub[offset++] = b & 0xff;
 	BN_bn2bin(e, &pub[offset]);
 	offset += len;
 	return offset;
 }
 void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len)
 {
 	uint8_t sha1[SHA_DIGEST_LENGTH];
 	uint64_t id;
 	SHA1(pkey, len, sha1);
 	/* sha1[12 - 19] is exactly keyid from gpg file */
 	memcpy(keyid, sha1 + 12, 8);
 	log_debug("keyid: ");
 	log_debug_dump(keyid, 8);
 	id = __be64_to_cpup((__be64 *) keyid);
 	sprintf(str, "%llX", (unsigned long long)id);
 	if (imaevm_params.verbose > LOG_INFO)
 		log_info("keyid-v1: %s\n", str);
 }
 /*
 * Calculate keyid of the public_key part of EVP_PKEY
 */
 void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey)
 {
 	X509_PUBKEY *pk = NULL;
 	const unsigned char *public_key = NULL;
 	int len;
 	/* This is more generic than i2d_PublicKey() */
 	if (X509_PUBKEY_set(&pk, pkey) &&
 	    X509_PUBKEY_get0_param(NULL, &public_key, &len, NULL, pk)) {
 		uint8_t sha1[SHA_DIGEST_LENGTH];
 		SHA1(public_key, len, sha1);
 		/* sha1[12 - 19] is exactly keyid from gpg file */
 		memcpy(keyid, sha1 + 16, 4);
 	} else
 		*keyid = 0;
 	log_debug("keyid: ");
 	log_debug_dump(keyid, 4);
 	sprintf(str, "%x", __be32_to_cpup(keyid));
 	if (imaevm_params.verbose > LOG_INFO)
 		log_info("keyid: %s\n", str);
 	X509_PUBKEY_free(pk);
 }
 static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
 {
 	FILE *fp;
 	EVP_PKEY *pkey;
 	fp = fopen(keyfile, "r");
 	if (!fp) {
 		log_err("Failed to open keyfile: %s\n", keyfile);
 		return NULL;
 	}
 	pkey = PEM_read_PrivateKey(fp, NULL, NULL, (void *)keypass);
 	if (!pkey) {
 		log_err("Failed to PEM_read_PrivateKey key file: %s\n",
 			keyfile);
 		output_openssl_errors();
 	}
 	fclose(fp);
 	return pkey;
 }
 static RSA *read_priv_key(const char *keyfile, const char *keypass)
 {
 	EVP_PKEY *pkey;
 	RSA *key;
 	pkey = read_priv_pkey(keyfile, keypass);
 	if (!pkey)
 		return NULL;
 	key = EVP_PKEY_get1_RSA(pkey);
 	EVP_PKEY_free(pkey);
 	if (!key) {
 		log_err("read_priv_key: unsupported key type\n");
 		output_openssl_errors();
 		return NULL;
 	}
 	return key;
 }
 static int get_hash_algo_v1(const char *algo)
 {
 	if (!strcmp(algo, "sha1"))
 		return DIGEST_ALGO_SHA1;
 	else if (!strcmp(algo, "sha256"))
 		return DIGEST_ALGO_SHA256;
 	return -1;
 }
 static int sign_hash_v1(const char *hashalgo, const unsigned char *hash,
 			int size, const char *keyfile, unsigned char *sig)
 {
 	int len = -1, hashalgo_idx;
 	SHA_CTX ctx;
 	unsigned char pub[1024];
 	RSA *key;
 	char name[20];
 	unsigned char sighash[20];
 	struct signature_hdr *hdr;
 	uint16_t *blen;
 	if (!hash) {
 		log_err("sign_hash_v1: hash is null\n");
 		return -1;
 	}
 	if (size < 0) {
 		log_err("sign_hash_v1: size is negative: %d\n", size);
 		return -1;
 	}
 	if (!hashalgo) {
 		log_err("sign_hash_v1: hashalgo is null\n");
 		return -1;
 	}
 	if (!sig) {
 		log_err("sign_hash_v1: sig is null\n");
 		return -1;
 	}
 	log_info("hash(%s): ", hashalgo);
 	log_dump(hash, size);
 	key = read_priv_key(keyfile, imaevm_params.keypass);
 	if (!key)
 		return -1;
 	hdr = (struct signature_hdr *)sig;
 	/* now create a new hash */
 	hdr->version = (uint8_t) DIGSIG_VERSION_1;
 	hdr->timestamp = time(NULL);
 	hdr->algo = PUBKEY_ALGO_RSA;
 	hashalgo_idx = get_hash_algo_v1(hashalgo);
 	if (hashalgo_idx < 0) {
 		log_err("Signature version 1 does not support hash algo %s\n",
 			hashalgo);
 		goto out;
 	}
 	hdr->hash = (uint8_t) hashalgo_idx;
 	len = key2bin(key, pub);
 	calc_keyid_v1(hdr->keyid, name, pub, len);
 	hdr->nmpi = 1;
 	SHA1_Init(&ctx);
 	SHA1_Update(&ctx, hash, size);
 	SHA1_Update(&ctx, hdr, sizeof(*hdr));
 	SHA1_Final(sighash, &ctx);
 	log_info("sighash: ");
 	log_dump(sighash, sizeof(sighash));
 	len = RSA_private_encrypt(sizeof(sighash), sighash, sig + sizeof(*hdr) + 2, key, RSA_PKCS1_PADDING);
 	if (len < 0) {
 		log_err("RSA_private_encrypt() failed: %d\n", len);
 		output_openssl_errors();
 		goto out;
 	}
 	/* we add bit length of the signature to make it gnupg compatible */
 	blen = (uint16_t *) (sig + sizeof(*hdr));
 	*blen = __cpu_to_be16(len << 3);
 	len += sizeof(*hdr) + 2;
 	log_info("evm/ima signature-v1: %d bytes\n", len);
 out:
 	RSA_free(key);
 	return len;
 }
 /*
 * @sig is assumed to be of (MAX_SIGNATURE_SIZE - 1) size
 * Return: -1 signing error, >0 length of signature
 */
 static int sign_hash_v2(const char *algo, const unsigned char *hash,
 			int size, const char *keyfile, unsigned char *sig)
 {
 	struct signature_v2_hdr *hdr;
 	int len = -1;
 	EVP_PKEY *pkey;
 	char name[20];
 	EVP_PKEY_CTX *ctx = NULL;
 	const EVP_MD *md;
 	size_t sigsize;
 	const char *st;
 	uint32_t keyid;
 	if (!hash) {
 		log_err("sign_hash_v2: hash is null\n");
 		return -1;
 	}
 	if (size < 0) {
 		log_err("sign_hash_v2: size is negative: %d\n", size);
 		return -1;
 	}
 	if (!sig) {
 		log_err("sign_hash_v2: sig is null\n");
 		return -1;
 	}
 	if (!algo) {
 		log_err("sign_hash_v2: algo is null\n");
 		return -1;
 	}
 	log_info("hash(%s): ", imaevm_params.hash_algo);
 	log_dump(hash, size);
 	pkey = read_priv_pkey(keyfile, imaevm_params.keypass);
 	if (!pkey)
 		return -1;
 	hdr = (struct signature_v2_hdr *)sig;
 	hdr->version = (uint8_t) DIGSIG_VERSION_2;
 	hdr->hash_algo = imaevm_get_hash_algo(algo);
 	if (hdr->hash_algo == (uint8_t)-1) {
 		log_err("sign_hash_v2: hash algo is unknown: %s\n", algo);
 		return -1;
 	}
 	calc_keyid_v2(&keyid, name, pkey);
 	hdr->keyid = keyid;
 	st = "EVP_PKEY_CTX_new";
 	if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
 		goto err;
 	st = "EVP_PKEY_sign_init";
 	if (!EVP_PKEY_sign_init(ctx))
 		goto err;
 	st = "EVP_get_digestbyname";
 	if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo)))
 		goto err;
 	st = "EVP_PKEY_CTX_set_signature_md";
 	if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
 		goto err;
 	st = "EVP_PKEY_sign";
 	sigsize = MAX_SIGNATURE_SIZE - sizeof(struct signature_v2_hdr) - 1;
 	if (!EVP_PKEY_sign(ctx, hdr->sig, &sigsize, hash, size))
 		goto err;
 	len = (int)sigsize;
 	/* we add bit length of the signature to make it gnupg compatible */
 	hdr->sig_size = __cpu_to_be16(len);
 	len += sizeof(*hdr);
 	log_info("evm/ima signature: %d bytes\n", len);
 err:
 	if (len == -1) {
 		log_err("sign_hash_v2: signing failed: (%s) in %s\n",
 			ERR_reason_error_string(ERR_peek_error()), st);
 		output_openssl_errors();
 	}
 	EVP_PKEY_CTX_free(ctx);
 	EVP_PKEY_free(pkey);
 	return len;
 }
 int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig)
 {
 	if (keypass)
 		imaevm_params.keypass = keypass;
 	return imaevm_params.x509 ?
 		sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
 		sign_hash_v1(hashalgo, hash, size, keyfile, sig);
 }
 static void libinit()
 {
 #if OPENSSL_VERSION_NUMBER < 0x10100000
 	OpenSSL_add_all_algorithms();
 	OPENSSL_add_all_algorithms_conf();
 #else
 	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
 			    OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
 	ERR_load_crypto_strings();
 #endif
 }
--- a/src/pcr.h
+++ b/src/pcr.h
@ -1,3 +0,0 @@
 int tpm2_pcr_supported(void);
 int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr,
 		 int len, char **errmsg);
--- a/src/pcr_tss.c
+++ b/src/pcr_tss.c
@ -1,191 +0,0 @@
 /*
 * ima-evm-utils - IMA/EVM support utilities
 *
 * Copyright (C) 2011 Nokia Corporation
 * Copyright (C) 2011,2012,2013 Intel Corporation
 * Copyright (C) 2013,2014 Samsung Electronics
 *
 * Authors:
 * Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
 *                 <dmitry.kasatkin@intel.com>
 *                 <d.kasatkin@samsung.com>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * version 2 as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * As a special exception, the copyright holders give permission to link the
 * code of portions of this program with the OpenSSL library under certain
 * conditions as described in each individual source file and distribute
 * linked combinations including the program with the OpenSSL library. You
 * must comply with the GNU General Public License in all respects
 * for all of the code used other than as permitted herein. If you modify
 * file(s) with this exception, you may extend this exception to your
 * version of the file(s), but you are not obligated to do so. If you do not
 * wish to do so, delete this exception statement from your version. If you
 * delete this exception statement from all source files in the program,
 * then also delete it in the license file.
 *
 * File: pcr_tss.c
 *	 PCR reading implementation based on Intel TSS2
 */
 #include <stdio.h>
 #include <string.h>
 #include <openssl/sha.h>
 #ifdef HAVE_LIBTSS2_ESYS
 # include <tss2/tss2_esys.h>
 # ifdef HAVE_LIBTSS2_RC
 #  include <tss2/tss2_rc.h>
 #  define LIB "tss2-rc-decode"
 # else
 #  define LIB "tss2-esys"
 # endif
 #endif /* HAVE_LIBTSS2_ESYS */
 #define USE_FPRINTF
 #include "imaevm.h"
 int tpm2_pcr_supported(void)
 {
 	if (imaevm_params.verbose > LOG_INFO)
 		log_info("Using %s to read PCRs.\n", LIB);
 	return 1;
 }
 static int pcr_selections_match(TPML_PCR_SELECTION *a, TPML_PCR_SELECTION *b)
 {
 	int i, j;
 	if (a->count != b->count)
 		return 0;
 	for (i = 0; i < a->count; i++) {
 		if (a->pcrSelections[i].hash != b->pcrSelections[i].hash)
 			return 0;
 		if (a->pcrSelections[i].sizeofSelect != b->pcrSelections[i].sizeofSelect)
 			return 0;
 		for (j = 0; j < a->pcrSelections[i].sizeofSelect; j++) {
 			if (a->pcrSelections[i].pcrSelect[j] != b->pcrSelections[i].pcrSelect[j])
 				return 0;
 		}
 	}
 	return 1;
 }
 static inline int tpm2_set_errmsg(char **errmsg, const char *message, TSS2_RC ret)
 {
 #ifdef HAVE_LIBTSS2_RC
 		return asprintf(errmsg, "%s: %s", message, Tss2_RC_Decode(ret));
 #else
 		return asprintf(errmsg, "%s: #%d", message, ret);
 #endif
 }
 static TPM2_ALG_ID algo_to_tss2(const char *algo_name)
 {
 	if (!strcmp(algo_name, "sha1"))
 		return TPM2_ALG_SHA1;
 	else if (!strcmp(algo_name, "sha256"))
 		return TPM2_ALG_SHA256;
 	return TPM2_ALG_ERROR;
 }
 int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr,
 		 int len, char **errmsg)
 {
 	TSS2_ABI_VERSION abi_version = {
 		.tssCreator = 1,
 		.tssFamily = 2,
 		.tssLevel = 1,
 		.tssVersion = 108,
 	};
 	ESYS_CONTEXT *ctx = NULL;
 	TSS2_RC ret = 0;
 	TPML_PCR_SELECTION *pcr_select_out;
 	TPML_DIGEST *pcr_digests;
 	UINT32 pcr_update_counter;
 	TPM2_ALG_ID algid = algo_to_tss2(algo_name);
 	if (algid == TPM2_ALG_ERROR) {
 		ret = asprintf(errmsg, "unsupported tss2 algorithm");
 		if (ret == -1)	/* the contents of errmsg are undefined */
 			*errmsg = NULL;
 		return -1;
 	}
 	TPML_PCR_SELECTION pcr_select_in = {
 		.count = 1,
 		.pcrSelections = {
 			{
 				.hash = algid,
 				.sizeofSelect = 3,
 				.pcrSelect = { 0x00, 0x00, 0x00 },
 			}
 		}
 	};
 	pcr_select_in.pcrSelections[0].pcrSelect[idx / 8] = (1 << (idx % 8));
 	ret = Esys_Initialize(&ctx, NULL, &abi_version);
 	if (ret != TPM2_RC_SUCCESS) {
 		ret = tpm2_set_errmsg(errmsg, "esys initialize failed", ret);
 		if (ret == -1)	/* the contents of errmsg are undefined */
 			*errmsg = NULL;
 		return -1;
 	}
 	ret = Esys_PCR_Read(ctx,
 			    ESYS_TR_NONE,
 			    ESYS_TR_NONE,
 			    ESYS_TR_NONE,
 			    &pcr_select_in,
 			    &pcr_update_counter,
 			    &pcr_select_out,
 			    &pcr_digests);
 	Esys_Finalize(&ctx);
 	if (ret != TPM2_RC_SUCCESS) {
 		ret = tpm2_set_errmsg(errmsg, "esys PCR reading failed", ret);
 		if (ret == -1)	/* the contents of errmsg is undefined */
 			*errmsg = NULL;
 		return -1;
 	}
 	if (!pcr_selections_match(&pcr_select_in, pcr_select_out)) {
 		Esys_Free(pcr_select_out);
 		Esys_Free(pcr_digests);
 		ret = asprintf(errmsg, "TPM returned incorrect PCRs");
 		if (ret == -1)	/* the contents of errmsg are undefined */
 			*errmsg = NULL;
 		return -1;
 	}
 	Esys_Free(pcr_select_out);
 	if (pcr_digests->count != 1 || pcr_digests->digests[0].size != len) {
 		Esys_Free(pcr_digests);
 		ret = asprintf(errmsg, "TPM returned incorrect digests");
 		if (ret == -1)	/* the contents of errmsg is undefined */
 			*errmsg = NULL;
 		return -1;
 	}
 	memcpy(hwpcr, pcr_digests->digests[0].buffer, len);
 	Esys_Free(pcr_digests);
 	return 0;
 }
--- a/src/pcr_tsspcrread.c
+++ b/src/pcr_tsspcrread.c
@ -1,111 +0,0 @@
 /*
 * ima-evm-utils - IMA/EVM support utilities
 *
 * Copyright (C) 2011 Nokia Corporation
 * Copyright (C) 2011,2012,2013 Intel Corporation
 * Copyright (C) 2013,2014 Samsung Electronics
 *
 * Authors:
 * Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
 *                 <dmitry.kasatkin@intel.com>
 *                 <d.kasatkin@samsung.com>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * version 2 as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * As a special exception, the copyright holders give permission to link the
 * code of portions of this program with the OpenSSL library under certain
 * conditions as described in each individual source file and distribute
 * linked combinations including the program with the OpenSSL library. You
 * must comply with the GNU General Public License in all respects
 * for all of the code used other than as permitted herein. If you modify
 * file(s) with this exception, you may extend this exception to your
 * version of the file(s), but you are not obligated to do so. If you do not
 * wish to do so, delete this exception statement from your version. If you
 * delete this exception statement from all source files in the program,
 * then also delete it in the license file.
 *
 * File: pcr_tsspcrread.c
 *	 PCR reading implementation based on IBM TSS2
 */
 #include <errno.h>
 #include <limits.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdint.h>
 #include <openssl/sha.h>
 #define USE_FPRINTF
 #include "utils.h"
 #include "imaevm.h"
 #define CMD "tsspcrread"
 static char path[PATH_MAX];
 int tpm2_pcr_supported(void)
 {
 	if (imaevm_params.verbose > LOG_INFO)
 		log_info("Using %s to read PCRs.\n", CMD);
 	if (get_cmd_path(CMD, path, sizeof(path))) {
 		log_debug("Couldn't find '%s' in $PATH", CMD);
 		return 0;
 	}
 	log_debug("Found '%s' in $PATH", CMD);
 	return 1;
 }
 int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr,
 		 int len, char **errmsg)
 {
 	FILE *fp;
 	char pcr[100];	/* may contain an error */
 	char cmd[PATH_MAX + 50];
 	int ret;
 	sprintf(cmd, "%s -halg %s -ha %d -ns 2> /dev/null",
 		path, algo_name, idx);
 	fp = popen(cmd, "r");
 	if (!fp) {
 		ret = asprintf(errmsg, "popen failed: %s", strerror(errno));
 		if (ret == -1)	/* the contents of errmsg is undefined */
 			*errmsg = NULL;
 		return -1;
 	}
 	if (fgets(pcr, sizeof(pcr), fp) == NULL) {
 		ret = asprintf(errmsg, "tsspcrread failed: %s",
 			       strerror(errno));
 		if (ret == -1)	/* the contents of errmsg is undefined */
 			*errmsg = NULL;
 		ret = pclose(fp);
 		return -1;
 	}
 	/* get the popen "cmd" return code */
 	ret = pclose(fp);
 	/* Treat an unallocated bank as an error */
 	if (!ret && (strlen(pcr) < SHA_DIGEST_LENGTH))
 		ret = -1;
 	if (!ret)
 		hex2bin(hwpcr, pcr, len);
 	else
 		*errmsg = strndup(pcr, strlen(pcr) - 1); /* remove newline */
 	return ret;
 }
--- a/src/utils.c
+++ b/src/utils.c
@ -1,114 +0,0 @@
 // SPDX-License-Identifier: GPL-2.0
 /*
 * utils: set of common functions
 *
 * Copyright (C) 2020 Patrick Uiterwijk <patrick@puiterwijk.org>
 * Copyright (C) 2010 Cyril Hrubis <chrubis@suse.cz>
 */
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/stat.h>
 #include <unistd.h>
 #include "utils.h"
 #ifndef MIN
 # define MIN(a, b) ({ \
 	typeof(a) _a = (a); \
 	typeof(b) _b = (b); \
 	_a < _b ? _a : _b; \
 })
 #endif /* MIN */
 static int file_exist(const char *path)
 {
 	struct stat st;
 	if (!access(path, R_OK) && !stat(path, &st) && S_ISREG(st.st_mode))
 		return 1;
 	return 0;
 }
 int get_cmd_path(const char *prog_name, char *buf, size_t buf_len)
 {
 	const char *path = (const char *)getenv("PATH");
 	const char *start = path;
 	const char *end;
 	size_t size, ret;
 	if (path == NULL)
 		return -1;
 	do {
 		end = strchr(start, ':');
 		if (end != NULL)
 			snprintf(buf, MIN(buf_len, (size_t) (end - start + 1)),
 				 "%s", start);
 		else
 			snprintf(buf, buf_len, "%s", start);
 		size = strlen(buf);
 		/*
 		 * "::" inside $PATH, $PATH ending with ':' or $PATH starting
 		 * with ':' should be expanded into current working directory.
 		 */
 		if (size == 0) {
 			snprintf(buf, buf_len, ".");
 			size = strlen(buf);
 		}
 		/*
 		 * If there is no '/' ad the end of path from $PATH add it.
 		 */
 		if (buf[size - 1] != '/')
 			ret =
 			    snprintf(buf + size, buf_len - size, "/%s",
 				     prog_name);
 		else
 			ret =
 			    snprintf(buf + size, buf_len - size, "%s",
 				     prog_name);
 		if (buf_len - size > ret && file_exist(buf))
 			return 0;
 		start = end + 1;
 	} while (end != NULL);
 	return -1;
 }
 int hex_to_bin(char ch)
 {
 	if ((ch >= '0') && (ch <= '9'))
 		return ch - '0';
 	ch = tolower(ch);
 	if ((ch >= 'a') && (ch <= 'f'))
 		return ch - 'a' + 10;
 	return -1;
 }
 int hex2bin(void *dst, const char *src, size_t count)
 {
 	int hi, lo;
 	while (count--) {
 		if (*src == ' ')
 			src++;
 		hi = hex_to_bin(*src++);
 		lo = hex_to_bin(*src++);
 		if ((hi < 0) || (lo < 0))
 			return -1;
 		*(uint8_t *)dst++ = (hi << 4) | lo;
 	}
 	return 0;
 }
--- a/src/utils.h
+++ b/src/utils.h
@ -1,6 +0,0 @@
 #include <ctype.h>
 #include <sys/types.h>
 int get_cmd_path(const char *prog_name, char *buf, size_t buf_len);
 int hex_to_bin(char ch);
 int hex2bin(void *dst, const char *src, size_t count);
--- a/tests/.gitignore
+++ b/tests/.gitignore
@ -1,16 +0,0 @@
 # Generated by test driver
 *.log
 *.trs
 # Generated by tests
 *.txt
 *.out
 *.sig
 *.sig2
 # Generated certs and keys (by gen-keys.sh)
 *.cer
 *.pub
 *.key
 *.conf
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@ -1,12 +1,7 @@
-check_SCRIPTS =
+pkglib_PROGRAMS = openclose
 TESTS = $(check_SCRIPTS)
-check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test
+openclose_SOURCES = openclose.c
-clean-local:
+dist_pkglib_SCRIPTS = evm_enable.sh evm_genkey.sh evm_sign_all.sh evm_sign_modules.sh ima_fix_dir.sh \
-	-rm -f *.txt *.out *.sig *.sig2
+			evm_hmac_all.sh evm_hmac_modules.sh
 distclean: distclean-keys
 .PHONY: distclean-keys
 distclean-keys:
 	./gen-keys.sh clean
--- a/tests/boot_aggregate.test
+++ b/tests/boot_aggregate.test
@ -1,162 +0,0 @@
 #!/bin/bash
 #
 # Calculate the boot_aggregate for each TPM bank, verifying that the
 # boot_aggregate in the IMA measurement list matches one of them.
 #
 # A software TPM may be used to verify the boot_aggregate.  If a
 # software TPM is not already running on the system, this test
 # starts one and initializes the TPM PCR banks by walking the sample
 # binary_bios_measurements event log, included in this directory, and
 # extending the TPM PCRs.  The associated ascii_runtime_measurements
 # for verifying the calculated boot_aggregate is included in this
 # directory as well.
 trap cleanup SIGINT SIGTERM EXIT
 # Base VERBOSE on the environment variable, if set.
 VERBOSE="${VERBOSE:-0}"
 cd "$(dirname "$0")"
 export PATH=../src:$PATH
 export LD_LIBRARY_PATH=$LD_LIBRARY_PATH
 . ./functions.sh
 _require evmctl
 TSSDIR="$(dirname -- "$(which tssstartup)")"
 PCRFILE="/sys/class/tpm/tpm0/device/pcrs"
 MISC_PCRFILE="/sys/class/misc/tpm0/device/pcrs"
 if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]; then
 	ASCII_RUNTIME_MEASUREMENTS="/sys/kernel/security/ima/ascii_runtime_measurements"
 else
 	BINARY_BIOS_MEASUREMENTS="./sample-binary_bios_measurements-pcrs-8-9"
 	ASCII_RUNTIME_MEASUREMENTS="./sample-ascii_runtime_measurements-pcrs-8-9"
 	export TPM_INTERFACE_TYPE="socsim"
 	export TPM_COMMAND_PORT=2321
 fi
 # Only stop this test's software TPM.  Preferred method: "tsstpmcmd -stop"
 cleanup() {
 	if [ ! -z "${SWTPM_PPID}" ]; then
 		if [ -f "${TSSDIR}/tsstpmcmd" ]; then
 			"${TSSDIR}/tsstpmcmd" -stop
 		else
 			pkill -P "${SWTPM_PPID}"
 		fi
 	fi
 }
 # Try to start a software TPM if needed.
 swtpm_start() {
 	local swtpm
 	swtpm="$(which tpm_server)"
 	if [ -z "${swtpm}" ]; then
 		echo "${CYAN}SKIP: Softare TPM (tpm_server) not found${NORM}"
 		return "$SKIP"
 	fi
 	pgrep tpm_server
 	if [ $? -eq 0 ]; then
 		echo "INFO: Software TPM (tpm_server) already running"
 		return 114
 	else
 		echo "INFO: Starting software TPM: ${swtpm}"
 		${swtpm} > /dev/null 2>&1 &
 		SWTPM_PPID=$!
 	fi
 	return 0
 }
 # Initialize the software TPM using the sample binary_bios_measurements log.
 swtpm_init() {
 	if [ ! -f "${TSSDIR}/tssstartup" ] || [ ! -f "${TSSDIR}/tsseventextend" ]; then
 		echo "${CYAN}SKIP: tssstartup and tsseventextend needed for test${NORM}"
 		return "$SKIP"
 	fi
 	echo "INFO: Walking ${BINARY_BIOS_MEASUREMENTS} initializing the software TPM"
 	"${TSSDIR}/tssstartup"
 #	$(${TSSDIR}/tsseventextend -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v) 2>&1 > /dev/null
 	"${TSSDIR}/tsseventextend" -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v > /dev/null 2>&1
 }
 # In VERBOSE mode, display the calculated TPM PCRs for the different banks.
 display_pcrs() {
 	local PCRMAX=9
 	local banks=("sha1" "sha256")
 	local i;
 	for bank in "${banks[@]}"; do
 		echo "INFO: Displaying ${bank} TPM bank (PCRs 0 - 9)"
 		for i in $(seq 0 $PCRMAX); do
 			rc=0
 			pcr=$("${TSSDIR}/tsspcrread" -halg "${bank}" -ha "${i}" -ns)
 			if [ $rc -ne 0 ]; then
 				echo "INFO: tsspcrread failed: $pcr"
 				break
 			fi
 			echo "$i: $pcr"
 		done
 	done
 }
 # The first entry in the IMA measuremnet list is the "boot_aggregate".
 # For each kexec, an additional "boot_aggregate" will appear in the
 # measurement list, assuming the previous measurement list is carried
 # across the kexec.
 #
 # Verify that the last "boot_aggregate" record in the IMA measurement
 # list matches.
 check() {
 	echo "INFO: Calculating the boot_aggregate (PCRs 0 - 9) for multiple banks"
 	bootaggr=$(evmctl ima_boot_aggregate)
 	if [ $? -ne 0 ]; then
 		echo "${CYAN}SKIP: evmctl ima_boot_aggregate: $bootaggr${NORM}"
 		exit "$SKIP"
 	fi
 	boot_aggr=( $bootaggr )
 	echo "INFO: Searching for the boot_aggregate in ${ASCII_RUNTIME_MEASUREMENTS}"
 	for hash in "${boot_aggr[@]}"; do
 		if [ "$VERBOSE" != "0" ]; then
 			echo "$hash"
 		fi
 		if grep -e " boot_aggregate$" -e " boot_aggregate.$" "${ASCII_RUNTIME_MEASUREMENTS}" | tail -n 1 | grep -q "${hash}"; then
 			echo "${GREEN}SUCCESS: boot_aggregate ${hash} found${NORM}"
 			return "$OK"
 		fi
 	done
 	echo "${RED}FAILURE: boot_aggregate not found${NORM}"
 	echo "$bootaggr"
 	return "$FAIL"
 }
 # Start and initialize a software TPM as needed
 if [ "$(id -u)" != 0 ] || [ ! -c "/dev/tpm0" ]; then
 	if [ -f "$PCRFILE" ] || [ -f "$MISC_PCRFILE" ]; then
 		echo "${CYAN}SKIP: system has discrete TPM 1.2, sample TPM 2.0 event log test not supported.${NORM}"
 		exit "$SKIP"
 	fi
 	swtpm_start
 	error=$?
 	if [ $error -eq "$SKIP" ]; then
 		echo "skip: swtpm not installed"
 		exit "$SKIP"
 	fi
 	if [ $error -eq 0 ]; then
 		swtpm_init
 		if [ $? -eq "$SKIP" ]; then
 			echo "testing boot_aggregate without entries"
 			exit "$SKIP"
 		fi
 	fi
 	if [ "$VERBOSE" != "0" ]; then
 		display_pcrs
 	fi
 fi
 expect_pass check
--- a/tests/evm_enable.sh
+++ b/tests/evm_enable.sh
@ -0,0 +1,25 @@
 #!/bin/sh
 # import EVM HMAC key
 keyctl clear @u
 keyctl add user kmk "testing123" @u
 keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
 # import Moule public key
 mod_id=`keyctl newring _module @u`
 evmctl import /etc/keys/pubkey_evm.pem $mod_id
 # import IMA public key
 ima_id=`keyctl newring _ima @u`
 evmctl import /etc/keys/pubkey_evm.pem $ima_id
 # import EVM public key
 evm_id=`keyctl newring _evm @u`
 evmctl import /etc/keys/pubkey_evm.pem $evm_id
 # enable EVM
 echo "1" > /sys/kernel/security/evm
 # enable module checking
 echo "1" > /sys/kernel/security/ima/module_check
--- a/tests/evm_genkey.sh
+++ b/tests/evm_genkey.sh
@ -0,0 +1,8 @@
 #!/bin/sh
 keyctl add user kmk "testing123" @u
 key=`keyctl add encrypted evm-key "new user:kmk 32" @u`
 keyctl print $key >/etc/keys/evm-key
 keyctl list @u
--- a/tests/evm_hmac_all.sh
+++ b/tests/evm_hmac_all.sh
@ -0,0 +1,14 @@
 #!/bin/sh
 verbose=""
 if [ "$1" = "-v" ] ; then
 	verbose="-v"
 	shift 1
 fi
 dir=${1:-/}
 echo "Label: $dir"
 find $dir \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) \( -type f -o -type d \) -exec evmctl hmac --imahash $verbose '{}' \;
--- a/tests/evm_hmac_modules.sh
+++ b/tests/evm_hmac_modules.sh
@ -0,0 +1,14 @@
 #!/bin/sh
 verbose=""
 if [ "$1" = "-v" ] ; then
 	verbose="-v"
 	shift 1
 fi
 dir=${1:-/lib/modules}
 echo "HMAC modules: $dir"
 find $dir -name "*.ko" -type f -exec evmctl hmac --imasig $verbose '{}' \;
--- a/tests/evm_sign_all.sh
+++ b/tests/evm_sign_all.sh
@ -0,0 +1,14 @@
 #!/bin/sh
 verbose=""
 if [ "$1" = "-v" ] ; then
 	verbose="-v"
 	shift 1
 fi
 dir=${1:-/}
 echo "Label: $dir"
 find $dir \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) -type f -exec evmctl sign --imahash $verbose '{}' \;
--- a/tests/evm_sign_modules.sh
+++ b/tests/evm_sign_modules.sh
@ -0,0 +1,14 @@
 #!/bin/sh
 verbose=""
 if [ "$1" = "-v" ] ; then
 	verbose="-v"
 	shift 1
 fi
 dir=${1:-/lib/modules}
 echo "Signing modules: $dir"
 find $dir -name "*.ko" -type f -exec evmctl sign --imasig $verbose '{}' \;
--- a/tests/functions.sh
+++ b/tests/functions.sh
@ -1,274 +0,0 @@
 #!/bin/bash
 # SPDX-License-Identifier: GPL-2.0
 #
 # ima-evm-utils tests bash functions
 #
 # Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2, or (at your option)
 # any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 # Tests accounting
 declare -i testspass=0 testsfail=0 testsskip=0
 # Exit codes (compatible with automake)
 declare -r OK=0
 declare -r FAIL=1
 declare -r HARDFAIL=99 # hard failure no matter testing mode
 declare -r SKIP=77
 # You can set env VERBOSE=1 to see more output from evmctl
 VERBOSE=${VERBOSE:-0}
 V=vvvv
 V=${V:0:$VERBOSE}
 V=${V:+-$V}
 # Exit if env FAILEARLY is defined.
 # Used in expect_{pass,fail}.
 exit_early() {
  if [ "$FAILEARLY" ]; then
    exit "$1"
  fi
 }
 # Require particular executables to be present
 _require() {
  ret=
  for i; do
    if ! type $i; then
      echo "$i is required for test"
      ret=1
    fi
  done
  [ $ret ] && exit "$HARDFAIL"
 }
 # Non-TTY output is never colored
 if [ -t 1 ]; then
     RED=$'\e[1;31m'
   GREEN=$'\e[1;32m'
  YELLOW=$'\e[1;33m'
    BLUE=$'\e[1;34m'
    CYAN=$'\e[1;36m'
    NORM=$'\e[m'
  export RED GREEN YELLOW BLUE CYAN NORM
 fi
 # Test mode determined by TFAIL variable:
 #   undefined: to success testing
 #   defined: failure testing
 TFAIL=
 TMODE=+ # mode character to prepend running command in log
 declare -i TNESTED=0 # just for sanity checking
 # Run positive test (one that should pass) and account its result
 expect_pass() {
  local -i ret
  if [ $TNESTED -gt 0 ]; then
    echo $RED"expect_pass should not be run nested"$NORM
    testsfail+=1
    exit "$HARDFAIL"
  fi
  TFAIL=
  TMODE=+
  TNESTED+=1
  [ "$VERBOSE" -gt 1 ] && echo "____ START positive test: $*"
  "$@"
  ret=$?
  [ "$VERBOSE" -gt 1 ] && echo "^^^^ STOP ($ret) positive test: $*"
  TNESTED+=-1
  case $ret in
    0)  testspass+=1 ;;
    77) testsskip+=1 ;;
    99) testsfail+=1; exit_early 1 ;;
    *)  testsfail+=1; exit_early 2 ;;
  esac
  return $ret
 }
 # Eval negative test (one that should fail) and account its result
 expect_fail() {
  local ret
  if [ $TNESTED -gt 0 ]; then
    echo $RED"expect_fail should not be run nested"$NORM
    testsfail+=1
    exit "$HARDFAIL"
  fi
  TFAIL=yes
  TMODE=-
  TNESTED+=1
  [ "$VERBOSE" -gt 1 ] && echo "____ START negative test: $*"
  "$@"
  ret=$?
  [ "$VERBOSE" -gt 1 ] && echo "^^^^ STOP ($ret) negative test: $*"
  TNESTED+=-1
  case $ret in
    0)  testsfail+=1; exit_early 3 ;;
    77) testsskip+=1 ;;
    99) testsfail+=1; exit_early 4 ;;
    *)  testspass+=1 ;;
  esac
  # Restore defaults (as in positive tests)
  # for tests to run without wrappers
  TFAIL=
  TMODE=+
  return $ret
 }
 # return true if current test is positive
 _test_expected_to_pass() {
  [ ! $TFAIL ]
 }
 # return true if current test is negative
 _test_expected_to_fail() {
  [ $TFAIL ]
 }
 # Show blank line and color following text to red
 # if it's real error (ie we are in expect_pass mode).
 color_red_on_failure() {
  if _test_expected_to_pass; then
    echo "$RED"
    COLOR_RESTORE=true
  fi
 }
 # For hard errors
 color_red() {
  echo "$RED"
  COLOR_RESTORE=true
 }
 color_restore() {
  [ $COLOR_RESTORE ] && echo "$NORM"
  COLOR_RESTORE=
 }
 ADD_DEL=
 ADD_TEXT_FOR=
 # _evmctl_run should be run as `_evmctl_run ... || return'
 _evmctl_run() {
  local op=$1 out=$1-$$.out
  local text_for=${FOR:+for $ADD_TEXT_FOR}
  # Additional parameters:
  # ADD_DEL: additional files to rm on failure
  # ADD_TEXT_FOR: append to text as 'for $ADD_TEXT_FOR'
  cmd="evmctl $V $EVMCTL_ENGINE $*"
  echo $YELLOW$TMODE "$cmd"$NORM
  $cmd >"$out" 2>&1
  ret=$?
  # Shell special and signal exit codes (except 255)
  if [ $ret -ge 126 ] && [ $ret -lt 255 ]; then
    color_red
    echo "evmctl $op failed hard with ($ret) $text_for"
    sed 's/^/  /' "$out"
    color_restore
    rm "$out" $ADD_DEL
    ADD_DEL=
    ADD_TEXT_FOR=
    return "$HARDFAIL"
  elif [ $ret -gt 0 ]; then
    color_red_on_failure
    echo "evmctl $op failed" ${TFAIL:+properly} "with ($ret) $text_for"
    # Show evmctl output only in verbose mode or if real failure.
    if _test_expected_to_pass || [ "$VERBOSE" ]; then
      sed 's/^/  /' "$out"
    fi
    color_restore
    rm "$out" $ADD_DEL
    ADD_DEL=
    ADD_TEXT_FOR=
    return "$FAIL"
  elif _test_expected_to_fail; then
    color_red
    echo "evmctl $op wrongly succeeded $text_for"
    sed 's/^/  /' "$out"
    color_restore
  else
    [ "$VERBOSE" ] && sed 's/^/  /' "$out"
  fi
  rm "$out"
  ADD_DEL=
  ADD_TEXT_FOR=
  return "$OK"
 }
 # Extract xattr $attr from $file into $out file skipping $pref'ix
 _extract_xattr() {
  local file=$1 attr=$2 out=$3 pref=$4
  getfattr -n "$attr" -e hex "$file" \
    | grep "^$attr=" \
    | sed "s/^$attr=$pref//" \
    | xxd -r -p > "$out"
 }
 # Test if xattr $attr in $file matches $prefix
 # Show error and fail otherwise.
 _test_xattr() {
  local file=$1 attr=$2 prefix=$3
  local text_for=${ADD_TEXT_FOR:+ for $ADD_TEXT_FOR}
  if ! getfattr -n "$attr" -e hex "$file" | egrep -qx "$attr=$prefix"; then
    color_red_on_failure
    echo "Did not find expected hash$text_for:"
    echo "    $attr=$prefix"
    echo ""
    echo "Actual output below:"
    getfattr -n "$attr" -e hex "$file" | sed 's/^/    /'
    color_restore
    rm "$file"
    ADD_TEXT_FOR=
    return "$FAIL"
  fi
  ADD_TEXT_FOR=
 }
 # Try to enable gost-engine if needed.
 _enable_gost_engine() {
  # Do not enable if it's already working (enabled by user)
  if ! openssl md_gost12_256 /dev/null >/dev/null 2>&1 \
    && openssl engine gost >/dev/null 2>&1; then
    export EVMCTL_ENGINE="--engine gost"
    export OPENSSL_ENGINE="-engine gost"
  fi
 }
 # Show test stats and exit into automake test system
 # with proper exit code (same as ours).
 _report_exit() {
  if [ $testsfail -gt 0 ]; then
    echo "================================="
    echo " Run with FAILEARLY=1 $0 $*"
    echo " To stop after first failure"
    echo "================================="
  fi
  [ $testspass -gt 0 ] && echo -n "$GREEN" || echo -n "$NORM"
  echo -n "PASS: $testspass"
  [ $testsskip -gt 0 ] && echo -n "$YELLOW" || echo -n "$NORM"
  echo -n " SKIP: $testsskip"
  [ $testsfail -gt 0 ] && echo -n "$RED" || echo -n "$NORM"
  echo " FAIL: $testsfail"
  echo "$NORM"
  if [ $testsfail -gt 0 ]; then
    exit "$FAIL"
  elif [ $testspass -gt 0 ]; then
    exit "$OK"
  else
    exit "$SKIP"
  fi
 }
--- a/tests/gen-keys.sh
+++ b/tests/gen-keys.sh
@ -1,97 +0,0 @@
 #!/bin/bash
 # SPDX-License-Identifier: GPL-2.0
 #
 # Generate keys for the tests
 #
 # Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2, or (at your option)
 # any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 cd "$(dirname "$0")" || exit 1
 PATH=../src:$PATH
 type openssl
 log() {
  echo - "$*"
  eval "$@"
 }
 if [ "$1" = clean ]; then
  rm -f test-ca.conf
 elif [ "$1" = force ] || [ ! -e test-ca.conf ]; then
 cat > test-ca.conf <<- EOF
 	[ req ]
 	distinguished_name = req_distinguished_name
 	prompt = no
 	string_mask = utf8only
 	x509_extensions = v3_ca
 	[ req_distinguished_name ]
 	O = IMA-CA
 	CN = IMA/EVM certificate signing key
 	emailAddress = ca@ima-ca
 	[ v3_ca ]
 	basicConstraints=CA:TRUE
 	subjectKeyIdentifier=hash
 	authorityKeyIdentifier=keyid:always,issuer
 EOF
 fi
 # RSA
 # Second key will be used for wrong key tests.
 for m in 1024 2048; do
  if [ "$1" = clean ] || [ "$1" = force ]; then
    rm -f test-rsa$m.cer test-rsa$m.key test-rsa$m.pub
  fi
  if [ "$1" = clean ]; then
    continue
  fi
  if [ ! -e test-rsa$m.key ]; then
    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
      -config test-ca.conf \
      -newkey rsa:$m \
      -out test-rsa$m.cer -outform DER \
      -keyout test-rsa$m.key
    # for v1 signatures
    log openssl pkey -in test-rsa$m.key -out test-rsa$m.pub -pubout
  fi
 done
 # EC-RDSA
 for m in \
  gost2012_256:A \
  gost2012_256:B \
  gost2012_256:C \
  gost2012_512:A \
  gost2012_512:B; do
    IFS=':' read -r algo param <<< "$m"
    if [ "$1" = clean ] || [ "$1" = force ]; then
      rm -f "test-$algo-$param.key" "test-$algo-$param.cer" "test-$algo-$param.pub"
    fi
    if [ "$1" = clean ]; then
      continue
    fi
    [ -e "test-$algo-$param.key" ] && continue
    log openssl req -nodes -x509 -utf8 -days 10000 -batch \
      -config test-ca.conf \
      -newkey "$algo" \
      -pkeyopt "paramset:$param" \
      -out    "test-$algo-$param.cer" -outform DER \
      -keyout "test-$algo-$param.key"
    if [ -s "test-$algo-$param.key" ]; then
      log openssl pkey -in "test-$algo-$param.key" -out "test-$algo-$param.pub" -pubout
    fi
 done
 # This script leaves test-ca.conf, *.cer, *.pub, *.key files for sing/verify tests.
 # They are never deleted except by `make distclean'.
--- a/tests/ima_fix_dir.sh
+++ b/tests/ima_fix_dir.sh
@ -0,0 +1,8 @@
 #!/bin/sh
 dir=${1:-/}
 echo "Fixing dir: $dir"
 find $dir \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) -type f -exec openclose '{}' \;
--- a/tests/ima_hash.test
+++ b/tests/ima_hash.test
@ -1,80 +0,0 @@
 #!/bin/bash
 # SPDX-License-Identifier: GPL-2.0
 #
 # evmctl ima_hash tests
 #
 # Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2, or (at your option)
 # any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 cd "$(dirname "$0")" || exit 1
 PATH=../src:$PATH
 source ./functions.sh
 _require evmctl openssl getfattr
 trap _report_exit EXIT
 set -f # disable globbing
 check() {
  local alg=$1 prefix=$2 chash=$3 hash
  local file=$alg-hash.txt
  rm -f "$file"
  touch "$file"
  # Generate hash with openssl, if it failed skip test,
  # unless it's negative test, then pass to evmctl
  cmd="openssl dgst $OPENSSL_ENGINE -$alg $file"
  echo - "$cmd"
  hash=$(set -o pipefail; $cmd 2>/dev/null | cut -d' ' -f2)
  if [ $? -ne 0 ] && _test_expected_to_pass; then
    echo "${CYAN}$alg test is skipped$NORM"
    rm "$file"
    return "$SKIP"
  fi
  if [ "$chash" ] && [ "$chash" != "$hash" ]; then
    color_red
    echo "Invalid hash for $alg from openssl"
    echo "Expected: $chash"
    echo "Returned: $hash"
    color_restore
    rm "$file"
    return "$HARDFAIL"
  fi
  ADD_TEXT_FOR=$alg ADD_DEL=$file \
    _evmctl_run ima_hash --hashalgo "$alg" --xattr-user "$file" || return
  ADD_TEXT_FOR=$alg \
    _test_xattr "$file" user.ima "$prefix$hash" || return
  rm "$file"
  return "$OK"
 }
 # check args: algo hdr-prefix canonic-hash
 expect_pass check  md4        0x01 31d6cfe0d16ae931b73c59d7e0c089c0
 expect_pass check  md5        0x01 d41d8cd98f00b204e9800998ecf8427e
 expect_pass check  sha1       0x01 da39a3ee5e6b4b0d3255bfef95601890afd80709
 expect_fail check  SHA1       0x01 # uppercase
 expect_fail check  sha512-224 0x01 # valid for pkcs1
 expect_fail check  sha512-256 0x01 # valid for pkcs1
 expect_fail check  unknown    0x01 # nonexistent
 expect_pass check  sha224     0x0407 d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f
 expect_pass check  sha256     0x0404 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 expect_pass check  sha384     0x0405 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b
 expect_pass check  sha512     0x0406 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
 expect_pass check  rmd160     0x0403 9c1185a5c5e9fc54612808977ee8f548b2258d31
 expect_fail check  sm3        0x01
 expect_fail check  sm3-256    0x01
 _enable_gost_engine
 expect_pass check  md_gost12_256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
 expect_pass check  streebog256   0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
 expect_pass check  md_gost12_512 0x0413 8e945da209aa869f0455928529bcae4679e9873ab707b55315f56ceb98bef0a7362f715528356ee83cda5f2aac4c6ad2ba3a715c1bcd81cb8e9f90bf4c1c1a8a
 expect_pass check  streebog512   0x0413 8e945da209aa869f0455928529bcae4679e9873ab707b55315f56ceb98bef0a7362f715528356ee83cda5f2aac4c6ad2ba3a715c1bcd81cb8e9f90bf4c1c1a8a
--- a/tests/openclose.c
+++ b/tests/openclose.c
@ -0,0 +1,20 @@
 #include <unistd.h>
 #include <stdio.h>
 #include <fcntl.h>
 #include <stdlib.h>
 int main(int argc, char *argv[])
 {
 	int fd;
 	fd = open(argv[1], O_RDONLY);
 	if (fd < 0) {
 		perror("open()");
 		exit(1);
 	}
 	close(fd);
 	return 0;
 }
--- a/tests/sample-ascii_runtime_measurements-pcrs-8-9
+++ b/tests/sample-ascii_runtime_measurements-pcrs-8-9
@ -1 +0,0 @@
 10 2e03b3fdb0014fc8bae2a07ca33ae67125b290f3 ima-ng sha256:83d19723ef3b3c05bb8ae70d86b3886c158f2408f1b71ed265886a7b79eb700e boot_aggregate
--- a/tests/sample-binary_bios_measurements-pcrs-8-9
+++ b/tests/sample-binary_bios_measurements-pcrs-8-9
--- a/tests/sample-tpm-2.0-pcrs-8-9
+++ b/tests/sample-tpm-2.0-pcrs-8-9
@ -1,25 +0,0 @@
 pcrread: tsspcrread -halg sha1
 0: 92c1850372e9493929aa9a2e9ea953e21ff1be45
 1: 41c54039ca2750ea60d8ab7c48b142b10aba5667
 2: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
 3: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
 4: 4c1a19aad90f770956ff5ee00334a2d548b1a350
 5: a1444a8a9904666165730168b3ae489447d3cef7
 6: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
 7: 5c6327a67ff36f138e0b7bb1d2eafbf8a6e52ebf
 8: fed489d2e5f9f85136e5ff53553d5f8b978dbe1a
 9: a2fa191f2622bb014702013bfebfca9fe210d9e5
 10: 3134641a3e8a1f5f75fa850bb21c3104d6ab863b
 11: 0000000000000000000000000000000000000000
 12: 0000000000000000000000000000000000000000
 13: 0000000000000000000000000000000000000000
 14: 71161a5707051fa7d6f584d812240b2e80f61942
 15: 0000000000000000000000000000000000000000
 16: 0000000000000000000000000000000000000000
 17: ffffffffffffffffffffffffffffffffffffffff
 18: ffffffffffffffffffffffffffffffffffffffff
 19: ffffffffffffffffffffffffffffffffffffffff
 20: ffffffffffffffffffffffffffffffffffffffff
 21: ffffffffffffffffffffffffffffffffffffffff
 22: ffffffffffffffffffffffffffffffffffffffff
 23: 0000000000000000000000000000000000000000
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@ -1,370 +0,0 @@
 #!/bin/bash
 # SPDX-License-Identifier: GPL-2.0
 #
 # evmctl {,ima_}{sign,verify} tests
 #
 # Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2, or (at your option)
 # any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 cd "$(dirname "$0")" || exit 1
 PATH=../src:$PATH
 source ./functions.sh
 _require evmctl openssl xxd getfattr
 ./gen-keys.sh >/dev/null 2>&1
 trap _report_exit EXIT
 set -f # disable globbing
 # Determine keyid from a cert
 _keyid_from_cert() {
  local cer=${1%.*}.cer cmd
  local tmp
  cer=test-${cer#test-}
  # shellcheck disable=SC2086
  cmd="openssl x509 $OPENSSL_ENGINE \
          -in $cer -inform DER -pubkey -noout"
  id=$($cmd 2>/dev/null \
    | openssl asn1parse \
    | grep BIT.STRING \
    | cut -d: -f1)
  if [ -z "$id" ]; then
    echo - "$cmd" >&2
    echo "Cannot asn1parse $cer to determine keyid" >&2
    exit 1
  fi
  tmp=$(mktemp)
  # shellcheck disable=SC2086
  openssl x509 $OPENSSL_ENGINE \
      -in "$cer" -inform DER -pubkey -noout 2>/dev/null \
    | openssl asn1parse -strparse "$id" -out "$tmp" -noout
  # shellcheck disable=SC2002
  cat "$tmp" \
    | openssl dgst -c -sha1 \
    | cut -d' ' -f2 \
    | grep -o ":..:..:..:..$" \
    | tr -d :
  rm -f "$tmp"
 }
 # Convert test $type into evmctl op prefix
 _op() {
  if [ "$1" = ima ]; then
    echo ima_
  fi
 }
 # Convert test $type into xattr name
 _xattr() {
  if [ "$1" = ima ]; then
    echo user.ima
  else
    echo user.evm
  fi
 }
 # Check that detached signature matches xattr signature
 _test_sigfile() {
  local file=$1 attr=$2 file_sig=$3 file_sig2=$4
  if [ ! -e "$file_sig" ]; then
    color_red
    echo "evmctl ima_sign: no detached signature $file_sig"
    color_restore
    rm "$file"
    return "$FAIL"
  fi
  _extract_xattr "$file" "$attr" "$file_sig2"
  if ! cmp -bl "$file_sig" "$file_sig2"; then
    color_red
    echo "evmctl ima_sign: xattr signature on $file differ from detached $file_sig"
    color_restore
    rm "$file" "$file_sig" "$file_sig2"
    return "$FAIL"
  fi
  rm "$file_sig" "$file_sig2"
 }
 # Run single sign command
 _evmctl_sign() {
  local type=$1 key=$2 alg=$3 file=$4 opts=$5
  # Can check --sigfile for ima_sign
  [ "$type" = ima ] && opts+=" --sigfile"
  # shellcheck disable=SC2086
  ADD_TEXT_FOR="$alg ($key)" ADD_DEL=$file \
    _evmctl_run "$(_op "$type")sign" $opts \
    --hashalgo "$alg" --key "$key" --xattr-user "$file" || return
  if [ "$type" = ima ]; then
    _test_sigfile "$file" "$(_xattr "$type")" "$file.sig" "$file.sig2"
  fi
 }
 # Run and test {ima_,}sign operation
 check_sign() {
  # Arguments are passed via global vars:
  # TYPE (ima or evm),
  # KEY,
  # ALG (hash algo),
  # PREFIX (signature header prefix in hex),
  # OPTS (additional options for evmctl),
  # FILE (working file to sign).
  local "$@"
  local KEY=${KEY%.*}.key
  local FILE=${FILE:-$ALG.txt}
  # Normalize key filename
  KEY=test-${KEY#test-}
  # Append suffix to files for negative tests, because we may
  # leave only good files for verify tests.
  _test_expected_to_fail && FILE+='~'
  rm -f $FILE
  if ! touch $FILE; then
    color_red
    echo "Can't create test file: $FILE"
    color_restore
    return "$HARDFAIL"
  fi
  if _test_expected_to_pass; then
    # Can openssl work with this digest?
    cmd="openssl dgst $OPENSSL_ENGINE -$ALG $FILE"
    echo - "$cmd"
    if ! $cmd >/dev/null; then
      echo "${CYAN}$ALG ($KEY) test is skipped (openssl is unable to digest)$NORM"
      return "$SKIP"
    fi
    if [ ! -e "$KEY" ]; then
      echo "${CYAN}$ALG ($KEY) test is skipped (key file not found)$NORM"
      return "$SKIP"
    fi
    # Can openssl sign with this digest and key?
    cmd="openssl dgst $OPENSSL_ENGINE -$ALG -sign $KEY -hex $FILE"
    echo - "$cmd"
    if ! $cmd >/dev/null; then
      echo "${CYAN}$ALG ($KEY) test is skipped (openssl is unable to sign)$NORM"
      return "$SKIP"
    fi
  fi
  # Insert keyid from cert into PREFIX in-place of marker `:K:'
  if [[ $PREFIX =~ :K: ]]; then
    keyid=$(_keyid_from_cert "$KEY")
    if [ $? -ne 0 ]; then
      color_red
      echo "Unable to determine keyid for $KEY"
      color_restore
      return "$HARDFAIL"
    fi
    [ "$VERBOSE" -gt 2 ] && echo "  Expected keyid: $keyid"
    PREFIX=${PREFIX/:K:/$keyid}
  fi
  # Perform signing by evmctl
  _evmctl_sign "$TYPE" "$KEY" "$ALG" "$FILE" "$OPTS" || return
  # First simple pattern match the signature.
  ADD_TEXT_FOR=$ALG \
    _test_xattr "$FILE" "$(_xattr "$TYPE")" "$PREFIX.*" || return
  # This is all we can do for v1 signatures.
  [[ "$OPTS" =~ --rsa ]] && return "$OK"
  # This is all we can do for evm.
  [[ "$TYPE" =~ evm ]] && return "$OK"
  # Extract signature to a file
  _extract_xattr "$FILE" "$(_xattr "$TYPE")" "$FILE.sig2" "$PREFIX"
  # Verify extracted signature with openssl
  cmd="openssl dgst $OPENSSL_ENGINE -$ALG -verify ${KEY%.*}.pub \
 	-signature $FILE.sig2 $FILE"
  echo - "$cmd"
  if ! $cmd; then
    color_red_on_failure
    echo "Signature v2 verification with openssl is failed."
    color_restore
    rm "$FILE.sig2"
    return "$FAIL"
  fi
  rm "$FILE.sig2"
  return "$OK"
 }
 # Test verify operation
 check_verify() {
  # Arguments are passed via global vars:
  # TYPE (ima or evm),
  # KEY,
  # ALG (hash algo),
  # OPTS (additional options for evmctl),
  # FILE (filename to verify).
  local "$@"
  # shellcheck disable=SC2086
  if ! openssl dgst $OPENSSL_ENGINE -"$ALG" /dev/null >/dev/null 2>&1; then
    echo $CYAN"$ALG ($KEY) test is skipped (openssl does not support $ALG)"$NORM
    return $SKIP
  fi
  # shellcheck disable=SC2086
  ADD_TEXT_FOR="$FILE ($KEY)" \
    _evmctl_run "$(_op "$TYPE")verify" --key "$KEY" --xattr-user $OPTS "$FILE"
 }
 # Test runners
 # Perform sign and verify ima and evm testing
 sign_verify() {
  local key=$1 alg=$2 prefix="$3" opts="$4"
  local file=$alg.txt
  # Set defaults:
  # Public key is different for v1 and v2 (where x509 cert is used).
  if [[ $opts =~ --rsa ]]; then
    KEY=test-$key.pub
  else
    KEY=test-$key.cer
  fi
  ALG=$alg
  PREFIX=$prefix
  OPTS=$opts
  FILE=$file
  TYPE=ima
  if expect_pass check_sign; then
    # Normal verify with proper key should pass
    expect_pass check_verify
    # Multiple files and some don't verify
    expect_fail check_verify FILE="/dev/null $file"
  fi
  TYPE=evm
  # Avoid running blkid for evm tests which may require root
  # No generation on overlayfs:
  # ioctl(3, FS_IOC_GETVERSION, 0x7ffd8e0bd628) = -1 ENOTTY (Inappropriate ioctl for device)
  OPTS="$opts --uuid --generation 0"
  if expect_pass check_sign; then
    # Normal verify with proper key
    expect_pass check_verify
    # Verify with wrong key
    expect_fail check_verify KEY=rsa2048
  fi
  # Note: Leaving TYPE=evm and file is evm signed
 }
 # Test --keys
 try_different_keys() {
  # This run after sign_verify which leaves
  # TYPE=evm and file is evm signed
  # v2 signing can work with multiple keys in --key option
  if [[ ! $OPTS =~ --rsa ]]; then
    # Have correct key in the key list
    expect_pass check_verify KEY="test-rsa2048.cer,$KEY"
    expect_pass check_verify KEY="/dev/null,$KEY,"
  fi
  # Try key that is not used for signing
  expect_fail check_verify KEY=rsa2048
  # Try completely wrong key files
  expect_fail check_verify KEY=/dev/null
  expect_fail check_verify KEY=/dev/zero
 }
 try_different_sigs() {
  # TYPE=evm and file is evm signed
  # Test --imasig
  if expect_pass check_sign OPTS="$OPTS --imasig"; then
    # Verify both evm and ima sigs
    expect_pass check_verify
    expect_pass check_verify TYPE=ima
  fi
  # Test --imahash
  if expect_pass check_sign OPTS="$OPTS --imahash"; then
    expect_pass check_verify
    # IMA hash is not verifiable by ima_verify
    expect_fail check_verify TYPE=ima
  fi
  # Test --portable
  expect_pass check_sign OPTS="$OPTS --portable" PREFIX=0x05
  # Cannot be verified for now, until that support is added to evmctl
  # Test -i (immutable)
  expect_pass check_sign OPTS="$OPTS -i" PREFIX=0x0303
  # Cannot be verified for now
 }
 # Single test args: type key hash signature-prefix "evmctl-options"
 # sign_verify args:      key hash signature-prefix "evmctl-options"
 # Only single test can be prefixed with expect_{fail,pass}
 # `sign_verify' can not be prefixed with expect_{fail,pass} because
 # it runs multiple tests inside. See more tests there.
 # signature-prefix can contain `:K:' which will be resolved to keyid (v2 only)
 ## Test v1 signatures
 # Signature v1 only supports sha1 and sha256 so any other should fail
 expect_fail \
  check_sign TYPE=ima KEY=rsa1024 ALG=md5 PREFIX=0x0301 OPTS=--rsa
 sign_verify  rsa1024  sha1    0x0301 --rsa
 sign_verify  rsa1024  sha256  0x0301 --rsa
  try_different_keys
  try_different_sigs
 ## Test v2 signatures with RSA PKCS#1
 # List of allowed hashes much greater but not all are supported.
 sign_verify  rsa1024  md5     0x030201:K:0080
 sign_verify  rsa1024  sha1    0x030202:K:0080
 sign_verify  rsa1024  sha224  0x030207:K:0080
 sign_verify  rsa1024  sha256  0x030204:K:0080
  try_different_keys
  try_different_sigs
 sign_verify  rsa1024  sha384  0x030205:K:0080
 sign_verify  rsa1024  sha512  0x030206:K:0080
 sign_verify  rsa1024  rmd160  0x030203:K:0080
 # Test v2 signatures with EC-RDSA
 _enable_gost_engine
 sign_verify  gost2012_256-A md_gost12_256 0x030212:K:0040
 sign_verify  gost2012_256-B md_gost12_256 0x030212:K:0040
 sign_verify  gost2012_256-C md_gost12_256 0x030212:K:0040
 sign_verify  gost2012_512-A md_gost12_512 0x030213:K:0080
 sign_verify  gost2012_512-B md_gost12_512 0x030213:K:0080
 # Test if signing with wrong key length does not work.
 expect_fail \
  check_sign TYPE=ima KEY=gost2012_512-B ALG=md_gost12_256 PREFIX=0x0302 OPTS=
 expect_fail \
  check_sign TYPE=ima KEY=gost2012_256-B ALG=md_gost12_512 PREFIX=0x0302 OPTS=
--- a/tests/test_ascii_runtime_measurements
+++ b/tests/test_ascii_runtime_measurements
@ -1,3 +0,0 @@
 10 cf41b43c4031672fcc2bd358b309ad33b977424f ima-ng sha256:f1b4c7c9b27e94569f4c2b64051c452bc609c3cb891dd7fae06b758f8bc83d14 boot_aggregate
 10 983dcd8e6f7c84a1a5f10e762d1850623966ceab ima-ng sha256:ae06e032a65fed8102aff5f8f31c678dcf2eb25b826f77ecb699faa0411f89e0 /init
 10 b6e4d01c73f6e4b698eaf48e7d76a2bae0c02514 ima-ng sha256:4b1764ee112aa8b2a6ae9a3a2f1e272b6601681f610708497673cd49e5bd2f5c /bin/sh
--- a/tests/test_binary_bios_measurements
+++ b/tests/test_binary_bios_measurements
Author	SHA1	Message	Date
Dmitry Kasatkin	510061c2b8	Added RPM and TAR building rules Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-04-05 15:24:01 +03:00
Dmitry Kasatkin	7b0cbf5e53	evm-utils renamed to ima-evm-utils Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-04-05 14:54:28 +03:00
Dmitry Kasatkin	776183a642	added command options description Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-04-05 14:32:28 +03:00
Dmitry Kasatkin	c3d090abba	removed unused parameter Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-04-05 13:48:39 +03:00
Dmitry Kasatkin	bb79f7aaf2	import functions combined Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-04-05 13:48:08 +03:00
Dmitry Kasatkin	a3c7609b80	updated error handling Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-04-05 12:23:45 +03:00
Dmitry Kasatkin	d70816cbf1	read list of existing extended attributes getxattr() might return runtime value which does not really exist on file system. It happens for SMACK LSM. Reading the list of existing attributes allows to prevent such to happen. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-04-04 16:48:38 +03:00
Dmitry Kasatkin	c6c8cccb83	added HMAC API error handling Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-04-04 16:48:16 +03:00
Dmitry Kasatkin	94de24e5ad	version 0.1.0	2012-04-02 15:52:30 +03:00
Dmitry Kasatkin	3f2f98aef8	remove unused parameter Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-03-15 11:52:36 +02:00
Dmitry Kasatkin	ae47101134	Changed time_t timestamp type to uint32_t time_t is actually long and is different on 32 and 64 bit architectures. Format of the signatures should not depend on the architecture and should be the same. Changed timestamp to uint32_t like in GPG. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-02-02 10:12:34 +02:00
Dmitry Kasatkin	d98e4a9bed	Added missing CFLAGS Added missing CFLAGS Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-02-01 15:24:07 +02:00
Dmitry Kasatkin	179664d7e9	Added signature write to .sig file To enable module signature verification working on file systems without extended attributes, or to be able to copy modules by methods, which does not support extended attribute copying, it is necessary to store signature in the file. This patch provides command line parameter for storing signature in .sig file. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-02-01 15:24:02 +02:00
Dmitry Kasatkin	c440d2d95f	Change set_xattr to xattr. set_xattr changed to xattr. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-02-01 11:10:15 +02:00
Dmitry Kasatkin	fed7fb6933	Changed to conform Linux kernel coding style Changed to conform Linux kernel coding style, except 80 characters line length limit. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-02-01 11:04:36 +02:00
Dmitry Kasatkin	78494ab370	added password parameter for using encrypted keys Added password parameter for using encrypted keys. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-02-01 10:35:43 +02:00
Dmitry Kasatkin	192f897b8e	added openssl initialization and error reporting Added openssl initialization and error reporting. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-02-01 10:35:38 +02:00
Dmitry Kasatkin	0799e24820	minor fixes - error message - command info Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-01-30 13:23:28 +02:00
Dmitry Kasatkin	c94a0b9262	Merge branch 'master' of ssh://linux-ima.git.sourceforge.net/gitroot/linux-ima/evm-utils	2011-12-02 14:39:56 +02:00
Dmitry Kasatkin	e2da6956c4	evmctl - IMA/EVM control tool evmctl provides signing support for IMA/EVM. Functionality includes signing of file content (IMA), file metadata (EVM), importing public keys into kernel keyring. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2011-10-14 16:53:34 +03:00
		`@ -1,4 +0,0 @@`
			`#!/bin/sh`

			`gcc -static -o evmctl.static -include config.h src/evmctl.c src/libimaevm.c -lcrypto -lkeyutils -ldl`
		`@ -1 +0,0 @@`
			`10 2e03b3fdb0014fc8bae2a07ca33ae67125b290f3 ima-ng sha256:83d19723ef3b3c05bb8ae70d86b3886c158f2408f1b71ed265886a7b79eb700e boot_aggregate`