Release version 1.4

Updated both the release and library (ABI change) versions.  See the
NEWS file for a short summary and the git history for details.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

.github/workflows/ci.yml

@@ -0,0 +1,137 @@
+# Copyright (c) 2021 Petr Vorel <pvorel@suse.cz>
+name: "distros"
+on: [push, pull_request]
+
+jobs:
+  job:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # 32bit build
+          - container: "debian:stable"
+            env:
+              CC: gcc
+              ARCH: i386
+              TSS: tpm2-tss
+              VARIANT: i386
+              COMPILE_SSL: openssl-3.0.0-beta1
+
+          # cross compilation builds
+          - container: "debian:stable"
+            env:
+              ARCH: ppc64el
+              CC: powerpc64le-linux-gnu-gcc
+              TSS: ibmtss
+              VARIANT: cross-compile
+
+          - container: "debian:stable"
+            env:
+              ARCH: arm64
+              CC: aarch64-linux-gnu-gcc
+              TSS: tpm2-tss
+              VARIANT: cross-compile
+
+          - container: "debian:stable"
+            env:
+              ARCH: s390x
+              CC: s390x-linux-gnu-gcc
+              TSS: ibmtss
+              VARIANT: cross-compile
+
+          # musl (native)
+          - container: "alpine:latest"
+            env:
+              CC: gcc
+              TSS: tpm2-tss
+
+          # glibc (gcc/clang)
+          - container: "opensuse/tumbleweed"
+            env:
+              CC: clang
+              TSS: ibmtss
+              COMPILE_SSL: openssl-3.0.0-beta1
+
+          - container: "opensuse/leap"
+            env:
+              CC: gcc
+              TSS: tpm2-tss
+
+          - container: "ubuntu:groovy"
+            env:
+              CC: gcc
+              TSS: ibmtss
+              COMPILE_SSL: openssl-3.0.0-beta1
+
+          - container: "ubuntu:xenial"
+            env:
+              CC: clang
+              TSS: tpm2-tss
+
+          - container: "fedora:latest"
+            env:
+              CC: clang
+              TSS: ibmtss
+
+          - container: "centos:7"
+            env:
+              CC: gcc
+              TSS: tpm2-tss
+
+          - container: "centos:latest"
+            env:
+              CC: gcc
+              TSS: tpm2-tss
+
+          - container: "debian:testing"
+            env:
+              CC: clang
+              TSS: tpm2-tss
+
+          - container: "debian:stable"
+            env:
+              CC: clang
+              TSS: ibmtss
+
+          - container: "alt:sisyphus"
+            env:
+              CC: gcc
+              TSS: libtpm2-tss-devel
+
+    container:
+      image: ${{ matrix.container }}
+      env: ${{ matrix.env }}
+      options: --security-opt seccomp=unconfined
+
+    steps:
+    - name: Show OS
+      run: cat /etc/os-release
+
+    - name: Git checkout
+      uses: actions/checkout@v1
+
+    - name: Install additional packages
+      run: |
+        INSTALL=${{ matrix.container }}
+        INSTALL="${INSTALL%%:*}"
+        INSTALL="${INSTALL%%/*}"
+        if [ "$VARIANT" ]; then ARCH="$ARCH" ./ci/$INSTALL.$VARIANT.sh; fi
+        ARCH="$ARCH" CC="$CC" TSS="$TSS" ./ci/$INSTALL.sh
+        if [ "$COMPILE_SSL" ]; then COMPILE_SSL="$COMPILE_SSL" ./tests/install-openssl3.sh; fi
+
+    - name: Build swtpm
+      run: |
+        if [ ! "$VARIANT" ]; then
+          which tpm_server || which swtpm || \
+            if which tssstartup; then
+              ./tests/install-swtpm.sh;
+            fi
+        fi
+
+    - name: Compiler version
+      run: $CC --version
+
+    - name: Compile
+      run: CC="$CC" VARIANT="$VARIANT" ./build.sh

.gitignore

@@ -2,6 +2,8 @@
 *~
 
 # Generated by autotools
+.libs
+m4
 .deps
 aclocal.m4
 autom4te.cache
@@ -19,10 +21,13 @@ missing
 compile
 libtool
 ltmain.sh
+test-driver
 
 # Compiled executables
 *.o
 *.a
+*.lo
+*.la
 src/evmctl
 tests/openclose
 config.h
@@ -40,6 +45,7 @@ cscope.*
 ncscope.*
 
 # Generated documentation
+*.1
 *.8
 *.5
 manpage.links

.travis.yml

@@ -0,0 +1,98 @@
+# Copyright (c) 2017-2021 Petr Vorel <pvorel@suse.cz>
+
+dist: bionic
+language: C
+services:
+    - docker
+
+matrix:
+    include:
+        # 32 bit build
+        - os: linux
+          env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss COMPILE_SSL=openssl-3.0.0-beta1
+          compiler: gcc
+
+        # cross compilation builds
+        - os: linux
+          env: DISTRO=debian:stable VARIANT=cross-compile ARCH=ppc64el TSS=ibmtss
+          compiler: powerpc64le-linux-gnu-gcc
+
+        - os: linux
+          env: DISTRO=debian:stable VARIANT=cross-compile ARCH=arm64 TSS=tpm2-tss
+          compiler: aarch64-linux-gnu-gcc
+
+        - os: linux
+          env: DISTRO=debian:stable VARIANT=cross-compile ARCH=s390x TSS=ibmtss
+          compiler: s390x-linux-gnu-gcc
+
+        # musl
+        - os: linux
+          env: DISTRO=alpine:latest TSS=tpm2-tss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
+          compiler: gcc
+
+        # glibc (gcc/clang)
+        - os: linux
+          env: DISTRO=opensuse/tumbleweed TSS=ibmtss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host" COMPILE_SSL=openssl-3.0.0-beta1
+          compiler: clang
+
+        - os: linux
+          env: DISTRO=opensuse/leap TSS=tpm2-tss
+          compiler: gcc
+
+        - os: linux
+          env: DISTRO=ubuntu:groovy TSS=ibmtss COMPILE_SSL=openssl-3.0.0-beta1
+          compiler: gcc
+
+        - os: linux
+          env: DISTRO=ubuntu:xenial TSS=tpm2-tss
+          compiler: clang
+
+        - os: linux
+          env: DISTRO=fedora:latest TSS=ibmtss CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
+          compiler: clang
+
+        - os: linux
+          env: DISTRO=centos:7 TSS=tpm2-tss
+          compiler: gcc
+
+        - os: linux
+          env: DISTRO=centos:latest TSS=tpm2-tss
+          compiler: clang
+
+        - os: linux
+          env: DISTRO=debian:testing TSS=tpm2-tss
+          compiler: clang
+
+        - os: linux
+          env: DISTRO=debian:stable TSS=ibmtss
+          compiler: gcc
+
+        - os: linux
+          env: REPO="docker.io/library/" DISTRO=${REPO}alt:sisyphus TSS=libtpm2-tss-devel CONTAINER=podman CONTAINER_ARGS="--runtime=/usr/bin/crun --network=host"
+          compiler: gcc
+
+before_install:
+    # Tumbleweed requires podman due docker incompatible with glibc 2.33
+    # (faccessat2) and crun (for clone3).
+    - CONTAINER="${CONTAINER:-docker}"
+    - >
+        if [ "$CONTAINER" = "podman" ]; then
+            # podman
+            . /etc/os-release
+            sudo sh -c "echo 'deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /' > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list"
+            wget -nv https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/xUbuntu_${VERSION_ID}/Release.key -O- | sudo apt-key add -
+            sudo apt update
+            sudo apt -y install podman slirp4netns crun
+        fi
+    - $CONTAINER info
+
+    - DIR="/usr/src/ima-evm-utils"
+    - printf "FROM $DISTRO\nRUN mkdir -p $DIR\nWORKDIR $DIR\nCOPY . $DIR\n" > Dockerfile
+    - cat Dockerfile
+    - $CONTAINER build $CONTAINER_ARGS -t ima-evm-utils .
+
+script:
+    - INSTALL="${DISTRO#${REPO}}"
+    - INSTALL="${INSTALL%%:*}"
+    - INSTALL="${INSTALL%%/*}"
+    - $CONTAINER run $CONTAINER_ARGS -t ima-evm-utils /bin/sh -c "if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./ci/$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./ci/$INSTALL.sh && if [ "$COMPILE_SSL" ]; then COMPILE_SSL="$COMPILE_SSL" ./tests/install-openssl3.sh; fi && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || if which tssstartup; then ./tests/install-swtpm.sh; fi; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ./build.sh"

AUTHORS

@@ -2,4 +2,5 @@ Dmitry Kasatkin <d.kasatkin@samsung.com>
 
 CONTRIBUTORS:
 Vivek Goyal <vgoyal@redhat.com>
+Mimi Zohar <zohar@linux.vnet.ibm.com>
 

COPYING

@@ -1,12 +1,12 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
 
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-     59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
-			    Preamble
+                            Preamble
 
   The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@@ -15,7 +15,7 @@ software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
+the GNU Lesser General Public License instead.)  You can apply it to
 your programs, too.
 
   When we speak of free software, we are referring to freedom, not
@@ -55,8 +55,8 @@ patent must be licensed for everyone's free use or not licensed at all.
 
   The precise terms and conditions for copying, distribution and
 modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
+
+                    GNU GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
   0. This License applies to any program or other work which contains
@@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions:
     License.  (Exception: if the Program itself is interactive but
     does not normally print such an announcement, your work based on
     the Program is not required to print an announcement.)
-
+
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
@@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
-
+
   4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
@@ -225,7 +225,7 @@ impose that choice.
 
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
-
+
   8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
@@ -255,7 +255,7 @@ make exceptions for this.  Our decision will be guided by the two goals
 of preserving the free status of all derivatives of our free software and
 of promoting the sharing and reuse of software generally.
 
-			    NO WARRANTY
+                            NO WARRANTY
 
   11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
@@ -277,9 +277,9 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
 
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
 
   If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
@@ -303,17 +303,16 @@ the "copyright" line and a pointer to where the full notice is found.
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     GNU General Public License for more details.
 
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 
 Also add information on how to contact you by electronic and paper mail.
 
 If the program is interactive, make it output a short notice like this
 when it starts in an interactive mode:
 
-    Gnomovision version 69, Copyright (C) year  name of author
+    Gnomovision version 69, Copyright (C) year name of author
     Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
     This is free software, and you are welcome to redistribute it
     under certain conditions; type `show c' for details.
@@ -336,5 +335,5 @@ necessary.  Here is a sample; alter the names:
 This General Public License does not permit incorporating your program into
 proprietary programs.  If your program is a subroutine library, you may
 consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
+library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.

ChangeLog

@@ -1,42 +0,0 @@
-2013-08-28  Dmitry Kasatkin <d.kasatkin@samsung.com>
-
-	version 0.6
-	* support for asymmetric crypto keys and new signature format (v2)
-	* fixes to set correct hash algo for digital signature v1
-	* uuid support for EVM
-	* signature verification support
-	* test scripts removed
-	* README updates
-
-2012-05-18  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
-
-	version 0.3
-	* llistxattr returns 0 if there are no xattrs and it is valid
-	* Added entry type to directory hash calculation
-	* inline block variable renamed
-	* Remove forced tag creation
-	* Use libexec for programs and scripts
-	* Some files updated
-	* Do not search for algorithm as it is known
-	* Refactored to remove redundant hash initialization code
-	* Added hash calculation for special files
-
-2012-04-05  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
-
-	version 0.2
-	* added RPM & TAR building makefile rules
-	* renamed evm-utils to ima-evm-utils
-	* added command options description
-	* updated error handling
-	* refactored redundant code
-
-2012-04-02  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
-
-	version 0.1.0
-	* Fully functional version for lastest 3.x kernels
-
-2011-08-24  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
-
-	version 0.1
-	* Initial public version.
-

INSTALL

@@ -1,7 +1,7 @@
 Installation Instructions
 *************************
 
-Copyright (C) 1994-1996, 1999-2002, 2004-2011 Free Software Foundation,
+Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation,
 Inc.
 
    Copying and distribution of this file, with or without modification,
@@ -9,10 +9,33 @@ are permitted in any medium without royalty provided the copyright
 notice and this notice are preserved.  This file is offered as-is,
 without warranty of any kind.
 
+Prerequisites
+=============
+
+This project has the following prerequisites:
+
+(Ubuntu package names)
+	libkeyutils-dev
+	libtasn1-dev
+	libgmp-dev
+	libnspr4-dev
+	libnss3-dev
+
+These software TPMs are supported:
+      https://sourceforge.net/projects/ibmswtpm2/
+      https://github.com/stefanberger/swtpm
+
+      swtpm depends upon
+      https://github.com/stefanberger/libtpms
+
+Supported TSSes include these.  Both are included in some distros.
+	  IBM TSS https://sourceforge.net/projects/ibmtpm20tss/
+	  Intel TSS
+
 Basic Installation
 ==================
 
-   Briefly, the shell commands `./configure; make; make install' should
+   Briefly, the shell commands `autoreconf -i; ./configure; make; make install' should
 configure, build, and install this package.  The following
 more-detailed instructions are generic; see the `README' file for
 instructions specific to this package.  Some packages provide this
@@ -51,7 +74,7 @@ of `autoconf'.
    The simplest way to compile this package is:
 
   1. `cd' to the directory containing the package's source code and type
-     `./configure' to configure the package for your system.
+     `autoreconf -i' and then `./configure' to configure the package for your system.
 
      Running `configure' might take a while.  While running, it prints
      some messages telling which features it is checking for.
@@ -309,9 +332,10 @@ causes the specified `gcc' to be used as the C compiler (unless it is
 overridden in the site shell script).
 
 Unfortunately, this technique does not work for `CONFIG_SHELL' due to
-an Autoconf bug.  Until the bug is fixed you can use this workaround:
+an Autoconf limitation.  Until the limitation is lifted, you can use
+this workaround:
 
-     CONFIG_SHELL=/bin/bash /bin/bash ./configure CONFIG_SHELL=/bin/bash
+     CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash
 
 `configure' Invocation
 ======================
@@ -367,4 +391,3 @@ operates.
 
 `configure' also accepts some other, not widely useful, options.  Run
 `configure --help' for more details.
-

Makefile.am

@@ -1,6 +1,12 @@
-SUBDIRS = src
+SUBDIRS = src tests
+if MANPAGE_DOCBOOK_XSL
+dist_man_MANS = evmctl.1
+endif
 
-EXTRA_DIST = autogen.sh
+doc_DATA =  examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
+EXTRA_DIST = autogen.sh $(doc_DATA)
+
+CLEANFILES = *.html *.xsl
 
 ACLOCAL_AMFLAGS = -I m4
 
@@ -19,4 +25,19 @@ rpm: $(tarname)
 	cp $(tarname) $(SRCS)/
 	rpmbuild -ba --nodeps $(SPEC)
 
+if MANPAGE_DOCBOOK_XSL
+evmctl.1.html: README
+	@asciidoc -o $@ $<
+
+evmctl.1:
+	asciidoc -d manpage -b docbook -o evmctl.1.xsl README
+	xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl
+	rm -f evmctl.1.xsl
+
+rmman:
+	rm -f evmctl.1
+
+doc: evmctl.1.html rmman evmctl.1
+endif
+
 .PHONY: $(tarname)

NEWS

@@ -0,0 +1,222 @@
+2021-10-22  Mimi Zohar <zohar@linux.ibm.com>
+
+	version 1.4:
+	* Elliptic curve support and tests
+	* PKCS11 support and tests
+	* Ability to manually specify the keyid included in the IMA xattr
+	* Improve IMA measurement list per TPM bank verification
+	* Linking with IBM TSS
+	* Set default hash algorithm in package configuration
+	* (Minimal) support and test EVM portable signatures
+	* CI testing:
+	  * Refresh and include new distros
+	  * Podman support
+	  * GitHub Actions
+	  * Limit "sudo" usage
+	* Misc bug fixes and code cleanup
+	  * Fix static analysis bug reports, memory leaks
+	  * Remove experimental code that was never upstreamed in the kernel
+	  * Use unsigned variable, remove unused variables, etc
+
+2020-10-28  Mimi Zohar <zohar@linux.ibm.com>
+
+	version 1.3.2:
+	* Bugfixes: importing keys
+	* NEW: Docker based travis distro testing
+	* Travis bugfixes, code cleanup, software version update,
+	  and script removal
+	* Initial travis testing
+
+2020-08-11  Mimi Zohar <zohar@linux.ibm.com>
+
+	version 1.3.1:
+	* "--pcrs" support for per crypto algorithm
+	* Drop/rename "ima_measurement" options
+	* Moved this summary from "Changelog" to "NEWS", removing
+	  requirement for GNU empty files
+	* Distro build fixes
+
+2020-07-21  Mimi Zohar <zohar@linux.ibm.com>
+
+	version 1.3 new features:
+	* NEW ima-evm-utils regression test infrastructure with two initial
+	  tests:
+	  - ima_hash.test: calculate/verify different crypto hash algorithms
+	  - sign_verify.test: EVM and IMA sign/verify signature tests
+	* TPM 2.0 support
+	  - Calculate the new per TPM 2.0 bank template data digest
+	  - Support original padding the SHA1 template data digest
+	  - Compare ALL the re-calculated TPM 2.0 bank PCRs against the
+	    TPM 2.0 bank PCR values
+	  - Calculate the per TPM bank "boot_aggregate" values, including
+	    PCRs 8 & 9 in calculation
+	  - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
+	  - boot_aggregate.test: compare the calculated "boot_aggregate"
+	    values with the "boot_aggregate" value included in the IMA
+	    measurement.
+	* TPM 1.2 support
+	  - Additionally support reading the TPM 1.2 PCRs from a supplied file
+	    ("--pcrs" option)
+	* Based on original IMA LTP and standalone version support
+	  - Calculate the TPM 1.2 "boot_aggregate" based on the exported
+	    TPM 1.2 BIOS event log.
+	  - In addition to verifying the IMA measurement list against the
+	    the TPM PCRs, verify the IMA template data digest against the
+	    template data.  (Based on LTP "--verify" option.)
+	  - Ignore file measurement violations while verifying the IMA
+	    measurment list. (Based on LTP "--validate" option.)
+	  - Verify the file data signature included in the measurement list
+	    based on the file hash also included in the measurement list
+	    (--verify-sig)
+	  - Support original "ima" template (mixed templates not supported)
+	* Support "sm3" crypto name
+
+	Bug fixes and code cleanup:
+	* Don't exit with -1 on failure, exit with 125
+	* On signature verification failure, include pathname.
+	* Provide minimal hash_info.h file in case one doesn't exist, needed
+	  by the ima-evm-utils regression tests.
+	* On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs
+	* Fix hash_algo type comparison mismatch
+	* Simplify/clean up code
+	* Address compiler complaints and failures
+	* Fix memory allocations and leaks
+	* Sanity check provided input files are regular files
+	* Revert making "tsspcrread" a compile build time decision.
+	* Limit additional messages based on log level (-v)
+
+2019-07-30  Mimi Zohar <zohar@linux.ibm.com>
+
+	version 1.2.1 Bug fixes:
+	* When verifying multiple file signatures, return correct status
+	* Don't automatically use keys from x509 certs if user supplied "--rsa"
+	* Fix verifying DIGSIG_VERSION_1 signatures
+	* autoconf, openssl fixes
+
+
+2019-07-24  Mimi Zohar <zohar@linux.ibm.com>
+
+	version 1.2 new features:
+	* Generate EVM signatures based on the specified hash algorithm
+	* include "security.apparmor" in EVM signature
+	* Add support for writing & verifying "user.xxxx" xattrs for testing
+	* Support Strebog/Gost hash functions
+	* Add OpenSSL engine support
+	* Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
+	* Support verifying multiple signatures at once
+	* Support new template "buf" field and warn about other unknown fields
+	* Improve OpenSSL error reporting
+	* Support reading TPM 2.0 PCRs using tsspcrread
+
+	Bug fixes and code cleanup:
+	* Update manpage stylesheet detection
+	* Fix xattr.h include file
+	* On error when reading TPM PCRs, don't log gargabe
+	* Properly return keyid string to calc_keyid_v1/v2 callers, caused by
+	  limiting keyid output to verbose mode
+	* Fix hash buffer overflow caused by EVM support for larger hashes,
+	  defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
+	* Linked with libcrypto instead of OpenSSL
+	* Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
+	* Include new "hash-info.gen" in tar
+	* Log the hash algorithm, not just the hash value
+	* Fixed memory leaks in: EV_MD_CTX, init_public_keys
+	* Fixed other warnings/bugs discovered by clang, coverity
+	* Remove indirect calls in verify_hash() to improve code readability
+	* Don't fallback to using sha1
+	* Namespace some too generic object names
+	* Make functions/arrays static if possible
+
+
+2018-01-28  Mimi Zohar <zohar@us.ibm.com>
+
+	version 1.1
+	* Support the new openssl 1.1 api
+	* Support for validating multiple pcrs
+	* Verify the measurement list signature based on the list digest
+	* Verify the "ima-sig" measurement list using multiple keys
+	* Fixed parsing the measurement template data field length
+	* Portable & immutable EVM signatures (new format)
+	* Multiple fixes that have been lingering in the next branch. Some
+	  are for experimental features that are not yet supported in the
+	  kernel.
+
+2014-07-30  Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
+
+	version 1.0
+	* Recursive hashing
+	* Immutable EVM signatures (experimental)
+	* Command 'ima_clear' to remove xattrs
+	* Support for passing password to the library
+	* Support for asking password safely from the user
+
+2014-09-23  Dmitry Kasatkin <d.kasatkin@samsung.com>
+
+	version 0.9
+	* Updated README
+	* man page generated and added to the package
+	* Use additional SMACK xattrs for EVM signature generation
+	* Signing functions moved to libimaevm for external use (RPM)
+	* Fixed setting of correct hash header
+
+2014-05-05  Dmitry Kasatkin <d.kasatkin@samsung.com>
+
+	version 0.8
+	* Symbilic names for keyrings
+	* Hash list signing
+	* License text fix for using OpenSSL
+	* Help output fix
+
+2014-02-17  Dmitry Kasatkin <d.kasatkin@samsung.com>
+
+	version 0.7
+	* Fix symbolic links related bugs
+	* Provide recursive fixing
+	* Provide recursive signing
+	* Move IMA verification to the library (first for LTP use)
+	* Support for target architecture data size
+	* Remove obsolete module signing code
+	* Code cleanup
+
+2013-08-28  Dmitry Kasatkin <d.kasatkin@samsung.com>
+
+	version 0.6
+	* support for asymmetric crypto keys and new signature format (v2)
+	* fixes to set correct hash algo for digital signature v1
+	* uuid support for EVM
+	* signature verification support
+	* test scripts removed
+	* README updates
+
+2012-05-18  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
+
+	version 0.3
+	* llistxattr returns 0 if there are no xattrs and it is valid
+	* Added entry type to directory hash calculation
+	* inline block variable renamed
+	* Remove forced tag creation
+	* Use libexec for programs and scripts
+	* Some files updated
+	* Do not search for algorithm as it is known
+	* Refactored to remove redundant hash initialization code
+	* Added hash calculation for special files
+
+2012-04-05  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
+
+	version 0.2
+	* added RPM & TAR building makefile rules
+	* renamed evm-utils to ima-evm-utils
+	* added command options description
+	* updated error handling
+	* refactored redundant code
+
+2012-04-02  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
+
+	version 0.1.0
+	* Fully functional version for lastest 3.x kernels
+
+2011-08-24  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
+
+	version 0.1
+	* Initial public version.
+

README

@@ -1,50 +1,207 @@
-ima-evm-utils - IMA/EVM signing utility
-=========================================
+EVMCTL(1)
+=========
 
-Contents:
+NAME
+----
 
-   1. Key and signature formats
-   2. Key generation
-   3. Initialization
-   4. Signing
+evmctl - IMA/EVM signing utility
+
+
+SYNOPSIS
+--------
+
+evmctl [options] <command> [OPTIONS]
+
+
+DESCRIPTION
+-----------
+
+The evmctl utility can be used for producing and verifying digital signatures,
+which are used by Linux kernel integrity subsystem (IMA/EVM). It can be also
+used to import keys into the kernel keyring.
+
+COMMANDS
+--------
+
+ --version
+ help <command>
+ import [--rsa] pubkey keyring
+ sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
+ verify file
+ ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
+ ima_sign [--sigfile] [--key key] [--pass password] file
+ ima_verify file
+ ima_hash file
+ ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
+ ima_fix [-t fdsxm] path
+ sign_hash [--key key] [--pass password]
+ hmac [--imahash | --imasig ] file
+
+
+OPTIONS
+-------
+
+  -a, --hashalgo     sha1, sha224, sha256, sha384, sha512
+  -s, --imasig       make IMA signature
+  -d, --imahash      make IMA hash
+  -f, --sigfile      store IMA signature in .sig file instead of xattr
+      --xattr-user   store xattrs in user namespace (for testing purposes)
+      --rsa          use RSA key type and signing scheme v1
+  -k, --key          path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
+                     or a pkcs11 URI
+      --keyid n      overwrite signature keyid with a 32-bit value in hex (for signing)
+      --keyid-from-cert file
+                     read keyid value from SKID of a x509 cert file
+  -o, --portable     generate portable EVM signatures
+  -p, --pass         password for encrypted signing key
+  -r, --recursive    recurse into directories (sign)
+  -t, --type         file types to fix 'fxm' (f: file)
+                     x - skip fixing if both ima and evm xattrs exist (use with caution)
+                     m - stay on the same filesystem (like 'find -xdev')
+  -n                 print result to stdout instead of setting xattr
+  -u, --uuid         use custom FS UUID for EVM (unspecified: from FS, empty: do not use)
+      --smack        use extra SMACK xattrs for EVM
+      --m32          force EVM hmac/signature for 32 bit target system
+      --m64          force EVM hmac/signature for 64 bit target system
+      --engine e     preload OpenSSL engine e (such as: gost)
+      --pcrs         file containing TPM pcrs, one per hash-algorithm/bank
+      --ignore-violations ignore ToMToU measurement violations
+      --verify-sig   verify the file signature based on the file hash, both
+                     stored in the template data.
+  -v                 increase verbosity level
+  -h, --help         display this help and exit
+
+Environment variables:
+
+EVMCTL_KEY_PASSWORD  : Private key password to use; do not use --pass option
+
+
+INTRODUCTION
+------------
+
+Linux kernel integrity subsystem is comprised of a number of different components
+including the Integrity Measurement Architecture (IMA), Extended Verification Module
+(EVM), IMA-appraisal extension, digital signature verification extension and audit
+measurement log support.
+
+The evmctl utility is used for producing and verifying digital signatures, which
+are used by the Linux kernel integrity subsystem. It is also used for importing keys
+into the kernel keyring.
+
+Linux integrity subsystem allows to use IMA and EVM signatures. EVM signature
+protects file metadata, such as file attributes and extended attributes. IMA
+signature protects file content.
+
+For more detailed information about integrity subsystem it is recommended to follow
+resources in RESOURCES section.
+
+
+EVM HMAC and signature metadata
+-------------------------------
+
+EVM protects file metadata by including following attributes into HMAC and signature
+calculation: inode number, inode generation, UID, GID, file mode, security.selinux,
+security.SMACK64, security.ima, security.capability.
+
+EVM HMAC and signature in may also include additional file and file system attributes.
+Currently supported additional attributes are filesystem UUID and extra SMACK
+extended attributes.
+
+Kernel configuration option CONFIG_EVM_ATTR_FSUUID controls whether to include
+filesystem UUID into HMAC and enabled by default. Therefore evmctl also includes
+fsuuid by default. Providing '--uuid' option without parameter allows to disable
+usage of fs uuid. Providing '--uuid=UUID' option with parameter allows to use
+custom UUID. Providing the '--portable' option will disable usage of the fs uuid
+and also the inode number and generation.
+
+Kernel configuration option CONFIG_EVM_EXTRA_SMACK_XATTRS controls whether to
+include additional SMACK extended attributes into HMAC. They are following:
+security.SMACK64EXEC, security.SMACK64TRANSMUTE and security.SMACK64MMAP.
+evmctl '--smack' options enables that.
 
 
 Key and signature formats
 -------------------------
 
-EVM support (v2) in latest version of the kernel adds the file system UUID to
-the HMAC calculation. It is controlled by the CONFIG_EVM_HMAC_VERSION and
-version 2 is enabled by default. To include the UUID to the signature calculation,
-it is necessary to provide '--uuid' or '-u' parameter to the 'sign' command.
-UUID can be provided on command line in form of '-uUUID' or '--uuid=UUID'.
+Linux integrity subsystem supports two type of signature and respectively two
+key formats.
 
-Latest kernel got IMA/EVM support for using X509 certificates and asymmetric key
-support for verifying digital signatures. The new command line parameter
-'-x' or '--x509' was added to the evmctl to enable using of X509 certificates
-and new signature format.
+First key format (v1) is pure RSA key encoded in PEM a format and uses own signature
+format. It is now non-default format and requires to provide evmctl '--rsa' option
+for signing and importing the key.
+
+Second key format uses X509 DER encoded public key certificates and uses asymmetric key support
+in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).
+
+For v2 signatures x509 certificate (containing the public key) could be appended to the
+private key (they both are in PEM format) to automatically extract keyid from its Subject
+Key Identifier (SKID).
+
+Integrity keyrings
+----------------
+
+Integrity subsystem uses dedicated IMA/EVM keyrings to search for signature verification
+keys - '_ima' and '_evm' respectively.
+
+Since 3.13 IMA allows to declare IMA keyring as trusted. It allows only to load keys,
+signed by a key from the system keyring (.system). It means self-signed keys are not
+allowed. This is a default behavior unless CONFIG_IMA_TRUSTED_KEYRING is undefined.
+IMA trusted keyring is has different name '.ima'. Trusted keyring requires X509
+public key certificates. Old version RSA public keys are not compatible with trusted
+keyring.
 
 
-Key generation
---------------
+Generate EVM encrypted keys
+---------------------------
 
-Generate private key in plain text format
+EVM encrypted key is used for EVM HMAC calculation:
 
-    $ openssl genrsa -out privkey_evm.pem 1024
+    # create and save the key kernel master key (user type)
+    # LMK is used to encrypt encrypted keys
+    keyctl add user kmk "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
+    keyctl pipe `keyctl search @u user kmk` > /etc/keys/kmk
 
-Generate encrypted private key
+    # create the EVM encrypted key
+    keyctl add encrypted evm-key "new user:kmk 64" @u
+    keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key
 
-    $ openssl genrsa -des3 -out privkey_evm.pem 1024
 
-Make encrypted private key from unencrypted
+Generate EVM trusted keys (TPM based)
+-------------------------------------
 
-    $ openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
+Trusted EVM keys are keys which a generate with the help of TPM.
+They are not related to integrity trusted keys.
 
-Generate self-signed X509 certificate and private key for using kernel asymmetric
-keys support
+    # create and save the key kernel master key (user type)
+    keyctl add trusted kmk "new 32" @u
+    keyctl pipe `keyctl search @u trusted kmk` >kmk
 
-	$ openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
-	      -x509 -config x509_evm.genkey \
-	      -outform DER -out x509_evm.der -keyout privkey_evm.pem
+    # create the EVM trusted key
+    keyctl add encrypted evm-key "new trusted:kmk 32" @u
+    keyctl pipe `keyctl search @u encrypted evm-key` >evm-key
+
+
+Generate signing and verification keys
+--------------------------------------
+
+Generate private key in plain text format:
+
+    openssl genrsa -out privkey_evm.pem 1024
+
+Generate encrypted private key:
+
+    openssl genrsa -des3 -out privkey_evm.pem 1024
+
+Make encrypted private key from unencrypted:
+
+    openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
+
+Generate self-signed X509 public key certificate and private key for using kernel
+asymmetric keys support:
+
+    openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
+    	        -x509 -config x509_evm.genkey \
+	        -outform DER -out x509_evm.der -keyout privkey_evm.pem
 
 Configuration file x509_evm.genkey:
 
@@ -69,78 +226,232 @@ Configuration file x509_evm.genkey:
 	# EOF
 
 
-Get public key
+Generate public key for using RSA key format:
 
-    $ openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
-
-Copy keys to /etc/keys
-
-    $ cp pubkey_evm.pem /etc/keys
-    $ scp pubkey_evm.pem target:/etc/keys
-
-or
-    $ cp x509_evm.pem /etc/keys
-    $ scp x509_evm.pem target:/etc/keys
+    openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
 
 
-Initialization
---------------
+Copy keys to /etc/keys:
+
+    cp pubkey_evm.pem /etc/keys
+    scp pubkey_evm.pem target:/etc/keys
+ or
+    cp x509_evm.pem /etc/keys
+    scp x509_evm.pem target:/etc/keys
+
+
+Generate trusted keys
+---------------------
+
+Generation of trusted keys is a bit more complicated process and involves
+following steps:
+
+* Creation of local IMA certification authority (CA).
+  It consist of private and public key certificate which are used
+  to sign and verify other keys.
+* Build Linux kernel with embedded local IMA CA X509 certificate.
+  It is used to verify other keys added to the '.ima' trusted keyring
+* Generate IMA private signing key and verification public key certificate,
+  which is signed using local IMA CA private key.
+
+Configuration file ima-local-ca.genkey:
+
+	# Begining of the file
+	[ req ]
+	default_bits = 2048
+	distinguished_name = req_distinguished_name
+	prompt = no
+	string_mask = utf8only
+	x509_extensions = v3_ca
+
+	[ req_distinguished_name ]
+	O = IMA-CA
+	CN = IMA/EVM certificate signing key
+	emailAddress = ca@ima-ca
+
+	[ v3_ca ]
+	basicConstraints=CA:TRUE
+	subjectKeyIdentifier=hash
+	authorityKeyIdentifier=keyid:always,issuer
+	# keyUsage = cRLSign, keyCertSign
+	# EOF
+
+Generate private key and X509 public key certificate:
+
+ openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+             -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
+
+Produce X509 in DER format for using while building the kernel:
+
+ openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
+
+Configuration file ima.genkey:
+
+	# Begining of the file
+	[ req ]
+	default_bits = 1024
+	distinguished_name = req_distinguished_name
+	prompt = no
+	string_mask = utf8only
+	x509_extensions = v3_usr
+
+	[ req_distinguished_name ]
+	O = `hostname`
+	CN = `whoami` signing key
+	emailAddress = `whoami`@`hostname`
+
+	[ v3_usr ]
+	basicConstraints=critical,CA:FALSE
+	#basicConstraints=CA:FALSE
+	keyUsage=digitalSignature
+	#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+	subjectKeyIdentifier=hash
+	authorityKeyIdentifier=keyid
+	#authorityKeyIdentifier=keyid,issuer
+	# EOF
+
+
+Generate private key and X509 public key certificate signing request:
+
+ openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
+             -out csr_ima.pem -keyout privkey_ima.pem
+
+Sign X509 public key certificate signing request with local IMA CA private key:
+
+ openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+              -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
+              -outform DER -out x509_ima.der
+
+
+Sign file data and metadata
+---------------------------
+
+Default key locations:
+
+ Private RSA key: /etc/keys/privkey_evm.pem
+ Public RSA key: /etc/keys/pubkey_evm.pem
+ X509 certificate: /etc/keys/x509_evm.der
+
+Options to remember: '-k', '-r', '--rsa', '--uuid', '--smack'.
+
+Sign file with EVM signature and calculate hash value for IMA:
+
+    evmctl sign --imahash test.txt
+
+Sign file with both IMA and EVM signatures:
+
+    evmctl sign --imasig test.txt:
+
+Sign file with IMA signature:
+
+    evmctl ima_sign test.txt
+
+Sign recursively whole filesystem:
+
+    evmctl -r sign --imahash /
+
+Fix recursively whole filesystem:
+
+    evmctl -r ima_fix /
+
+Sign filesystem selectively using 'find' command:
+
+    find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign --imahash '{}' \;
+
+Fix filesystem selectively using 'find' command:
+
+    find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;
+
+
+Initialize IMA/EVM at early boot
+--------------------------------
 
 IMA/EVM initialization should be normally done from initial RAM file system
 before mounting root filesystem.
 
-Here is an example script /etc/initramfs-tools/scripts/local-top/ima.sh
+Here is Ubuntu initramfs example script (/etc/initramfs-tools/scripts/local-top/ima.sh)
 
-    # import EVM HMAC key
-    keyctl clear @u
-    keyctl add user kmk "testing123" @u
+    # mount securityfs if not mounted
+    SECFS=/sys/kernel/security
+    grep -q  $SECFS /proc/mounts || mount -n -t securityfs securityfs $SECFS
+
+    # search for IMA trusted keyring, then for untrusted
+    ima_id="`awk '/\.ima/ { printf "%d", "0x"$1; }' /proc/keys`"
+    if [ -z "$ima_id" ]; then
+        ima_id=`keyctl search @u keyring _ima 2>/dev/null`
+        if [ -z "$ima_id" ]; then
+	    ima_id=`keyctl newring _ima @u`
+        fi
+    fi
+    # import IMA X509 certificate
+    evmctl import /etc/keys/x509_ima.der $ima_id
+
+    # search for EVM keyring
+    evm_id=`keyctl search @u keyring _evm 2>/dev/null`
+    if [ -z "$evm_id" ]; then
+        evm_id=`keyctl newring _evm @u`
+    fi
+    # import EVM X509 certificate
+    evmctl import /etc/keys/x509_evm.der $evm_id
+
+    # a) import EVM encrypted key
+    cat /etc/keys/kmk | keyctl padd user kmk @u
+    keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
+    # OR
+    # b) import EVM trusted key
+    keyctl add trusted kmk "load `cat /etc/keys/kmk`" @u
     keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
-
-    # import IMA public key
-    ima_id=`keyctl newring _ima @u`
-    evmctl import /etc/keys/pubkey_evm.pem $ima_id
-
-    # import EVM public key
-    evm_id=`keyctl newring _evm @u`
-    evmctl import /etc/keys/pubkey_evm.pem $evm_id
 
     # enable EVM
     echo "1" > /sys/kernel/security/evm
 
+Optionally it is possible also to forbid adding, removing of new public keys
+and certificates into keyrings and revoking keys using 'keyctl setperm' command:
 
-Import X509 certificate into the kernel keyring (since kernel 3.9?)
-
-    $ evmctl -x import /etc/keys/x509_evm.der `keyctl search @u keyring _ima`
-    $ evmctl -x import /etc/keys/x509_evm.der `keyctl search @u keyring _evm`
+    # protect EVM keyring
+    keyctl setperm $evm_id 0x0b0b0000
+    # protect IMA keyring
+    keyctl setperm $ima_id 0x0b0b0000
+    # protecting IMA key from revoking (against DoS)
+    ima_key=`evmctl import /etc/keys/x509_ima.der $ima_id`
+    keyctl setperm $ima_key 0x0b0b0000
 
 
-Signing
+When using plain RSA public keys in PEM format, use 'evmctl import --rsa' for importing keys:
+
+    evmctl import --rsa /etc/keys/pubkey_evm.pem $evm_id
+
+Latest version of keyctl allows to import X509 public key certificates:
+
+    cat /etc/keys/x509_ima.der | keyctl padd asymmetric '' $ima_id
+
+
+FILES
+-----
+
+Examples of scripts to generate X509 public key certificates:
+
+ /usr/share/doc/ima-evm-utils/ima-genkey-self.sh
+ /usr/share/doc/ima-evm-utils/ima-genkey.sh
+ /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh
+
+
+AUTHOR
+------
+
+Written by Dmitry Kasatkin, <dmitry.kasatkin at gmail.com> and others.
+
+
+RESOURCES
+---------
+
+ http://sourceforge.net/p/linux-ima/wiki/Home
+ http://sourceforge.net/p/linux-ima/ima-evm-utils
+
+
+COPYING
 -------
 
-Default public key: /etc/keys/pubkey_evm.pem
-Default private key: /etc/keys/privkey_evm.pem
-Default X509 certificate: /etc/keys/x509_evm.der
-
-Signing for using X509 certificates is done using '-x' or '--x509' parameter.
-Signing for using new the EVM HMAC format is done using '-u' or '--uuid' parameter.
-
-Sign file with EVM signature and use hash value for IMA - common case
-
-    $ evmctl sign [-u] [-x] --imahash test.txt
-
-Sign file with both IMA and EVM signatures - for immutable files
-
-    $ evmctl sign [-u] [-x] --imasig test.txt
-
-Sign file with IMA signature - for immutable files
-
-    $ evmctl ima_sign [-x] test.txt
-
-Label whole filesystem with EVM signatures
-
-    $ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign [-u] [-x] --imahash '{}' \;
-
-Label filesystem in fix mode - kernel sets correct values to IMA and EVM xattrs
-
-    $ find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;
+Copyright \(C) 2012 - 2014 Linux Integrity Project. Free use of this software is granted under
+the terms of the GNU Public License (GPL).
 

autogen.sh

@@ -1,16 +1,4 @@
 #! /bin/sh
-
 set -e
 
-# new way
-# strange, but need this for Makefile.am, because it has -I m4
-test -d m4 || mkdir m4
-autoreconf -f -i
-
-# old way
-#libtoolize --automake --copy --force
-#aclocal
-#autoconf --force
-#autoheader --force
-#automake --add-missing --copy --force-missing --gnu
-
+autoreconf -i

build-static.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+gcc -static -o evmctl.static -include config.h src/evmctl.c src/libimaevm.c -lcrypto -lkeyutils -ldl
+

build.sh

@@ -0,0 +1,105 @@
+#!/bin/sh
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+
+set -e
+
+CC="${CC:-gcc}"
+CFLAGS="${CFLAGS:--Wformat -Werror=format-security -Werror=implicit-function-declaration -Werror=return-type -fno-common}"
+PREFIX="${PREFIX:-$HOME/ima-evm-utils-install}"
+
+export LD_LIBRARY_PATH="$PREFIX/lib64:$PREFIX/lib:/usr/local/lib64:/usr/local/lib"
+export PATH="$PREFIX/bin:/usr/local/bin:$PATH"
+
+title()
+{
+	echo "===== $1 ====="
+}
+
+log_exit()
+{
+	local ret="${3:-$?}"
+	local log="$1"
+	local msg="$2"
+	local prefix
+
+	echo "=== $log ==="
+	[ $ret -eq 0 ] || prefix="FAIL: "
+	cat $log
+	echo
+	echo "$prefix$msg, see output of $log above"
+	exit $ret
+}
+
+cd `dirname $0`
+
+case "$VARIANT" in
+	i386)
+		echo "32-bit compilation"
+		export CFLAGS="-m32 $CFLAGS" LDFLAGS="-m32 $LDFLAGS"
+		export PKG_CONFIG_LIBDIR=/usr/lib/i386-linux-gnu/pkgconfig
+		;;
+	cross-compile)
+		host="${CC%-gcc}"
+		export CROSS_COMPILE="${host}-"
+		host="--host=$host"
+		echo "cross compilation: $host"
+		echo "CROSS_COMPILE: '$CROSS_COMPILE'"
+		;;
+	*)
+		if [ "$VARIANT" ]; then
+			echo "Wrong VARIANT: '$VARIANT'" >&2
+			exit 1
+		fi
+		echo "native build"
+		;;
+esac
+
+title "compiler version"
+$CC --version
+echo "CFLAGS: '$CFLAGS'"
+echo "LDFLAGS: '$LDFLAGS'"
+echo "PREFIX: '$PREFIX'"
+
+title "configure"
+./autogen.sh
+./configure --prefix=$PREFIX $host || log_exit config.log "configure failed"
+
+title "make"
+make -j$(nproc)
+make install
+
+title "test"
+if [ "$VARIANT" = "cross-compile" ]; then
+	echo "skip make check on cross compilation"
+	exit 0
+fi
+
+ret=0
+VERBOSE=1 make check || ret=$?
+
+title "logs"
+if [ $ret -eq 0 ]; then
+	if [ -f tests/ima_hash.log ]; then
+		tail -3 tests/ima_hash.log
+		grep "skipped" tests/ima_hash.log  && \
+		   grep "skipped" tests/ima_hash.log | wc -l
+	fi
+	if [ -f tests/sign_verify.log ]; then
+		tail -3 tests/sign_verify.log
+		grep "skipped" tests/sign_verify.log  && \
+		   grep "skipped" tests/sign_verify.log | wc -l
+	fi
+	tail -20 tests/boot_aggregate.log
+	exit 0
+fi
+
+cat tests/test-suite.log
+
+if [ $ret -eq 77 ]; then
+	msg="WARN: some tests skipped"
+	ret=0
+else
+	msg="FAIL: tests exited: $ret"
+fi
+
+log_exit tests/test-suite.log "$msg" $ret

ci/alpine.sh

@@ -0,0 +1,50 @@
+#!/bin/sh
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+set -ex
+
+if [ -z "$CC" ]; then
+	echo "missing \$CC!" >&2
+	exit 1
+fi
+
+case "$TSS" in
+ibmtss) echo "No IBM TSS package, will be installed from git" >&2; TSS=;;
+tpm2-tss) TSS="tpm2-tss-dev";;
+'') echo "Missing TSS!" >&2; exit 1;;
+*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
+esac
+
+# ibmswtpm2 requires gcc
+[ "$CC" = "gcc" ] || CC="gcc $CC"
+
+apk update
+
+apk add \
+	$CC $TSS \
+	asciidoc \
+	attr \
+	attr-dev \
+	autoconf \
+	automake \
+	diffutils \
+	docbook-xml \
+	docbook-xsl \
+	keyutils-dev \
+	libtool \
+	libxslt \
+	linux-headers \
+	make \
+	musl-dev \
+	openssl \
+	openssl-dev \
+	pkgconfig \
+	procps \
+	sudo \
+	wget \
+	which \
+	xxd
+
+if [ ! "$TSS" ]; then
+	apk add git
+	../tests/install-tss.sh
+fi

ci/alt.sh

@@ -0,0 +1,27 @@
+#!/bin/sh -ex
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Install build env for ALT Linux
+
+apt-get update -y
+
+# rpm-build brings basic build environment with gcc, make, autotools, etc.
+apt-get install -y \
+		$CC \
+		$TSS \
+		asciidoc \
+		attr \
+		docbook-style-xsl \
+		gnutls-utils \
+		libattr-devel \
+		libkeyutils-devel \
+		libp11 \
+		libssl-devel \
+		openssl \
+		openssl-gost-engine \
+		rpm-build \
+		softhsm \
+		wget \
+		xsltproc \
+		xxd \
+	&& control openssl-gost enabled

ci/centos.sh

@@ -0,0 +1 @@
+fedora.sh

ci/debian.cross-compile.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+set -ex
+
+if [ -z "$ARCH" ]; then
+	echo "missing \$ARCH!" >&2
+	exit 1
+fi
+
+case "$ARCH" in
+arm64) gcc_arch="aarch64";;
+ppc64el) gcc_arch="powerpc64le";;
+s390x) gcc_arch="$ARCH";;
+*) echo "unsupported arch: '$ARCH'!" >&2; exit 1;;
+esac
+
+dpkg --add-architecture $ARCH
+apt update
+
+apt install -y --no-install-recommends \
+	dpkg-dev \
+	gcc-${gcc_arch}-linux-gnu \
+	libc6-dev-${ARCH}-cross

ci/debian.i386.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+set -ex
+
+dpkg --add-architecture i386
+apt update
+
+apt install -y --no-install-recommends \
+	linux-libc-dev:i386 \
+	gcc-multilib \
+	pkg-config:i386

ci/debian.sh

@@ -0,0 +1,55 @@
+#!/bin/sh
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+set -ex
+
+if [ -z "$CC" ]; then
+	echo "missing \$CC!" >&2
+	exit 1
+fi
+
+# debian.*.sh must be run first
+if [ "$ARCH" ]; then
+	ARCH=":$ARCH"
+	unset CC
+else
+	apt update
+fi
+
+# ibmswtpm2 requires gcc
+[ "$CC" = "gcc" ] || CC="gcc $CC"
+
+case "$TSS" in
+ibmtss) TSS="libtss-dev";;
+tpm2-tss) TSS="libtss2-dev";;
+'') echo "Missing TSS!" >&2; exit 1;;
+*) [ "$TSS" ] && echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
+esac
+
+apt="apt install -y --no-install-recommends"
+
+$apt \
+	$CC $TSS \
+	asciidoc \
+	attr \
+	autoconf \
+	automake \
+	diffutils \
+	debianutils \
+	docbook-xml \
+	docbook-xsl \
+	gzip \
+	libattr1-dev$ARCH \
+	libkeyutils-dev$ARCH \
+	libssl-dev$ARCH \
+	libtool \
+	make \
+	openssl \
+	pkg-config \
+	procps \
+	sudo \
+	wget \
+	xsltproc
+
+$apt xxd || $apt vim-common
+$apt libengine-gost-openssl1.1$ARCH || true
+$apt softhsm gnutls-bin libengine-pkcs11-openssl1.1$ARCH || true

ci/fedora.sh

@@ -0,0 +1,52 @@
+#!/bin/sh
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+set -e
+
+if [ -z "$CC" ]; then
+	echo "missing \$CC!" >&2
+	exit 1
+fi
+
+case "$TSS" in
+ibmtss) TSS="tss2-devel";;
+tpm2-tss) TSS="tpm2-tss-devel";;
+'') echo "Missing TSS!" >&2; exit 1;;
+*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
+esac
+
+# ibmswtpm2 requires gcc
+[ "$CC" = "gcc" ] || CC="gcc $CC"
+
+yum -y install \
+	$CC $TSS \
+	asciidoc \
+	attr \
+	autoconf \
+	automake \
+	diffutils \
+	docbook-xsl \
+	gnutls-utils \
+	gzip \
+	keyutils-libs-devel \
+	libattr-devel \
+	libtool \
+	libxslt \
+	make \
+	openssl \
+	openssl-devel \
+	openssl-pkcs11 \
+	pkg-config \
+	procps \
+	sudo \
+	vim-common \
+	wget \
+	which
+
+yum -y install docbook5-style-xsl || true
+yum -y install swtpm || true
+
+# SoftHSM is available via EPEL on CentOS
+if [ -f /etc/centos-release ]; then
+	yum -y install epel-release
+fi
+yum -y install softhsm || true

ci/opensuse.sh

@@ -0,0 +1 @@
+tumbleweed.sh

ci/tumbleweed.sh

@@ -0,0 +1,50 @@
+#!/bin/sh
+# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
+set -ex
+
+if [ -z "$CC" ]; then
+	echo "missing \$CC!" >&2
+	exit 1
+fi
+
+case "$TSS" in
+ibmtss) TSS="ibmtss-devel";;
+tpm2-tss) TSS="tpm2-0-tss-devel";;
+'') echo "Missing TSS!" >&2; exit 1;;
+*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
+esac
+
+# clang has some gcc dependency
+[ "$CC" = "gcc" ] || CC="gcc $CC"
+
+zypper --non-interactive install --force-resolution --no-recommends \
+	$CC $TSS \
+	asciidoc \
+	attr \
+	autoconf \
+	automake \
+	diffutils \
+	docbook_5 \
+	docbook5-xsl-stylesheets \
+	gzip \
+	ibmswtpm2 \
+	keyutils-devel \
+	libattr-devel \
+	libopenssl-devel \
+	libtool \
+	make \
+	openssl \
+	pkg-config \
+	procps \
+	sudo \
+	vim \
+	wget \
+	which \
+	xsltproc
+
+zypper --non-interactive install --force-resolution --no-recommends \
+	gnutls openssl-engine-libp11 softhsm || true
+
+if [ -f /usr/lib/ibmtss/tpm_server -a ! -e /usr/local/bin/tpm_server ]; then
+	ln -s /usr/lib/ibmtss/tpm_server /usr/local/bin
+fi

ci/ubuntu.sh

@@ -0,0 +1 @@
+debian.sh

configure.ac

@@ -1,12 +1,13 @@
 # autoconf script
 
 AC_PREREQ([2.65])
-AC_INIT(ima-evm-utils, 0.6, d.kasatkin@samsung.com)
-AM_INIT_AUTOMAKE(AC_PACKAGE_NAME, AC_PACKAGE_VERSION)
+AC_INIT(ima-evm-utils, 1.4, zohar@linux.ibm.com)
+AM_INIT_AUTOMAKE([foreign])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
- 
+
 AC_CANONICAL_HOST
+AC_USE_SYSTEM_EXTENSIONS
 
 # Checks for programs.
 AC_PROG_CC
@@ -24,15 +25,34 @@ LT_INIT
 # Checks for header files.
 AC_HEADER_STDC
 
-PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ])
-AC_SUBST(OPENSSL_CFLAGS)
-AC_SUBST(OPENSSL_LIBS)
+PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ])
+AC_SUBST(KERNEL_HEADERS)
 AC_CHECK_HEADER(unistd.h)
 AC_CHECK_HEADERS(openssl/conf.h)
 
-AC_CHECK_HEADERS(attr/xattr.h, , [AC_MSG_ERROR([attr/xattr.h header not found. You need the libattr development package.])])
+# Intel TSS
+AC_CHECK_LIB([tss2-esys], [Esys_Free])
+AC_CHECK_LIB([tss2-rc], [Tss2_RC_Decode])
+AM_CONDITIONAL([USE_PCRTSS], [test "x$ac_cv_lib_tss2_esys_Esys_Free" = "xyes"])
+
+# IBM TSS include files
+AC_CHECK_HEADER(ibmtss/tss.h, [], [], [[#define TPM_POSIX]])
+AM_CONDITIONAL([USE_IBMTSS], [test "x$ac_cv_header_ibmtss_tss_h" = "xyes"])
+
+AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])])
 AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])])
 
+AC_ARG_WITH(kernel_headers, [AS_HELP_STRING([--with-kernel-headers=PATH],
+	    [specifies the Linux kernel-headers package location or kernel root directory you want to use])],
+	    [KERNEL_HEADERS="$withval"],
+	    [KERNEL_HEADERS=/lib/modules/$(uname -r)/source])
+
+AC_ARG_ENABLE([openssl_conf],
+	      [AS_HELP_STRING([--disable-openssl-conf], [disable loading of openssl config by evmctl])],
+	      [if test "$enable_openssl_conf" = "no"; then
+		AC_DEFINE(DISABLE_OPENSSL_CONF, 1, [Define to disable loading of openssl config by evmctl.])
+	      fi], [enable_openssl_conf=yes])
+
 #debug support - yes for a while
 PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
 if test $pkg_cv_enable_debug = yes; then
@@ -41,6 +61,9 @@ else
 	CFLAGS="$CFLAGS -Wall -Wstrict-prototypes -pipe -fomit-frame-pointer"
 fi
 
+EVMCTL_MANPAGE_DOCBOOK_XSL
+AX_DEFAULT_HASH_ALGO([$KERNEL_HEADERS])
+
 # for gcov
 #CFLAGS="$CFLAGS -Wall -fprofile-arcs -ftest-coverage"
 #CXXFLAGS="$CXXFLAGS -Wall -fprofile-arcs -ftest-coverage"
@@ -49,14 +72,20 @@ fi
 
 AC_CONFIG_FILES([Makefile
 		src/Makefile
-		ima-evm-utils.spec
+		tests/Makefile
+		packaging/ima-evm-utils.spec
 		])
 AC_OUTPUT
 
 # Give some feedback
 echo
 echo
-echo	"Configuration:"		
-echo	"	debug:	$pkg_cv_enable_debug"
+echo	"Configuration:"
+echo	"          debug: $pkg_cv_enable_debug"
+echo	"   default-hash: $HASH_ALGO"
+echo	"   openssl-conf: $enable_openssl_conf"
+echo	"      tss2-esys: $ac_cv_lib_tss2_esys_Esys_Free"
+echo	" tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode"
+echo    "         ibmtss: $ac_cv_header_ibmtss_tss_h"
+echo	"            doc: $have_doc"
 echo
-

examples/ima-gen-local-ca.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+GENKEY=ima-local-ca.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+O = IMA-CA
+CN = IMA/EVM certificate signing key
+emailAddress = ca@ima-ca
+
+[ v3_ca ]
+basicConstraints=CA:TRUE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+# keyUsage = cRLSign, keyCertSign
+__EOF__
+
+openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+		-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
+
+openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
+

examples/ima-genkey-self.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+GENKEY=x509_evm.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+default_bits = 1024
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = `hostname`
+CN = `whoami` signing key
+emailAddress = `whoami`@`hostname`
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+__EOF__
+
+openssl req -x509 -new -nodes -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+		-outform DER -out x509_evm.der -keyout privkey_evm.pem
+
+openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
+

examples/ima-genkey.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+
+GENKEY=ima.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+default_bits = 1024
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_usr
+
+[ req_distinguished_name ]
+O = `hostname`
+CN = `whoami` signing key
+emailAddress = `whoami`@`hostname`
+
+[ v3_usr ]
+basicConstraints=critical,CA:FALSE
+#basicConstraints=CA:FALSE
+keyUsage=digitalSignature
+#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+#authorityKeyIdentifier=keyid,issuer
+__EOF__
+
+openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
+		-out csr_ima.pem -keyout privkey_ima.pem
+openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+		-CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
+		-outform DER -out x509_ima.der
+

m4/default-hash-algo.m4

@@ -0,0 +1,36 @@
+dnl Copyright (c) 2021 Bruno Meneguele <bmeneg@redhat.com>
+dnl Check hash algorithm availability in the kernel
+dnl
+dnl $1 - $KERNEL_HEADERS
+
+AC_DEFUN([AX_DEFAULT_HASH_ALGO], [
+	HASH_INFO_HEADER="$1/include/uapi/linux/hash_info.h"
+
+	AC_ARG_WITH([default_hash],
+		AS_HELP_STRING([--with-default-hash=ALGORITHM], [specifies the default hash algorithm to be used]),
+		[HASH_ALGO=$withval],
+		[HASH_ALGO=sha256])
+
+	AC_PROG_SED()
+	HASH_ALGO="$(echo $HASH_ALGO | $SED 's/\(.*\)/\L\1\E/')"
+
+	AC_CHECK_HEADER([$HASH_INFO_HEADER],
+		[HAVE_HASH_INFO_HEADER=yes],
+		[AC_MSG_WARN([$HASH_INFO_HEADER not found.])])
+
+	if test "x$HAVE_HASH_INFO_HEADER" = "x"; then
+		AC_MSG_RESULT([using $HASH_ALGO algorithm as default hash algorith])
+		AC_DEFINE_UNQUOTED(DEFAULT_HASH_ALGO, "$HASH_ALGO", [Define default hash algorithm])
+	else
+		AC_PROG_GREP()
+		$SED -n 's/HASH_ALGO_\(.*\),/\L\1\E/p' $HASH_INFO_HEADER | $GREP -w $HASH_ALGO > /dev/null
+		have_hash=$?
+
+		if test $have_hash -ne 0; then
+			AC_MSG_ERROR([$HASH_ALGO algorithm specified, but not provided by the kernel], 1)
+		else
+			AC_MSG_NOTICE([using $HASH_ALGO as default hash algorithm])
+			AC_DEFINE_UNQUOTED(DEFAULT_HASH_ALGO, "$HASH_ALGO", [Define default hash algorithm])
+		fi
+	fi
+])

m4/manpage-docbook-xsl.m4

@@ -0,0 +1,48 @@
+dnl Copyright (c) 2018-2020 Petr Vorel <pvorel@suse.cz>
+dnl Find docbook manpage stylesheet
+
+AC_DEFUN([EVMCTL_MANPAGE_DOCBOOK_XSL], [
+	DOCBOOK_XSL_URI="http://docbook.sourceforge.net/release/xsl/current"
+	DOCBOOK_XSL_PATH="manpages/docbook.xsl"
+
+	AC_PATH_PROGS(XMLCATALOG, xmlcatalog)
+	AC_ARG_WITH([xml-catalog],
+		AC_HELP_STRING([--with-xml-catalog=CATALOG],
+				[path to xml catalog to use]),,
+				[with_xml_catalog=/etc/xml/catalog])
+	XML_CATALOG_FILE="$with_xml_catalog"
+	AC_SUBST([XML_CATALOG_FILE])
+
+	if test "x${XMLCATALOG}" = "x"; then
+		AC_MSG_WARN([xmlcatalog not found, cannot search for $DOCBOOK_XSL_PATH])
+	else
+		AC_MSG_CHECKING([for XML catalog ($XML_CATALOG_FILE)])
+		if test -f "$XML_CATALOG_FILE"; then
+			have_xmlcatalog_file=yes
+			AC_MSG_RESULT([found])
+		else
+			AC_MSG_RESULT([not found, cannot search for $DOCBOOK_XSL_PATH])
+		fi
+	fi
+
+	if test "x${XMLCATALOG}" != "x" -a "x$have_xmlcatalog_file" = "xyes"; then
+		MANPAGE_DOCBOOK_XSL=$(${XMLCATALOG} ${XML_CATALOG_FILE} ${DOCBOOK_XSL_URI}/${DOCBOOK_XSL_PATH} | sed 's|^file:/\+|/|')
+	fi
+
+	if test "x${MANPAGE_DOCBOOK_XSL}" = "x"; then
+		MANPAGE_DOCBOOK_XSL="/usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl"
+		AC_MSG_WARN([trying a default path for $DOCBOOK_XSL_PATH])
+	fi
+
+	if test -f "$MANPAGE_DOCBOOK_XSL"; then
+		have_doc=yes
+		AC_MSG_NOTICE([using $MANPAGE_DOCBOOK_XSL for generating doc])
+	else
+		AC_MSG_WARN([$DOCBOOK_XSL_PATH not found, generating doc will be skipped])
+		MANPAGE_DOCBOOK_XSL=
+		have_doc=no
+	fi
+	AM_CONDITIONAL(MANPAGE_DOCBOOK_XSL, test "x$have_doc" = xyes)
+
+	AC_SUBST(MANPAGE_DOCBOOK_XSL)
+])

packaging/ima-evm-utils.spec

@@ -0,0 +1,52 @@
+Name:		ima-evm-utils
+Version:	1.4
+Release:	1%{?dist}
+Summary:	ima-evm-utils - IMA/EVM control utility
+Group:		System/Libraries
+License:	GPLv2
+#URL:		
+Source0:	%{name}-%{version}.tar.gz
+BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root
+
+BuildRequires:    autoconf
+BuildRequires:    automake
+BuildRequires:    openssl-devel
+BuildRequires:    keyutils-libs-devel
+
+%description
+This package provide IMA/EVM control utility
+
+%prep
+%setup -q
+
+%build
+./autogen.sh
+%configure --prefix=/usr
+make
+
+%install
+rm -rf %{buildroot}
+make DESTDIR=%{buildroot} install
+
+%clean
+rm -rf %{buildroot}
+
+%post
+/sbin/ldconfig
+exit 0
+
+%preun -p /sbin/ldconfig
+
+%postun
+/sbin/ldconfig
+
+%files
+%defattr(-,root,root,-)
+%{_bindir}/*
+%{_libdir}/libimaevm.*
+%{_includedir}/*
+
+%changelog
+* Thu Apr 05 2012 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
+- Initial RPM spec file
+

packaging/ima-evm-utils.spec.in

@@ -11,7 +11,6 @@ BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires:    autoconf
 BuildRequires:    automake
 BuildRequires:    openssl-devel
-BuildRequires:    libattr-devel
 BuildRequires:    keyutils-libs-devel
 
 %description
@@ -44,7 +43,8 @@ exit 0
 %files
 %defattr(-,root,root,-)
 %{_bindir}/*
-%{_libdir}/*
+%{_libdir}/libimaevm.*
+%{_includedir}/*
 
 %changelog
 * Thu Apr 05 2012 Dmitry Kasatkin <dmitry.kasatkin@intel.com>

src/.gitignore

@@ -0,0 +1,2 @@
+hash_info.h
+tmp_hash_info.h

src/Makefile.am

@@ -1,12 +1,45 @@
+lib_LTLIBRARIES = libimaevm.la
+
+libimaevm_la_SOURCES = libimaevm.c
+libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
+# current[:revision[:age]]
+# result: [current-age].age.revision
+libimaevm_la_LDFLAGS = -version-info 3:0:0
+libimaevm_la_LIBADD =  $(LIBCRYPTO_LIBS)
+
+include_HEADERS = imaevm.h
+
+nodist_libimaevm_la_SOURCES = hash_info.h
+BUILT_SOURCES = hash_info.h
+EXTRA_DIST = hash_info.gen
+hash_info.h: Makefile
+	$(srcdir)/hash_info.gen $(KERNEL_HEADERS) >$@
 
 bin_PROGRAMS = evmctl
 
-evmctl_SOURCES = evmctl.c
-evmctl_CPPFLAGS = $(OPENSSL_CFLAGS)
+evmctl_SOURCES = evmctl.c utils.c
+evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
 evmctl_LDFLAGS = $(LDFLAGS_READLINE)
-evmctl_LDADD =  $(OPENSSL_LIBS) -lkeyutils
+evmctl_LDADD =  $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la
 
-INCLUDES = -I$(top_srcdir) -include config.h
+# USE_PCRTSS uses the Intel TSS
+if USE_PCRTSS
+ evmctl_SOURCES += pcr_tss.c
 
+# USE_IBMTSS uses the IBM TSS
+else
+if USE_IBMTSS
+ evmctl_SOURCES += pcr_ibmtss.c
+ evmctl_LDADD += -libmtss
+
+# uses the IBM TSS command line utilities
+else
+ evmctl_SOURCES += pcr_tsspcrread.c
+
+endif
+endif
+
+AM_CPPFLAGS = -I$(top_srcdir) -include config.h
+
+CLEANFILES = hash_info.h tmp_hash_info.h
 DISTCLEANFILES = @DISTCLEANFILES@
-

src/hash_info.gen

@@ -0,0 +1,93 @@
+#!/bin/sh
+#
+# Generate hash_info.h from kernel headers
+#
+# Copyright (C) 2018 <vt@altlinux.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+KERNEL_HEADERS=$1
+HASH_INFO_H=uapi/linux/hash_info.h
+HASH_INFO=$KERNEL_HEADERS/include/$HASH_INFO_H
+
+TMPHASHINFO="./tmp_hash_info.h"
+gen_hashinfo() {
+cat << __EOF__ >$TMPHASHINFO
+/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
+/*
+ * Hash Info: Hash algorithms information
+ *
+ * Copyright (c) 2013 Dmitry Kasatkin <d.kasatkin@samsung.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ */
+
+enum hash_algo {
+	HASH_ALGO_MD4,
+	HASH_ALGO_MD5,
+	HASH_ALGO_SHA1,
+	HASH_ALGO_RIPE_MD_160,
+	HASH_ALGO_SHA256,
+	HASH_ALGO_SHA384,
+	HASH_ALGO_SHA512,
+	HASH_ALGO_SHA224,
+	HASH_ALGO_RIPE_MD_128,
+	HASH_ALGO_RIPE_MD_256,
+	HASH_ALGO_RIPE_MD_320,
+	HASH_ALGO_WP_256,
+	HASH_ALGO_WP_384,
+	HASH_ALGO_WP_512,
+	HASH_ALGO_TGR_128,
+	HASH_ALGO_TGR_160,
+	HASH_ALGO_TGR_192,
+	HASH_ALGO_SM3_256,
+	HASH_ALGO__LAST
+};
+__EOF__
+}
+
+# Allow to specify kernel-headers past include/
+if [ ! -e $HASH_INFO ]; then
+  HASH_INFO2=$KERNEL_HEADERS/$HASH_INFO_H
+  if [ -e $HASH_INFO2 ]; then
+    HASH_INFO=$HASH_INFO2
+  else
+    gen_hashinfo
+    HASH_INFO="$TMPHASHINFO"
+  fi
+fi
+
+if [ ! -e $HASH_INFO ]; then
+  echo "/* $HASH_INFO is not found */"
+  HASH_INFO=/dev/null
+else
+  echo "/* $HASH_INFO is found */"
+fi
+
+echo "enum hash_algo {"
+grep HASH_ALGO_.*, $HASH_INFO
+printf "\tHASH_ALGO__LAST\n"
+echo "};"
+
+echo "const char *const hash_algo_name[HASH_ALGO__LAST] = {"
+sed -n 's/HASH_ALGO_\(.*\),/\1 \L\1\E/p' $HASH_INFO | \
+  while read a b; do
+    # Normalize text hash name: sm3 algorithm name is different from
+    # the macro definition, which is also the only special case of an
+    # underscore between digits. Remove all other underscores.
+    b=$(echo "$b" | sed "s/sm3_256/sm3/g;s/_//g")
+    printf '\t%-26s = "%s",\n' "[HASH_ALGO_$a]" "$b"
+  done
+echo "};"

src/imaevm.h

@@ -0,0 +1,237 @@
+/*
+ * ima-evm-utils - IMA/EVM support utilities
+ *
+ * Copyright (C) 2011 Nokia Corporation
+ * Copyright (C) 2011,2012,2013 Intel Corporation
+ * Copyright (C) 2013,2014 Samsung Electronics
+ *
+ * Authors:
+ * Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
+ *                 <dmitry.kasatkin@intel.com>
+ *                 <d.kasatkin@samsung.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the GNU General Public License in all respects
+ * for all of the code used other than as permitted herein. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you do not
+ * wish to do so, delete this exception statement from your version. If you
+ * delete this exception statement from all source files in the program,
+ * then also delete it in the license file.
+ *
+ * File: imaevm.h
+ *	 IMA/EVM header file
+ */
+
+#ifndef _LIBIMAEVM_H
+#define _LIBIMAEVM_H
+
+#include <linux/fs.h>
+#include <stdint.h>
+#include <syslog.h>
+#include <stdbool.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <openssl/rsa.h>
+#include <openssl/engine.h>
+
+#ifdef USE_FPRINTF
+#define do_log(level, fmt, args...)	\
+	({ if (level <= imaevm_params.verbose) fprintf(stderr, fmt, ##args); })
+#define do_log_dump(level, p, len, cr)	\
+	({ if (level <= imaevm_params.verbose) imaevm_do_hexdump(stderr, p, len, cr); })
+#else
+#define do_log(level, fmt, args...)	syslog(level, fmt, ##args)
+#define do_log_dump(level, p, len, cr)
+#endif
+
+#ifdef DEBUG
+#define log_debug(fmt, args...)		do_log(LOG_DEBUG, "%s:%d " fmt, __func__ , __LINE__ , ##args)
+#define log_debug_dump(p, len)		do_log_dump(LOG_DEBUG, p, len, true)
+#define log_debug_dump_n(p, len)	do_log_dump(LOG_DEBUG, p, len, false)
+#else
+#define log_debug(fmt, args...)
+#define log_debug_dump(p, len)
+#endif
+
+#define log_dump(p, len)		do_log_dump(LOG_INFO, p, len, true)
+#define log_dump_n(p, len)		do_log_dump(LOG_INFO, p, len, false)
+#define log_info(fmt, args...)		do_log(LOG_INFO, fmt, ##args)
+#define log_err(fmt, args...)		do_log(LOG_ERR, fmt, ##args)
+#define log_errno(fmt, args...)		do_log(LOG_ERR, fmt ": errno: %s (%d)\n", ##args, strerror(errno), errno)
+
+#ifndef DEFAULT_HASH_ALGO
+#define DEFAULT_HASH_ALGO "sha256"
+#endif
+
+#define	DATA_SIZE	4096
+#define SHA1_HASH_LEN   20
+
+#define MAX_DIGEST_SIZE		64
+#define MAX_SIGNATURE_SIZE	1024
+
+#define __packed __attribute__((packed))
+
+enum evm_ima_xattr_type {
+	IMA_XATTR_DIGEST = 0x01,
+	EVM_XATTR_HMAC,
+	EVM_IMA_XATTR_DIGSIG,
+	IMA_XATTR_DIGEST_NG,
+	EVM_XATTR_PORTABLE_DIGSIG,
+};
+
+struct h_misc {
+	unsigned long ino;
+	uint32_t generation;
+	uid_t uid;
+	gid_t gid;
+	unsigned short mode;
+};
+
+struct h_misc_32 {
+	uint32_t ino;
+	uint32_t generation;
+	uid_t uid;
+	gid_t gid;
+	unsigned short mode;
+};
+
+struct h_misc_64 {
+	uint64_t ino;
+	uint32_t generation;
+	uid_t uid;
+	gid_t gid;
+	unsigned short mode;
+};
+
+struct h_misc_digsig {
+	uid_t uid;
+	gid_t gid;
+	unsigned short mode;
+};
+
+enum pubkey_algo {
+	PUBKEY_ALGO_RSA,
+	PUBKEY_ALGO_MAX,
+};
+
+enum digest_algo {
+	DIGEST_ALGO_SHA1,
+	DIGEST_ALGO_SHA256,
+	DIGEST_ALGO_MAX
+};
+
+enum digsig_version {
+	DIGSIG_VERSION_1 = 1,
+	DIGSIG_VERSION_2
+};
+
+struct pubkey_hdr {
+	uint8_t version;	/* key format version */
+	uint32_t timestamp;	/* key made, always 0 for now */
+	uint8_t algo;
+	uint8_t nmpi;
+	char mpi[0];
+} __packed;
+
+struct signature_hdr {
+	uint8_t version;	/* signature format version */
+	uint32_t timestamp;	/* signature made */
+	uint8_t algo;
+	uint8_t hash;
+	uint8_t keyid[8];
+	uint8_t nmpi;
+	char mpi[0];
+} __packed;
+
+/* reflect enum hash_algo from include/uapi/linux/hash_info.h */
+enum pkey_hash_algo {
+	PKEY_HASH_MD4,
+	PKEY_HASH_MD5,
+	PKEY_HASH_SHA1,
+	PKEY_HASH_RIPE_MD_160,
+	PKEY_HASH_SHA256,
+	PKEY_HASH_SHA384,
+	PKEY_HASH_SHA512,
+	PKEY_HASH_SHA224,
+	PKEY_HASH_RIPE_MD_128,
+	PKEY_HASH_RIPE_MD_256,
+	PKEY_HASH_RIPE_MD_320,
+	PKEY_HASH_WP_256,
+	PKEY_HASH_WP_384,
+	PKEY_HASH_WP_512,
+	PKEY_HASH_TGR_128,
+	PKEY_HASH_TGR_160,
+	PKEY_HASH_TGR_192,
+	PKEY_HASH_SM3_256,
+	PKEY_HASH_STREEBOG_256,
+	PKEY_HASH_STREEBOG_512,
+	PKEY_HASH__LAST
+};
+
+/*
+ * signature format v2 - for using with asymmetric keys
+ */
+struct signature_v2_hdr {
+	uint8_t version;	/* signature format version */
+	uint8_t	hash_algo;	/* Digest algorithm [enum pkey_hash_algo] */
+	uint32_t keyid;		/* IMA key identifier - not X509/PGP specific*/
+	uint16_t sig_size;	/* signature size */
+	uint8_t sig[0];		/* signature payload */
+} __packed;
+
+struct libimaevm_params {
+	int verbose;
+	int x509;
+	const char *hash_algo;
+	const char *keyfile;
+	const char *keypass;
+	uint32_t keyid;		/* keyid overriding value, unless 0. (Host order.) */
+	ENGINE *eng;
+};
+
+struct RSA_ASN1_template {
+	const uint8_t *data;
+	size_t size;
+};
+
+#define	NUM_PCRS 24
+#define DEFAULT_PCR 10
+
+extern struct libimaevm_params imaevm_params;
+
+void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr);
+void imaevm_hexdump(const void *ptr, int len);
+int ima_calc_hash(const char *file, uint8_t *hash);
+int imaevm_get_hash_algo(const char *algo);
+RSA *read_pub_key(const char *keyfile, int x509);
+EVP_PKEY *read_pub_pkey(const char *keyfile, int x509);
+
+void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len);
+void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey);
+int key2bin(RSA *key, unsigned char *pub);
+uint32_t imaevm_read_keyid(const char *certfile);
+
+int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig);
+int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen);
+int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen);
+void init_public_keys(const char *keyfiles);
+int imaevm_hash_algo_from_sig(unsigned char *sig);
+const char *imaevm_hash_algo_by_id(int algo);
+
+#endif

src/pcr.h

@@ -0,0 +1,3 @@
+int tpm2_pcr_supported(void);
+int tpm2_pcr_read(const char *algo_name, uint32_t pcr_handle, uint8_t *hwpcr,
+		 int len, char **errmsg);

src/pcr_ibmtss.c

@@ -0,0 +1,164 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Support PCR reading implementation based on IBM TSS2
+ *
+ * Copyright (C) 2021 IBM Ken Goldman <kgoldman@us.ibm.com>
+ */
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <openssl/sha.h>
+
+#define USE_FPRINTF
+#include "utils.h"
+#include "imaevm.h"
+
+#define TPM_POSIX	/* use Posix, not Windows constructs in TSS */
+#undef MAX_DIGEST_SIZE	/* imaevm uses a different value than the TSS */
+#include <ibmtss/tss.h>
+
+#define CMD "tsspcrread"
+
+static char path[PATH_MAX];
+
+int tpm2_pcr_supported(void)
+{
+	if (imaevm_params.verbose > LOG_INFO)
+		log_info("Using %s to read PCRs.\n", CMD);
+
+	if (get_cmd_path(CMD, path, sizeof(path))) {
+		log_debug("Couldn't find '%s' in $PATH\n", CMD);
+		return 0;
+	}
+
+	log_debug("Found '%s' in $PATH\n", CMD);
+	return 1;
+}
+
+/* Table mapping C strings to TCG algorithm identifiers */
+typedef struct tdAlgorithm_Map {
+	const char *algorithm_string;
+	TPMI_ALG_HASH algid;
+} Algorithm_Map;
+
+Algorithm_Map algorithm_map[] = {
+				 { "sha1", TPM_ALG_SHA1},
+				 { "sha256", TPM_ALG_SHA256},
+#if 0	/* uncomment as these digest algorithms are supported */
+				 { "", TPM_ALG_SHA384},
+				 { "", TPM_ALG_SHA512},
+				 { "", TPM_ALG_SM3_256},
+				 { "", TPM_ALG_SHA3_256},
+				 { "", TPM_ALG_SHA3_384},
+				 { "", TPM_ALG_SHA3_512},
+#endif
+};
+
+/*
+ * algorithm_string_to_algid() converts a digest algorithm from a C string to a
+ * TCG algorithm identifier as defined in the TCG Algorithm Regisrty..
+ *
+ *  Returns TPM_ALG_ERROR if the string has an unsupported value.
+ */
+static TPMI_ALG_HASH algorithm_string_to_algid(const char *algorithm_string)
+{
+	size_t 	i;
+
+	for (i=0 ; i < sizeof(algorithm_map)/sizeof(Algorithm_Map) ; i++) {
+		if (strcmp(algorithm_string, algorithm_map[i].algorithm_string)
+		    == 0) {
+			return algorithm_map[i].algid; 		/* if match */
+		}
+	}
+	return TPM_ALG_ERROR;
+}
+
+/*
+ * tpm2_pcr_read - read the PCR
+ *
+ * algo_name: PCR digest algorithm (the PCR bank) as a C string
+ * pcr_handle: PCR number to read
+ * hwpcr: buffer for the PCR output in binary
+ * len: allocated size of hwpcr and should match the digest algorithm
+ */
+int tpm2_pcr_read(const char *algo_name, uint32_t pcr_handle, uint8_t *hwpcr,
+		  int len, char **errmsg)
+{
+        int 			ret = 0;	/* function return code */
+	TPM_RC			rc = 0;		/* TCG return code */
+	TPM_RC 			rc1 = 0;	/* secondary return code */
+	PCR_Read_In 		pcr_read_in;	/* command input */
+	PCR_Read_Out 		pcr_read_out;	/* response output */
+	TSS_CONTEXT		*tss_context = NULL;
+	TPMI_ALG_HASH 		alg_id;		/* PCR algorithm */
+
+	alg_id = algorithm_string_to_algid(algo_name);
+	if (alg_id == TPM_ALG_ERROR) {
+		ret = asprintf(errmsg, "tpm2_pcr_read: unknown algorithm %s",
+			       algo_name);
+		if (ret == -1) 	/* the contents of errmsg is undefined */
+			*errmsg = NULL;
+		rc = 1;
+		goto end;
+	}
+
+	rc = TSS_Create(&tss_context);
+	if (rc != 0)
+		goto end;
+
+	/* call TSS to execute the command */
+	pcr_read_in.pcrSelectionIn.count = 1;
+	pcr_read_in.pcrSelectionIn.pcrSelections[0].hash = alg_id;
+	pcr_read_in.pcrSelectionIn.pcrSelections[0].sizeofSelect = 3;
+	pcr_read_in.pcrSelectionIn.pcrSelections[0].pcrSelect[0] = 0;
+	pcr_read_in.pcrSelectionIn.pcrSelections[0].pcrSelect[1] = 0;
+	pcr_read_in.pcrSelectionIn.pcrSelections[0].pcrSelect[2] = 0;
+	pcr_read_in.pcrSelectionIn.pcrSelections[0].pcrSelect[pcr_handle / 8] =
+		1 << (pcr_handle % 8);
+	rc = TSS_Execute(tss_context,
+			 (RESPONSE_PARAMETERS *)&pcr_read_out,
+			 (COMMAND_PARAMETERS *)&pcr_read_in,
+			 NULL,
+			 TPM_CC_PCR_Read,
+			 TPM_RH_NULL, NULL, 0);
+	if (rc != 0)
+		goto end;
+
+	/* nothing read, bank missing */
+	if (pcr_read_out.pcrValues.count == 0) {
+		ret = asprintf(errmsg, "tpm2_pcr_read: returned count 0 for %s",
+			       algo_name);
+		if (ret == -1) /* the contents of errmsg is undefined */
+			*errmsg = NULL;
+		rc = 1;
+		goto end;
+	}
+	/* len parameter did not match the digest algorithm */
+	else if (pcr_read_out.pcrValues.digests[0].t.size != len) {
+		ret = asprintf(errmsg,
+			       "tpm2_pcr_read: "
+			       "expected length %d actual %u for %s",
+			       len, pcr_read_out.pcrValues.digests[0].t.size,
+			       algo_name);
+		if (ret == -1)	/* the contents of errmsg is undefined */
+			*errmsg = NULL;
+		rc = 1;
+		goto end;
+	} else {
+		memcpy(hwpcr,
+		       pcr_read_out.pcrValues.digests[0].t.buffer,
+		       pcr_read_out.pcrValues.digests[0].t.size);
+	}
+end:
+	/* Call delete even on errors to free context resources */
+	rc1 = TSS_Delete(tss_context);
+
+	/* map TCG return code to function return code */
+	if ((rc == 0) && (rc1 == 0))
+		return 0;
+	else
+		return -1;
+}

src/pcr_tss.c

@@ -0,0 +1,192 @@
+/*
+ * ima-evm-utils - IMA/EVM support utilities
+ *
+ * Copyright (C) 2011 Nokia Corporation
+ * Copyright (C) 2011,2012,2013 Intel Corporation
+ * Copyright (C) 2013,2014 Samsung Electronics
+ *
+ * Authors:
+ * Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
+ *                 <dmitry.kasatkin@intel.com>
+ *                 <d.kasatkin@samsung.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the GNU General Public License in all respects
+ * for all of the code used other than as permitted herein. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you do not
+ * wish to do so, delete this exception statement from your version. If you
+ * delete this exception statement from all source files in the program,
+ * then also delete it in the license file.
+ *
+ * File: pcr_tss.c
+ *	 PCR reading implementation based on Intel TSS2
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/sha.h>
+
+#ifdef HAVE_LIBTSS2_ESYS
+# include <tss2/tss2_esys.h>
+
+# ifdef HAVE_LIBTSS2_RC
+#  include <tss2/tss2_rc.h>
+#  define LIB "tss2-rc-decode"
+# else
+#  define LIB "tss2-esys"
+# endif
+
+#endif /* HAVE_LIBTSS2_ESYS */
+
+#define USE_FPRINTF
+#include "imaevm.h"
+
+int tpm2_pcr_supported(void)
+{
+	if (imaevm_params.verbose > LOG_INFO)
+		log_info("Using %s to read PCRs.\n", LIB);
+
+	return 1;
+}
+
+static int pcr_selections_match(TPML_PCR_SELECTION *a, TPML_PCR_SELECTION *b)
+{
+	int i, j;
+
+	if (a->count != b->count)
+		return 0;
+
+	for (i = 0; i < a->count; i++) {
+		if (a->pcrSelections[i].hash != b->pcrSelections[i].hash)
+			return 0;
+		if (a->pcrSelections[i].sizeofSelect != b->pcrSelections[i].sizeofSelect)
+			return 0;
+		for (j = 0; j < a->pcrSelections[i].sizeofSelect; j++) {
+			if (a->pcrSelections[i].pcrSelect[j] != b->pcrSelections[i].pcrSelect[j])
+				return 0;
+		}
+	}
+
+	return 1;
+}
+
+static inline int tpm2_set_errmsg(char **errmsg, const char *message, TSS2_RC ret)
+{
+#ifdef HAVE_LIBTSS2_RC
+		return asprintf(errmsg, "%s: %s", message, Tss2_RC_Decode(ret));
+#else
+		return asprintf(errmsg, "%s: #%d", message, ret);
+#endif
+}
+
+static TPM2_ALG_ID algo_to_tss2(const char *algo_name)
+{
+	if (!strcmp(algo_name, "sha1"))
+		return TPM2_ALG_SHA1;
+	else if (!strcmp(algo_name, "sha256"))
+		return TPM2_ALG_SHA256;
+
+	return TPM2_ALG_ERROR;
+}
+
+int tpm2_pcr_read(const char *algo_name, uint32_t pcr_handle, uint8_t *hwpcr,
+		 int len, char **errmsg)
+{
+	TSS2_ABI_VERSION abi_version = {
+		.tssCreator = 1,
+		.tssFamily = 2,
+		.tssLevel = 1,
+		.tssVersion = 108,
+	};
+	ESYS_CONTEXT *ctx = NULL;
+	TSS2_RC ret = 0;
+	TPML_PCR_SELECTION *pcr_select_out;
+	TPML_DIGEST *pcr_digests;
+	UINT32 pcr_update_counter;
+
+	TPM2_ALG_ID algid = algo_to_tss2(algo_name);
+	if (algid == TPM2_ALG_ERROR) {
+		ret = asprintf(errmsg, "unsupported tss2 algorithm");
+		if (ret == -1)	/* the contents of errmsg are undefined */
+			*errmsg = NULL;
+		return -1;
+	}
+
+	TPML_PCR_SELECTION pcr_select_in = {
+		.count = 1,
+		.pcrSelections = {
+			{
+				.hash = algid,
+				.sizeofSelect = 3,
+				.pcrSelect = { 0x00, 0x00, 0x00 },
+			}
+		}
+	};
+
+	pcr_select_in.pcrSelections[0].pcrSelect[pcr_handle / 8] =
+	    (1 << (pcr_handle % 8));
+
+	ret = Esys_Initialize(&ctx, NULL, &abi_version);
+	if (ret != TPM2_RC_SUCCESS) {
+		ret = tpm2_set_errmsg(errmsg, "esys initialize failed", ret);
+		if (ret == -1)	/* the contents of errmsg are undefined */
+			*errmsg = NULL;
+		return -1;
+	}
+
+	ret = Esys_PCR_Read(ctx,
+			    ESYS_TR_NONE,
+			    ESYS_TR_NONE,
+			    ESYS_TR_NONE,
+			    &pcr_select_in,
+			    &pcr_update_counter,
+			    &pcr_select_out,
+			    &pcr_digests);
+	Esys_Finalize(&ctx);
+	if (ret != TPM2_RC_SUCCESS) {
+		ret = tpm2_set_errmsg(errmsg, "esys PCR reading failed", ret);
+		if (ret == -1)	/* the contents of errmsg is undefined */
+			*errmsg = NULL;
+		return -1;
+	}
+
+	if (!pcr_selections_match(&pcr_select_in, pcr_select_out)) {
+		Esys_Free(pcr_select_out);
+		Esys_Free(pcr_digests);
+
+		ret = asprintf(errmsg, "TPM returned incorrect PCRs");
+		if (ret == -1)	/* the contents of errmsg are undefined */
+			*errmsg = NULL;
+		return -1;
+	}
+	Esys_Free(pcr_select_out);
+
+	if (pcr_digests->count != 1 || pcr_digests->digests[0].size != len) {
+		Esys_Free(pcr_digests);
+		ret = asprintf(errmsg, "TPM returned incorrect digests");
+		if (ret == -1)	/* the contents of errmsg is undefined */
+			*errmsg = NULL;
+		return -1;
+	}
+
+	memcpy(hwpcr, pcr_digests->digests[0].buffer, len);
+	Esys_Free(pcr_digests);
+	return 0;
+}

src/pcr_tsspcrread.c

@@ -0,0 +1,111 @@
+/*
+ * ima-evm-utils - IMA/EVM support utilities
+ *
+ * Copyright (C) 2011 Nokia Corporation
+ * Copyright (C) 2011,2012,2013 Intel Corporation
+ * Copyright (C) 2013,2014 Samsung Electronics
+ *
+ * Authors:
+ * Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
+ *                 <dmitry.kasatkin@intel.com>
+ *                 <d.kasatkin@samsung.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the GNU General Public License in all respects
+ * for all of the code used other than as permitted herein. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you do not
+ * wish to do so, delete this exception statement from your version. If you
+ * delete this exception statement from all source files in the program,
+ * then also delete it in the license file.
+ *
+ * File: pcr_tsspcrread.c
+ *	 PCR reading implementation based on IBM TSS2
+ */
+
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <openssl/sha.h>
+
+#define USE_FPRINTF
+#include "utils.h"
+#include "imaevm.h"
+
+#define CMD "tsspcrread"
+
+static char path[PATH_MAX];
+
+int tpm2_pcr_supported(void)
+{
+	if (imaevm_params.verbose > LOG_INFO)
+		log_info("Using %s to read PCRs.\n", CMD);
+
+	if (get_cmd_path(CMD, path, sizeof(path))) {
+		log_debug("Couldn't find '%s' in $PATH\n", CMD);
+		return 0;
+	}
+
+	log_debug("Found '%s' in $PATH\n", CMD);
+	return 1;
+}
+
+int tpm2_pcr_read(const char *algo_name, uint32_t pcr_handle, uint8_t *hwpcr,
+		 int len, char **errmsg)
+{
+	FILE *fp;
+	char pcr[100];	/* may contain an error */
+	char cmd[PATH_MAX + 50];
+	int ret;
+
+	sprintf(cmd, "%s -halg %s -ha %u -ns 2> /dev/null",
+		path, algo_name, pcr_handle);
+	fp = popen(cmd, "r");
+	if (!fp) {
+		ret = asprintf(errmsg, "popen failed: %s", strerror(errno));
+		if (ret == -1)	/* the contents of errmsg is undefined */
+			*errmsg = NULL;
+		return -1;
+	}
+
+	if (fgets(pcr, sizeof(pcr), fp) == NULL) {
+		ret = asprintf(errmsg, "tsspcrread failed: %s",
+			       strerror(errno));
+		if (ret == -1)	/* the contents of errmsg is undefined */
+			*errmsg = NULL;
+		ret = pclose(fp);
+		return -1;
+	}
+
+	/* get the popen "cmd" return code */
+	ret = pclose(fp);
+
+	/* Treat an unallocated bank as an error */
+	if (!ret && (strlen(pcr) < SHA_DIGEST_LENGTH))
+		ret = -1;
+
+	if (!ret)
+		hex2bin(hwpcr, pcr, len);
+	else
+		*errmsg = strndup(pcr, strlen(pcr) - 1); /* remove newline */
+
+	return ret;
+}

src/utils.c

@@ -0,0 +1,115 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * utils: set of common functions
+ *
+ * Copyright (C) 2020 Patrick Uiterwijk <patrick@puiterwijk.org>
+ * Copyright (C) 2010 Cyril Hrubis <chrubis@suse.cz>
+ */
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include "utils.h"
+
+#ifndef MIN
+# define MIN(a, b) ({ \
+	typeof(a) _a = (a); \
+	typeof(b) _b = (b); \
+	_a < _b ? _a : _b; \
+})
+#endif /* MIN */
+
+static int file_exist(const char *path)
+{
+	struct stat st;
+
+	if (!access(path, R_OK) && !stat(path, &st) && S_ISREG(st.st_mode))
+		return 1;
+
+	return 0;
+}
+
+int get_cmd_path(const char *prog_name, char *buf, size_t buf_len)
+{
+	const char *path = (const char *)getenv("PATH");
+	const char *start = path;
+	const char *end;
+	size_t size, ret;
+
+	if (path == NULL)
+		return -1;
+
+	do {
+		end = strchr(start, ':');
+
+		if (end != NULL)
+			snprintf(buf, MIN(buf_len, (size_t) (end - start + 1)),
+				 "%s", start);
+		else
+			snprintf(buf, buf_len, "%s", start);
+
+		size = strlen(buf);
+
+		/*
+		 * "::" inside $PATH, $PATH ending with ':' or $PATH starting
+		 * with ':' should be expanded into current working directory.
+		 */
+		if (size == 0) {
+			snprintf(buf, buf_len, ".");
+			size = strlen(buf);
+		}
+
+		/*
+		 * If there is no '/' ad the end of path from $PATH add it.
+		 */
+		if (buf[size - 1] != '/')
+			ret =
+			    snprintf(buf + size, buf_len - size, "/%s",
+				     prog_name);
+		else
+			ret =
+			    snprintf(buf + size, buf_len - size, "%s",
+				     prog_name);
+
+		if (buf_len - size > ret && file_exist(buf))
+			return 0;
+
+		if (end != NULL)
+			start = end + 1;
+
+	} while (end != NULL);
+
+	return -1;
+}
+
+int hex_to_bin(char ch)
+{
+	if ((ch >= '0') && (ch <= '9'))
+		return ch - '0';
+	ch = tolower(ch);
+	if ((ch >= 'a') && (ch <= 'f'))
+		return ch - 'a' + 10;
+	return -1;
+}
+
+int hex2bin(void *dst, const char *src, size_t count)
+{
+	int hi, lo;
+
+	while (count--) {
+		if (*src == ' ')
+			src++;
+
+		hi = hex_to_bin(*src++);
+		lo = hex_to_bin(*src++);
+
+		if ((hi < 0) || (lo < 0))
+			return -1;
+
+		*(uint8_t *)dst++ = (hi << 4) | lo;
+	}
+	return 0;
+}

src/utils.h

@@ -0,0 +1,6 @@
+#include <ctype.h>
+#include <sys/types.h>
+
+int get_cmd_path(const char *prog_name, char *buf, size_t buf_len);
+int hex_to_bin(char ch);
+int hex2bin(void *dst, const char *src, size_t count);

tests/.gitignore

@@ -0,0 +1,16 @@
+# Generated by test driver
+*.log
+*.trs
+
+# Generated by tests
+*.txt
+*.out
+*.sig
+*.sig2
+
+# Generated certs and keys (by gen-keys.sh)
+*.cer
+*.pub
+*.key
+*.conf
+

tests/Makefile.am

@@ -0,0 +1,12 @@
+check_SCRIPTS =
+TESTS = $(check_SCRIPTS)
+
+check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test
+
+clean-local:
+	-rm -f *.txt *.out *.sig *.sig2
+
+distclean: distclean-keys
+.PHONY: distclean-keys
+distclean-keys:
+	./gen-keys.sh clean

tests/boot_aggregate.test

@@ -0,0 +1,197 @@
+#!/bin/bash
+
+#
+# Calculate the boot_aggregate for each TPM bank, verifying that the
+# boot_aggregate in the IMA measurement list matches one of them.
+#
+# A software TPM may be used to verify the boot_aggregate.  If a
+# software TPM is not already running on the system, this test
+# starts one and initializes the TPM PCR banks by walking the sample
+# binary_bios_measurements event log, included in this directory, and
+# extending the TPM PCRs.  The associated ascii_runtime_measurements
+# for verifying the calculated boot_aggregate is included in this
+# directory as well.
+
+trap cleanup SIGINT SIGTERM EXIT
+
+# Base VERBOSE on the environment variable, if set.
+VERBOSE="${VERBOSE:-0}"
+
+cd "$(dirname "$0")"
+export PATH=../src:$PATH
+export LD_LIBRARY_PATH=$LD_LIBRARY_PATH
+. ./functions.sh
+_require evmctl
+TSSDIR="$(dirname -- "$(which tssstartup)")"
+PCRFILE="/sys/class/tpm/tpm0/device/pcrs"
+MISC_PCRFILE="/sys/class/misc/tpm0/device/pcrs"
+
+# Only stop this test's software TPM
+cleanup() {
+	if [ -n "${SWTPM_PID}" ]; then
+		kill -SIGTERM "${SWTPM_PID}"
+	elif [ -n "${TPMSERVER_PID}" ]; then
+		"${TSSDIR}/tsstpmcmd" -stop
+	fi
+}
+
+# Try to start a software TPM if needed.
+swtpm_start() {
+	local tpm_server swtpm
+
+	tpm_server="$(which tpm_server)"
+	swtpm="$(which swtpm)"
+	if [ -z "${tpm_server}" ] && [ -z "${swtpm}" ]; then
+		echo "${CYAN}SKIP: Software TPM (tpm_server and swtpm) not found${NORM}"
+		return "$SKIP"
+	fi
+
+	if [ -n "${swtpm}" ]; then
+		pgrep swtpm
+		if [ $? -eq 0 ]; then
+			echo "INFO: Software TPM (swtpm) already running"
+			return 114
+		else
+			echo "INFO: Starting software TPM: ${swtpm}"
+			mkdir -p ./myvtpm
+			${swtpm} socket --tpmstate dir=./myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init > /dev/null 2>&1 &
+			SWTPM_PID=$!
+		fi
+	elif [ -n "${tpm_server}" ]; then
+		# tpm_server uses the Microsoft simulator encapsulated packet format
+		export TPM_SERVER_TYPE="mssim"
+		pgrep tpm_server
+		if [ $? -eq 0 ]; then
+			echo "INFO: Software TPM (tpm_server) already running"
+			return 114
+		else
+			echo "INFO: Starting software TPM: ${tpm_server}"
+			${tpm_server} > /dev/null 2>&1 &
+			TPMSERVER_PID=$!
+		fi
+	fi
+	return 0
+}
+
+# Initialize the software TPM using the sample binary_bios_measurements log.
+swtpm_init() {
+	if [ ! -f "${TSSDIR}/tssstartup" ] || [ ! -f "${TSSDIR}/tsseventextend" ]; then
+		echo "${CYAN}SKIP: tssstartup and tsseventextend needed for test${NORM}"
+		return "$SKIP"
+	fi
+
+	echo "INFO: Sending software TPM startup"
+	"${TSSDIR}/tssstartup"
+	if [ $? -ne 0 ]; then
+		echo "INFO: Retry sending software TPM startup"
+		sleep 1
+		"${TSSDIR}/tssstartup"
+	fi
+
+	if [ $? -ne 0 ]; then
+		echo "INFO: Software TPM startup failed"
+		return "$SKIP"
+	fi
+
+	echo "INFO: Walking ${BINARY_BIOS_MEASUREMENTS} initializing the software TPM"
+#	$(${TSSDIR}/tsseventextend -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v) 2>&1 > /dev/null
+	"${TSSDIR}/tsseventextend" -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v > /dev/null 2>&1
+}
+
+# In VERBOSE mode, display the calculated TPM PCRs for the different banks.
+display_pcrs() {
+	local PCRMAX=9
+	local banks=("sha1" "sha256")
+	local i;
+
+	for bank in "${banks[@]}"; do
+		echo "INFO: Displaying ${bank} TPM bank (PCRs 0 - 9)"
+		for i in $(seq 0 $PCRMAX); do
+			rc=0
+			pcr=$("${TSSDIR}/tsspcrread" -halg "${bank}" -ha "${i}" -ns)
+			if [ $rc -ne 0 ]; then
+				echo "INFO: tsspcrread failed: $pcr"
+				break
+			fi
+			echo "$i: $pcr"
+		done
+	done
+}
+
+# The first entry in the IMA measurement list is the "boot_aggregate".
+# For each kexec, an additional "boot_aggregate" will appear in the
+# measurement list, assuming the previous measurement list is carried
+# across the kexec.
+#
+# Verify that the last "boot_aggregate" record in the IMA measurement
+# list matches.
+check() {
+	echo "INFO: Calculating the boot_aggregate (PCRs 0 - 9) for multiple banks"
+	bootaggr=$(evmctl ima_boot_aggregate)
+	if [ $? -ne 0 ]; then
+		echo "${CYAN}SKIP: evmctl ima_boot_aggregate: $bootaggr${NORM}"
+		exit "$SKIP"
+	fi
+
+	boot_aggr=( $bootaggr )
+
+	echo "INFO: Searching for the boot_aggregate in ${ASCII_RUNTIME_MEASUREMENTS}"
+	for hash in "${boot_aggr[@]}"; do
+		if [ "$VERBOSE" != "0" ]; then
+			echo "$hash"
+		fi
+		if grep -e " boot_aggregate$" -e " boot_aggregate.$" "${ASCII_RUNTIME_MEASUREMENTS}" | tail -n 1 | grep -q "${hash}"; then
+			echo "${GREEN}SUCCESS: boot_aggregate ${hash} found${NORM}"
+			return "$OK"
+		fi
+	done
+	echo "${RED}FAILURE: boot_aggregate not found${NORM}"
+	echo "$bootaggr"
+	return "$FAIL"
+}
+
+if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]; then
+	ASCII_RUNTIME_MEASUREMENTS="/sys/kernel/security/ima/ascii_runtime_measurements"
+	if [ ! -d "/sys/kernel/security/ima" ]; then
+		echo "${CYAN}SKIP: CONFIG_IMA not enabled${NORM}"
+		exit "$SKIP"
+	fi
+else
+	BINARY_BIOS_MEASUREMENTS="./sample-binary_bios_measurements-pcrs-8-9"
+	ASCII_RUNTIME_MEASUREMENTS="./sample-ascii_runtime_measurements-pcrs-8-9"
+	export TPM_INTERFACE_TYPE="socsim"
+	export TPM_COMMAND_PORT=2321
+	export TPM_PLATFORM_PORT=2322
+	export TPM_SERVER_NAME="localhost"
+
+	# swtpm uses the raw, unencapsulated packet format
+	export TPM_SERVER_TYPE="raw"
+fi
+
+# Start and initialize a software TPM as needed
+if [ "$(id -u)" != 0 ] || [ ! -c "/dev/tpm0" ]; then
+	if [ -f "$PCRFILE" ] || [ -f "$MISC_PCRFILE" ]; then
+		echo "${CYAN}SKIP: system has discrete TPM 1.2, sample TPM 2.0 event log test not supported.${NORM}"
+		exit "$SKIP"
+	fi
+
+	swtpm_start
+	error=$?
+	if [ $error -eq "$SKIP" ]; then
+		echo "skip: swtpm not installed"
+		exit "$SKIP"
+	fi
+
+	if [ $error -eq 0 ]; then
+		swtpm_init
+		if [ $? -eq "$SKIP" ]; then
+			echo "testing boot_aggregate without entries"
+			exit "$SKIP"
+		fi
+	fi
+	if [ "$VERBOSE" != "0" ]; then
+		display_pcrs
+	fi
+fi
+
+expect_pass check

tests/functions.sh

@@ -0,0 +1,315 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# ima-evm-utils tests bash functions
+#
+# Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# Tests accounting
+declare -i testspass=0 testsfail=0 testsskip=0
+
+# Exit codes (compatible with automake)
+declare -r OK=0
+declare -r FAIL=1
+declare -r HARDFAIL=99 # hard failure no matter testing mode
+declare -r SKIP=77
+
+# You can set env VERBOSE=1 to see more output from evmctl
+VERBOSE=${VERBOSE:-0}
+V=vvvv
+V=${V:0:$VERBOSE}
+V=${V:+-$V}
+
+# Exit if env FAILEARLY is defined.
+# Used in expect_{pass,fail}.
+exit_early() {
+  if [ "$FAILEARLY" ]; then
+    exit "$1"
+  fi
+}
+
+# Require particular executables to be present
+_require() {
+  ret=
+  for i; do
+    if ! type $i; then
+      echo "$i is required for test"
+      ret=1
+    fi
+  done
+  [ $ret ] && exit "$HARDFAIL"
+}
+
+# Non-TTY output is never colored
+if [ -t 1 ]; then
+     RED=$'\e[1;31m'
+   GREEN=$'\e[1;32m'
+  YELLOW=$'\e[1;33m'
+    BLUE=$'\e[1;34m'
+    CYAN=$'\e[1;36m'
+    NORM=$'\e[m'
+  export RED GREEN YELLOW BLUE CYAN NORM
+fi
+
+# Test mode determined by TFAIL variable:
+#   undefined: to success testing
+#   defined: failure testing
+TFAIL=
+TMODE=+ # mode character to prepend running command in log
+declare -i TNESTED=0 # just for sanity checking
+
+# Run positive test (one that should pass) and account its result
+expect_pass() {
+  local -i ret
+
+  if [ $TNESTED -gt 0 ]; then
+    echo $RED"expect_pass should not be run nested"$NORM
+    testsfail+=1
+    exit "$HARDFAIL"
+  fi
+  TFAIL=
+  TMODE=+
+  TNESTED+=1
+  [ "$VERBOSE" -gt 1 ] && echo "____ START positive test: $*"
+  "$@"
+  ret=$?
+  [ "$VERBOSE" -gt 1 ] && echo "^^^^ STOP ($ret) positive test: $*"
+  TNESTED+=-1
+  case $ret in
+    0)  testspass+=1 ;;
+    77) testsskip+=1 ;;
+    99) testsfail+=1; exit_early 1 ;;
+    *)  testsfail+=1; exit_early 2 ;;
+  esac
+  return $ret
+}
+
+# Eval negative test (one that should fail) and account its result
+expect_fail() {
+  local ret
+
+  if [ $TNESTED -gt 0 ]; then
+    echo $RED"expect_fail should not be run nested"$NORM
+    testsfail+=1
+    exit "$HARDFAIL"
+  fi
+
+  TFAIL=yes
+  TMODE=-
+  TNESTED+=1
+  [ "$VERBOSE" -gt 1 ] && echo "____ START negative test: $*"
+  "$@"
+  ret=$?
+  [ "$VERBOSE" -gt 1 ] && echo "^^^^ STOP ($ret) negative test: $*"
+  TNESTED+=-1
+  case $ret in
+    0)  testsfail+=1; exit_early 3 ;;
+    77) testsskip+=1 ;;
+    99) testsfail+=1; exit_early 4 ;;
+    *)  testspass+=1 ;;
+  esac
+  # Restore defaults (as in positive tests)
+  # for tests to run without wrappers
+  TFAIL=
+  TMODE=+
+  return $ret
+}
+
+# return true if current test is positive
+_test_expected_to_pass() {
+  [ ! $TFAIL ]
+}
+
+# return true if current test is negative
+_test_expected_to_fail() {
+  [ $TFAIL ]
+}
+
+# Show blank line and color following text to red
+# if it's real error (ie we are in expect_pass mode).
+color_red_on_failure() {
+  if _test_expected_to_pass; then
+    echo "$RED"
+    COLOR_RESTORE=true
+  fi
+}
+
+# For hard errors
+color_red() {
+  echo "$RED"
+  COLOR_RESTORE=true
+}
+
+color_restore() {
+  [ $COLOR_RESTORE ] && echo "$NORM"
+  COLOR_RESTORE=
+}
+
+ADD_DEL=
+ADD_TEXT_FOR=
+# _evmctl_run should be run as `_evmctl_run ... || return'
+_evmctl_run() {
+  local op=$1 out=$1-$$.out
+  local text_for=${FOR:+for $ADD_TEXT_FOR}
+  # Additional parameters:
+  # ADD_DEL: additional files to rm on failure
+  # ADD_TEXT_FOR: append to text as 'for $ADD_TEXT_FOR'
+
+  cmd="evmctl $V $EVMCTL_ENGINE $*"
+  echo $YELLOW$TMODE "$cmd"$NORM
+  $cmd >"$out" 2>&1
+  ret=$?
+
+  # Shell special and signal exit codes (except 255)
+  if [ $ret -ge 126 ] && [ $ret -lt 255 ]; then
+    color_red
+    echo "evmctl $op failed hard with ($ret) $text_for"
+    sed 's/^/  /' "$out"
+    color_restore
+    rm "$out" $ADD_DEL
+    ADD_DEL=
+    ADD_TEXT_FOR=
+    return "$HARDFAIL"
+  elif [ $ret -gt 0 ]; then
+    color_red_on_failure
+    echo "evmctl $op failed" ${TFAIL:+properly} "with ($ret) $text_for"
+    # Show evmctl output only in verbose mode or if real failure.
+    if _test_expected_to_pass || [ "$VERBOSE" ]; then
+      sed 's/^/  /' "$out"
+    fi
+    color_restore
+    rm "$out" $ADD_DEL
+    ADD_DEL=
+    ADD_TEXT_FOR=
+    return "$FAIL"
+  elif _test_expected_to_fail; then
+    color_red
+    echo "evmctl $op wrongly succeeded $text_for"
+    sed 's/^/  /' "$out"
+    color_restore
+  else
+    [ "$VERBOSE" ] && sed 's/^/  /' "$out"
+  fi
+  rm "$out"
+  ADD_DEL=
+  ADD_TEXT_FOR=
+  return "$OK"
+}
+
+# Extract xattr $attr from $file into $out file skipping $pref'ix
+_extract_xattr() {
+  local file=$1 attr=$2 out=$3 pref=$4
+
+  getfattr -n "$attr" -e hex "$file" \
+    | grep "^$attr=" \
+    | sed "s/^$attr=$pref//" \
+    | xxd -r -p > "$out"
+}
+
+# Test if xattr $attr in $file matches $prefix
+# Show error and fail otherwise.
+_test_xattr() {
+  local file=$1 attr=$2 prefix=$3
+  local text_for=${ADD_TEXT_FOR:+ for $ADD_TEXT_FOR}
+
+  if ! getfattr -n "$attr" -e hex "$file" | egrep -qx "$attr=$prefix"; then
+    color_red_on_failure
+    echo "Did not find expected hash$text_for:"
+    echo "    $attr=$prefix"
+    echo ""
+    echo "Actual output below:"
+    getfattr -n "$attr" -e hex "$file" | sed 's/^/    /'
+    color_restore
+    rm "$file"
+    ADD_TEXT_FOR=
+    return "$FAIL"
+  fi
+  ADD_TEXT_FOR=
+}
+
+# Try to enable gost-engine if needed.
+_enable_gost_engine() {
+  # Do not enable if it's already working (enabled by user)
+  if ! openssl md_gost12_256 /dev/null >/dev/null 2>&1 \
+    && openssl engine gost >/dev/null 2>&1; then
+    export EVMCTL_ENGINE="--engine gost"
+    export OPENSSL_ENGINE="-engine gost"
+  fi
+}
+
+# Show test stats and exit into automake test system
+# with proper exit code (same as ours). Do cleanups.
+_report_exit_and_cleanup() {
+  if [ -n "${WORKDIR}" ]; then
+    rm -rf "${WORKDIR}"
+  fi
+
+  if [ $testsfail -gt 0 ]; then
+    echo "================================="
+    echo " Run with FAILEARLY=1 $0 $*"
+    echo " To stop after first failure"
+    echo "================================="
+  fi
+  [ $testspass -gt 0 ] && echo -n "$GREEN" || echo -n "$NORM"
+  echo -n "PASS: $testspass"
+  [ $testsskip -gt 0 ] && echo -n "$YELLOW" || echo -n "$NORM"
+  echo -n " SKIP: $testsskip"
+  [ $testsfail -gt 0 ] && echo -n "$RED" || echo -n "$NORM"
+  echo " FAIL: $testsfail"
+  echo "$NORM"
+  if [ $testsfail -gt 0 ]; then
+    exit "$FAIL"
+  elif [ $testspass -gt 0 ]; then
+    exit "$OK"
+  else
+    exit "$SKIP"
+  fi
+}
+
+# Setup SoftHSM for local testing by calling the softhsm_setup script.
+# Use the provided workdir as the directory where SoftHSM will store its state
+# into.
+# Upon successfully setting up SoftHSM, this function sets the global variables
+# OPENSSL_ENGINE and OPENSSL_KEYFORM so that the openssl command line tool can
+# use SoftHSM. Also the PKCS11_KEYURI global variable is set to the test key's
+# pkcs11 URI.
+_softhsm_setup() {
+  local workdir="$1"
+
+  local msg
+
+  export SOFTHSM_SETUP_CONFIGDIR="${workdir}/softhsm"
+  export SOFTHSM2_CONF="${workdir}/softhsm/softhsm2.conf"
+
+  mkdir -p "${SOFTHSM_SETUP_CONFIGDIR}"
+
+  msg=$(./softhsm_setup setup 2>&1)
+  if [ $? -eq 0 ]; then
+    echo "softhsm_setup setup succeeded: $msg"
+    PKCS11_KEYURI=$(echo $msg | sed -n 's|^keyuri: \(.*\)|\1|p')
+
+    export EVMCTL_ENGINE="--engine pkcs11"
+    export OPENSSL_ENGINE="-engine pkcs11"
+    export OPENSSL_KEYFORM="-keyform engine"
+  else
+    echo "softhsm_setup setup failed: ${msg}"
+  fi
+}
+
+# Tear down the SoftHSM setup and clean up the environment
+_softhsm_teardown() {
+  ./softhsm_setup teardown &>/dev/null
+  rm -rf "${SOFTHSM_SETUP_CONFIGDIR}"
+  unset SOFTHSM_SETUP_CONFIGDIR SOFTHSM2_CONF PKCS11_KEYURI \
+    EVMCTL_ENGINE OPENSSL_ENGINE OPENSSL_KEYFORM
+}

tests/gen-keys.sh

@@ -0,0 +1,161 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Generate keys for the tests
+#
+# Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+cd "$(dirname "$0")" || exit 1
+PATH=../src:$PATH
+type openssl
+
+log() {
+  echo >&2 - "$*"
+  eval "$@"
+}
+
+if [ "$1" = clean ]; then
+  rm -f test-ca.conf
+elif [ "$1" = force ] || [ ! -e test-ca.conf ] \
+	|| [ gen-keys.sh -nt test-ca.conf ]; then
+cat > test-ca.conf <<- EOF
+	[ req ]
+	distinguished_name = req_distinguished_name
+	prompt = no
+	string_mask = utf8only
+	x509_extensions = v3_ca
+
+	[ req_distinguished_name ]
+	O = IMA-CA
+	CN = IMA/EVM certificate signing key
+	emailAddress = ca@ima-ca
+
+	[ v3_ca ]
+	basicConstraints=CA:TRUE
+	subjectKeyIdentifier=hash
+	authorityKeyIdentifier=keyid:always,issuer
+
+	[ skid ]
+	basicConstraints=CA:TRUE
+	subjectKeyIdentifier=12345678
+	authorityKeyIdentifier=keyid:always,issuer
+EOF
+fi
+
+# RSA
+# Second key will be used for wrong key tests.
+for m in 1024 1024_skid 2048; do
+  if [ "$1" = clean ] || [ "$1" = force ] \
+	  || [ gen-keys.sh -nt test-rsa$m.key ]; then
+    rm -f test-rsa$m.cer test-rsa$m.key test-rsa$m.pub
+  fi
+  if [ "$1" = clean ]; then
+    continue
+  fi
+  if [ -z "${m%%*_*}" ]; then
+    # Add named extension.
+    bits=${m%_*}
+    ext="-extensions ${m#*_}"
+  else
+    bits=$m
+    ext=
+  fi
+  if [ ! -e test-rsa$m.key ]; then
+    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 $ext \
+      -config test-ca.conf \
+      -newkey rsa:$bits \
+      -out test-rsa$m.cer -outform DER \
+      -keyout test-rsa$m.key
+    # for v1 signatures
+    log openssl pkey -in test-rsa$m.key -out test-rsa$m.pub -pubout
+    if [ $m = 1024_skid ]; then
+      # Create combined key+cert.
+      log openssl x509 -inform DER -in test-rsa$m.cer >> test-rsa$m.key
+    fi
+  fi
+done
+
+for curve in prime192v1 prime256v1; do
+  if [ "$1" = clean ] || [ "$1" = force ]; then
+    rm -f test-$curve.cer test-$curve.key test-$curve.pub
+  fi
+  if [ "$1" = clean ]; then
+    continue
+  fi
+  if [ ! -e test-$curve.key ]; then
+    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
+      -config test-ca.conf \
+      -newkey ec \
+      -pkeyopt ec_paramgen_curve:$curve \
+      -out test-$curve.cer -outform DER \
+      -keyout test-$curve.key
+    if [ -s test-$curve.key ]; then
+      log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
+    fi
+  fi
+done
+
+# EC-RDSA
+for m in \
+  gost2012_256:A \
+  gost2012_256:B \
+  gost2012_256:C \
+  gost2012_512:A \
+  gost2012_512:B; do
+    IFS=':' read -r algo param <<< "$m"
+    if [ "$1" = clean ] || [ "$1" = force ]; then
+      rm -f "test-$algo-$param.key" "test-$algo-$param.cer" "test-$algo-$param.pub"
+    fi
+    if [ "$1" = clean ]; then
+      continue
+    fi
+    [ -e "test-$algo-$param.key" ] && continue
+    log openssl req -nodes -x509 -utf8 -days 10000 -batch \
+      -config test-ca.conf \
+      -newkey "$algo" \
+      -pkeyopt "paramset:$param" \
+      -out    "test-$algo-$param.cer" -outform DER \
+      -keyout "test-$algo-$param.key"
+    if [ -s "test-$algo-$param.key" ]; then
+      log openssl pkey -in "test-$algo-$param.key" -out "test-$algo-$param.pub" -pubout
+    fi
+done
+
+# SM2, If openssl 3.0 is installed, gen SM2 keys using
+if [ -x /opt/openssl3/bin/openssl ]; then
+  (PATH=/opt/openssl3/bin:$PATH LD_LIBRARY_PATH=/opt/openssl3/lib
+  for curve in sm2; do
+    if [ "$1" = clean ] || [ "$1" = force ]; then
+      rm -f test-$curve.cer test-$curve.key test-$curve.pub
+    fi
+    if [ "$1" = clean ]; then
+      continue
+    fi
+    if [ ! -e test-$curve.key ]; then
+      log openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 \
+        -sm3 -sigopt "distid:1234567812345678" \
+        -config test-ca.conf \
+        -copy_extensions copyall \
+        -newkey $curve \
+        -out test-$curve.cer -outform DER \
+        -keyout test-$curve.key
+      if [ -s test-$curve.key ]; then
+        log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
+      fi
+    fi
+  done)
+fi
+
+# This script leaves test-ca.conf, *.cer, *.pub, *.key files for sing/verify tests.
+# They are never deleted except by `make distclean'.
+

tests/ima_hash.test

@@ -0,0 +1,79 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# evmctl ima_hash tests
+#
+# Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+cd "$(dirname "$0")" || exit 1
+PATH=../src:$PATH
+source ./functions.sh
+_require evmctl openssl getfattr
+
+trap _report_exit_and_cleanup EXIT
+set -f # disable globbing
+
+check() {
+  local alg=$1 prefix=$2 chash=$3 hash
+  local file=$alg-hash.txt
+
+  rm -f "$file"
+  touch "$file"
+  # Generate hash with openssl, if it failed skip test,
+  # unless it's negative test, then pass to evmctl
+  cmd="openssl dgst $OPENSSL_ENGINE -$alg $file"
+  echo - "$cmd"
+  hash=$(set -o pipefail; $cmd 2>/dev/null | cut -d' ' -f2)
+  if [ $? -ne 0 ] && _test_expected_to_pass; then
+    echo "${CYAN}$alg test is skipped$NORM"
+    rm "$file"
+    return "$SKIP"
+  fi
+  if [ "$chash" ] && [ "$chash" != "$hash" ]; then
+    color_red
+    echo "Invalid hash for $alg from openssl"
+    echo "Expected: $chash"
+    echo "Returned: $hash"
+    color_restore
+    rm "$file"
+    return "$HARDFAIL"
+  fi
+
+  ADD_TEXT_FOR=$alg ADD_DEL=$file \
+    _evmctl_run ima_hash --hashalgo "$alg" --xattr-user "$file" || return
+  ADD_TEXT_FOR=$alg \
+    _test_xattr "$file" user.ima "$prefix$hash" || return
+  rm "$file"
+  return "$OK"
+}
+
+# check args: algo hdr-prefix canonic-hash
+expect_pass check  md4        0x01 31d6cfe0d16ae931b73c59d7e0c089c0
+expect_pass check  md5        0x01 d41d8cd98f00b204e9800998ecf8427e
+expect_pass check  sha1       0x01 da39a3ee5e6b4b0d3255bfef95601890afd80709
+expect_fail check  SHA1       0x01 # uppercase
+expect_fail check  sha512-224 0x01 # valid for pkcs1
+expect_fail check  sha512-256 0x01 # valid for pkcs1
+expect_fail check  unknown    0x01 # nonexistent
+expect_pass check  sha224     0x0407 d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f
+expect_pass check  sha256     0x0404 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+expect_pass check  sha384     0x0405 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b
+expect_pass check  sha512     0x0406 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
+expect_pass check  rmd160     0x0403 9c1185a5c5e9fc54612808977ee8f548b2258d31
+expect_pass check  sm3        0x0411 1ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035eb5082aa2b
+_enable_gost_engine
+expect_pass check  md_gost12_256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
+expect_pass check  streebog256   0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
+expect_pass check  md_gost12_512 0x0413 8e945da209aa869f0455928529bcae4679e9873ab707b55315f56ceb98bef0a7362f715528356ee83cda5f2aac4c6ad2ba3a715c1bcd81cb8e9f90bf4c1c1a8a
+expect_pass check  streebog512   0x0413 8e945da209aa869f0455928529bcae4679e9873ab707b55315f56ceb98bef0a7362f715528356ee83cda5f2aac4c6ad2ba3a715c1bcd81cb8e9f90bf4c1c1a8a
+

tests/install-openssl3.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -ex
+
+if [ -z "$COMPILE_SSL" ]; then
+    echo "Missing \$COMPILE_SSL!" >&2
+    exit 1
+fi
+
+version=${COMPILE_SSL}
+
+wget --no-check-certificate https://github.com/openssl/openssl/archive/refs/tags/${version}.tar.gz
+tar --no-same-owner -xzf ${version}.tar.gz
+cd openssl-${version}
+
+./Configure --prefix=/opt/openssl3 --openssldir=/opt/openssl3/ssl
+make -j$(nproc)
+# only install apps and library
+sudo make install_sw
+
+cd ..
+rm -rf ${version}.tar.gz
+rm -rf openssl-${version}

tests/install-swtpm.sh

@@ -0,0 +1,21 @@
+#!/bin/sh -ex
+
+# No need to run via sudo if we already have permissions.
+# Also, some distros do not have sudo configured for root:
+#   `root is not in the sudoers file.  This incident will be reported.'
+if [ -w /usr/local/bin ]; then
+	SUDO=
+else
+	SUDO=sudo
+fi
+
+version=1637
+
+wget --no-check-certificate https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${version}.tar.gz/download
+mkdir ibmtpm$version
+cd ibmtpm$version
+tar --no-same-owner -xvzf ../download
+cd src
+make -j$(nproc)
+$SUDO cp tpm_server /usr/local/bin/
+cd ../..

tests/install-tss.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -ex
+git clone https://git.code.sf.net/p/ibmtpm20tss/tss
+cd tss
+autoreconf -i && ./configure --disable-tpm-1.2 --disable-hwtpm && make -j$(nproc) && sudo make install
+cd ..
+rm -rf tss

tests/sample-ascii_runtime_measurements-pcrs-8-9

@@ -0,0 +1 @@
+10 2e03b3fdb0014fc8bae2a07ca33ae67125b290f3 ima-ng sha256:83d19723ef3b3c05bb8ae70d86b3886c158f2408f1b71ed265886a7b79eb700e boot_aggregate

tests/sample-tpm-2.0-pcrs-8-9

@@ -0,0 +1,25 @@
+pcrread: tsspcrread -halg sha1
+0: 92c1850372e9493929aa9a2e9ea953e21ff1be45
+1: 41c54039ca2750ea60d8ab7c48b142b10aba5667
+2: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
+3: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
+4: 4c1a19aad90f770956ff5ee00334a2d548b1a350
+5: a1444a8a9904666165730168b3ae489447d3cef7
+6: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
+7: 5c6327a67ff36f138e0b7bb1d2eafbf8a6e52ebf
+8: fed489d2e5f9f85136e5ff53553d5f8b978dbe1a
+9: a2fa191f2622bb014702013bfebfca9fe210d9e5
+10: 3134641a3e8a1f5f75fa850bb21c3104d6ab863b
+11: 0000000000000000000000000000000000000000
+12: 0000000000000000000000000000000000000000
+13: 0000000000000000000000000000000000000000
+14: 71161a5707051fa7d6f584d812240b2e80f61942
+15: 0000000000000000000000000000000000000000
+16: 0000000000000000000000000000000000000000
+17: ffffffffffffffffffffffffffffffffffffffff
+18: ffffffffffffffffffffffffffffffffffffffff
+19: ffffffffffffffffffffffffffffffffffffffff
+20: ffffffffffffffffffffffffffffffffffffffff
+21: ffffffffffffffffffffffffffffffffffffffff
+22: ffffffffffffffffffffffffffffffffffffffff
+23: 0000000000000000000000000000000000000000

tests/sign_verify.test

@@ -0,0 +1,439 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# evmctl {,ima_}{sign,verify} tests
+#
+# Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+cd "$(dirname "$0")" || exit 1
+PATH=../src:$PATH
+source ./functions.sh
+
+_require cmp evmctl getfattr openssl xxd
+
+if cmp -b 2>&1 | grep -q "invalid option"; then
+	echo "cmp does not support -b (cmp from busybox?) Use cmp from diffutils"
+	exit "$HARDFAIL"
+fi
+
+./gen-keys.sh >/dev/null 2>&1
+
+trap _report_exit_and_cleanup EXIT
+WORKDIR=$(mktemp -d)
+set -f # disable globbing
+
+# Determine keyid from a cert
+_keyid_from_cert() {
+  local cer=${1%.*}.cer cmd
+  local tmp
+
+  cer=test-${cer#test-}
+  # shellcheck disable=SC2086
+  cmd="openssl x509 $OPENSSL_ENGINE \
+          -in $cer -inform DER -pubkey -noout"
+  id=$($cmd 2>/dev/null \
+    | openssl asn1parse \
+    | grep BIT.STRING \
+    | tail -n1 \
+    | cut -d: -f1)
+  if [ -z "$id" ]; then
+    echo - "$cmd" >&2
+    echo "Cannot asn1parse $cer to determine keyid" >&2
+    exit 1
+  fi
+  tmp=$(mktemp)
+  # shellcheck disable=SC2086
+  openssl x509 $OPENSSL_ENGINE \
+      -in "$cer" -inform DER -pubkey -noout 2>/dev/null \
+    | openssl asn1parse -strparse "$id" -out "$tmp" -noout
+  # shellcheck disable=SC2002
+  cat "$tmp" \
+    | openssl dgst -c -sha1 \
+    | cut -d' ' -f2 \
+    | grep -o ":..:..:..:..$" \
+    | tr -d :
+  rm -f "$tmp"
+}
+
+# Convert test $type into evmctl op prefix
+_op() {
+  if [ "$1" = ima ]; then
+    echo ima_
+  fi
+}
+
+# Convert test $type into xattr name
+_xattr() {
+  if [ "$1" = ima ]; then
+    echo user.ima
+  else
+    echo user.evm
+  fi
+}
+
+# Check that detached signature matches xattr signature
+_test_sigfile() {
+  local file=$1 attr=$2 file_sig=$3 file_sig2=$4
+
+  if [ ! -e "$file_sig" ]; then
+    color_red
+    echo "evmctl ima_sign: no detached signature $file_sig"
+    color_restore
+    rm "$file"
+    return "$FAIL"
+  fi
+
+  _extract_xattr "$file" "$attr" "$file_sig2"
+  if ! cmp -bl "$file_sig" "$file_sig2"; then
+    color_red
+    echo "evmctl ima_sign: xattr signature on $file differ from detached $file_sig"
+    color_restore
+    rm "$file" "$file_sig" "$file_sig2"
+    return "$FAIL"
+  fi
+
+  # Leave '$file_sig' for ima_verify --sigfile test.
+  rm "$file_sig2"
+}
+
+# Run single sign command
+_evmctl_sign() {
+  local type=$1 key=$2 alg=$3 file=$4 opts=$5
+
+  # Can check --sigfile for ima_sign
+  [ "$type" = ima ] && opts+=" --sigfile"
+
+  # shellcheck disable=SC2086
+  ADD_TEXT_FOR="$alg ($key)" ADD_DEL=$file \
+    _evmctl_run "$(_op "$type")sign" $opts \
+    --hashalgo "$alg" --key "$key" --xattr-user "$file" || return
+
+  if [ "$type" = ima ]; then
+    _test_sigfile "$file" "$(_xattr "$type")" "$file.sig" "$file.sig2"
+  fi
+}
+
+# Run and test {ima_,}sign operation
+check_sign() {
+  # Arguments are passed via global vars:
+  # TYPE (ima or evm),
+  # KEY,
+  # ALG (hash algo),
+  # PREFIX (signature header prefix in hex),
+  # OPTS (additional options for evmctl),
+  # FILE (working file to sign).
+  local "$@"
+  local key verifykey
+  local FILE=${FILE:-$ALG.txt}
+
+  # Normalize key filename if it's not a pkcs11 URI
+  if [ ${KEY:0:7} != pkcs11: ]; then
+    key=${KEY%.*}.key
+    key=test-${key#test-}
+  else
+    key=${KEY}
+  fi
+
+  # Append suffix to files for negative tests, because we may
+  # leave only good files for verify tests.
+  _test_expected_to_fail && FILE+='~'
+
+  rm -f $FILE
+  if ! touch $FILE; then
+    color_red
+    echo "Can't create test file: $FILE"
+    color_restore
+    return "$HARDFAIL"
+  fi
+
+  if _test_expected_to_pass; then
+    # Can openssl work with this digest?
+    cmd="openssl dgst $OPENSSL_ENGINE $OPENSSL_KEYFORM -$ALG $FILE"
+    echo - "$cmd"
+    if ! $cmd >/dev/null; then
+      echo "${CYAN}$ALG ($key) test is skipped (openssl is unable to digest)$NORM"
+      return "$SKIP"
+    fi
+
+    if [ "${key:0:7}" != pkcs11: ] && [ ! -e "$key" ]; then
+      echo "${CYAN}$ALG ($key) test is skipped (key file not found)$NORM"
+      return "$SKIP"
+    fi
+
+    # Can openssl sign with this digest and key?
+    cmd="openssl dgst $OPENSSL_ENGINE $OPENSSL_KEYFORM -$ALG -sign $key -hex $FILE"
+    echo - "$cmd"
+    if ! $cmd >/dev/null; then
+      echo "${CYAN}$ALG ($key) test is skipped (openssl is unable to sign)$NORM"
+      return "$SKIP"
+    fi
+  fi
+
+  # Insert keyid from cert into PREFIX in-place of marker `:K:'
+  if [[ $PREFIX =~ :K: ]]; then
+    keyid=$(_keyid_from_cert "$key")
+    if [ $? -ne 0 ]; then
+      color_red
+      echo "Unable to determine keyid for $key"
+      color_restore
+      return "$HARDFAIL"
+    fi
+    [ "$VERBOSE" -gt 2 ] && echo "  Expected keyid: $keyid"
+    PREFIX=${PREFIX/:K:/$keyid}
+  fi
+
+  # Perform signing by evmctl
+  _evmctl_sign "$TYPE" "$key" "$ALG" "$FILE" "$OPTS" || return
+
+  # First simple pattern match the signature.
+  ADD_TEXT_FOR=$ALG \
+    _test_xattr "$FILE" "$(_xattr "$TYPE")" "$PREFIX.*" || return
+
+  # This is all we can do for v1 signatures.
+  [[ "$OPTS" =~ --rsa ]] && return "$OK"
+
+  # This is all we can do for evm.
+  [[ "$TYPE" =~ evm ]] && return "$OK"
+
+  # When using the SM2/3 algorithm, the openssl tool uses USERID for verify,
+  # which is incompatible with calling API directly, so skip it.
+  [[ "$ALG" == sm3 ]] && return "$OK"
+
+  # Extract signature to a file
+  _extract_xattr "$FILE" "$(_xattr "$TYPE")" "$FILE.sig2" "$PREFIX"
+
+  # Verify extracted signature with openssl
+  if [ "${key:0:7}" != pkcs11: ]; then
+      verifykey=${key%.*}.pub
+  else
+      verifykey=${key}
+  fi
+
+  cmd="openssl dgst $OPENSSL_ENGINE $OPENSSL_KEYFORM -$ALG -verify ${verifykey} \
+	-signature $FILE.sig2 $FILE"
+  echo - "$cmd"
+  if ! $cmd; then
+    color_red_on_failure
+    echo "Signature v2 verification with openssl is failed."
+    color_restore
+    rm "$FILE.sig2"
+    return "$FAIL"
+  fi
+
+  rm "$FILE.sig2"
+  return "$OK"
+}
+
+# Test verify operation
+check_verify() {
+  # Arguments are passed via global vars:
+  # TYPE (ima or evm),
+  # KEY,
+  # ALG (hash algo),
+  # OPTS (additional options for evmctl),
+  # FILE (filename to verify).
+  local "$@"
+
+  # shellcheck disable=SC2086
+  if ! openssl dgst $OPENSSL_ENGINE -"$ALG" /dev/null >/dev/null 2>&1; then
+    echo $CYAN"$ALG ($KEY) test is skipped (openssl does not support $ALG)"$NORM
+    return $SKIP
+  fi
+
+  # shellcheck disable=SC2086
+  ADD_TEXT_FOR="$FILE ($KEY)" \
+    _evmctl_run "$(_op "$TYPE")verify" --key "$KEY" --xattr-user $OPTS "$FILE"
+}
+
+# Test runners
+
+# Perform sign and verify ima and evm testing
+sign_verify() {
+  local key=$1 alg=$2 prefix="$3" opts="$4"
+  local file=$alg.txt
+
+  # Set defaults:
+  # Public key is different for v1 and v2 (where x509 cert is used).
+  if [[ $opts =~ --rsa ]]; then
+    KEY=test-$key.pub
+  else
+    KEY=test-$key.cer
+  fi
+  ALG=$alg
+  PREFIX=$prefix
+  OPTS=$opts
+  FILE=$file
+
+  TYPE=ima
+  if expect_pass check_sign; then
+
+    # Normal verify with proper key should pass
+    expect_pass check_verify
+    expect_pass check_verify OPTS="--sigfile"
+
+    # Multiple files and some don't verify
+    expect_fail check_verify FILE="/dev/null $file"
+
+    rm "$FILE.sig"
+  fi
+
+  TYPE=evm
+  # Avoid running blkid for evm tests which may require root
+  # No generation on overlayfs:
+  # ioctl(3, FS_IOC_GETVERSION, 0x7ffd8e0bd628) = -1 ENOTTY (Inappropriate ioctl for device)
+  OPTS="$opts --uuid --generation 0"
+  if expect_pass check_sign; then
+
+    # Normal verify with proper key
+    expect_pass check_verify
+
+    # Verify with wrong key
+    expect_fail check_verify KEY=rsa2048
+  fi
+
+  # Note: Leaving TYPE=evm and file is evm signed
+}
+
+# Test --keys
+try_different_keys() {
+  # This run after sign_verify which leaves
+  # TYPE=evm and file is evm signed
+
+  # v2 signing can work with multiple keys in --key option
+  if [[ ! $OPTS =~ --rsa ]]; then
+
+    # Have correct key in the key list
+    expect_pass check_verify KEY="test-rsa2048.cer,$KEY"
+    expect_pass check_verify KEY="/dev/null,$KEY,"
+  fi
+
+  # Try key that is not used for signing
+  expect_fail check_verify KEY=rsa2048
+
+  # Try completely wrong key files
+  expect_fail check_verify KEY=/dev/null
+  expect_fail check_verify KEY=/dev/zero
+}
+
+try_different_sigs() {
+  # TYPE=evm and file is evm signed
+
+  # Test --imasig
+  if expect_pass check_sign OPTS="$OPTS --imasig"; then
+
+    # Verify both evm and ima sigs
+    expect_pass check_verify
+    expect_pass check_verify TYPE=ima
+  fi
+
+  # Test --imahash
+  if expect_pass check_sign OPTS="$OPTS --imahash"; then
+
+    expect_pass check_verify
+
+    # IMA hash is not verifiable by ima_verify
+    expect_fail check_verify TYPE=ima
+  fi
+
+  # Test --portable (only supported for V2 signatures)
+  if expect_pass check_sign OPTS="$OPTS --portable --imahash" PREFIX=0x05; then
+     if [[ "$OPTS" =~ --rsa ]]; then
+        expect_fail check_verify
+     else
+        expect_pass check_verify
+     fi
+  fi
+
+  # Test -i (immutable)
+  expect_pass check_sign OPTS="$OPTS -i" PREFIX=0x0303
+  # Cannot be verified for now
+}
+
+# Single test args: type key hash signature-prefix "evmctl-options"
+# sign_verify args:      key hash signature-prefix "evmctl-options"
+# Only single test can be prefixed with expect_{fail,pass}
+# `sign_verify' can not be prefixed with expect_{fail,pass} because
+# it runs multiple tests inside. See more tests there.
+# signature-prefix can contain `:K:' which will be resolved to keyid (v2 only)
+
+## Test v1 signatures
+# Signature v1 only supports sha1 and sha256 so any other should fail
+expect_fail \
+  check_sign TYPE=ima KEY=rsa1024 ALG=md5 PREFIX=0x0301 OPTS=--rsa
+
+sign_verify  rsa1024  sha1    0x0301 --rsa
+sign_verify  rsa1024  sha256  0x0301 --rsa
+  try_different_keys
+  try_different_sigs
+
+## Test v2 signatures with RSA PKCS#1
+# List of allowed hashes much greater but not all are supported.
+sign_verify  rsa1024  md5     0x030201:K:0080
+sign_verify  rsa1024  sha1    0x030202:K:0080
+sign_verify  rsa1024  sha224  0x030207:K:0080
+expect_pass check_sign TYPE=ima KEY=rsa1024 ALG=sha256 PREFIX=0x030204aabbccdd0080 OPTS=--keyid=aabbccdd
+expect_pass check_sign TYPE=ima KEY=rsa1024 ALG=sha256 PREFIX=0x030204:K:0080 OPTS=--keyid-from-cert=test-rsa1024.cer
+expect_pass check_sign TYPE=ima KEY=rsa1024_skid ALG=sha256 PREFIX=0x030204123456780080
+sign_verify  rsa1024  sha256  0x030204:K:0080
+  try_different_keys
+  try_different_sigs
+sign_verify  rsa1024  sha384  0x030205:K:0080
+sign_verify  rsa1024  sha512  0x030206:K:0080
+sign_verify  rsa1024  rmd160  0x030203:K:0080
+
+# Test v2 signatures with ECDSA
+# Signature length is typically 0x34-0x38 bytes long, very rarely 0x33
+sign_verify  prime192v1 sha1   0x030202:K:003[345678]
+sign_verify  prime192v1 sha224 0x030207:K:003[345678]
+sign_verify  prime192v1 sha256 0x030204:K:003[345678]
+sign_verify  prime192v1 sha384 0x030205:K:003[345678]
+sign_verify  prime192v1 sha512 0x030206:K:003[345678]
+
+# Signature length is typically 0x44-0x48 bytes long, very rarely 0x43
+sign_verify  prime256v1 sha1   0x030202:K:004[345678]
+sign_verify  prime256v1 sha224 0x030207:K:004[345678]
+sign_verify  prime256v1 sha256 0x030204:K:004[345678]
+sign_verify  prime256v1 sha384 0x030205:K:004[345678]
+sign_verify  prime256v1 sha512 0x030206:K:004[345678]
+
+# If openssl 3.0 is installed, test the SM2/3 algorithm combination
+if [ -x /opt/openssl3/bin/openssl ]; then
+  PATH=/opt/openssl3/bin:$PATH LD_LIBRARY_PATH=/opt/openssl3/lib \
+    sign_verify  sm2    sm3    0x030211:K:004[345678]
+fi
+
+# Test v2 signatures with EC-RDSA
+_enable_gost_engine
+sign_verify  gost2012_256-A md_gost12_256 0x030212:K:0040
+sign_verify  gost2012_256-B md_gost12_256 0x030212:K:0040
+sign_verify  gost2012_256-C md_gost12_256 0x030212:K:0040
+sign_verify  gost2012_512-A md_gost12_512 0x030213:K:0080
+sign_verify  gost2012_512-B md_gost12_512 0x030213:K:0080
+# Test if signing with wrong key length does not work.
+expect_fail \
+  check_sign TYPE=ima KEY=gost2012_512-B ALG=md_gost12_256 PREFIX=0x0302 OPTS=
+expect_fail \
+  check_sign TYPE=ima KEY=gost2012_256-B ALG=md_gost12_512 PREFIX=0x0302 OPTS=
+
+# Test signing with key described by pkcs11 URI
+_softhsm_setup "${WORKDIR}"
+if [ -n "${PKCS11_KEYURI}" ]; then
+  expect_pass check_sign FILE=pkcs11test TYPE=ima KEY=${PKCS11_KEYURI} ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS=--keyid=aabbccdd
+  expect_pass check_sign FILE=pkcs11test TYPE=ima KEY=${PKCS11_KEYURI} ALG=sha1   PREFIX=0x030202aabbccdd0100 OPTS=--keyid=aabbccdd
+else
+  # to have a constant number of tests, skip these two tests
+  __skip() { echo "pkcs11 test is skipped: could not setup softhsm"; return $SKIP; }
+  expect_pass __skip
+  expect_pass __skip
+fi
+_softhsm_teardown "${WORKDIR}"

tests/softhsm_setup

@@ -0,0 +1,293 @@
+#!/usr/bin/env bash
+
+# SPDX-License-Identifier: GPL-2.0 and BSD-3-clause
+# This program originates from 'swtpm' project (https://github.com/stefanberger/swtpm/)
+
+if [ -z "$(type -P p11tool)" ]; then
+	echo "Need p11tool from gnutls"
+	exit 77
+fi
+
+if [ -z "$(type -P softhsm2-util)" ]; then
+	echo "Need softhsm2-util from softhsm2 package"
+	exit 77
+fi
+
+MAJOR=$(softhsm2-util -v | cut -d '.' -f1)
+MINOR=$(softhsm2-util -v | cut -d '.' -f2)
+if [ ${MAJOR} -lt 2 ] || [ ${MAJOR} -eq 2 -a ${MINOR} -lt 2 ]; then
+	echo "Need softhsm v2.2.0 or later"
+	exit 77
+fi
+
+NAME=swtpm-test
+PIN=${PIN:-1234}
+SO_PIN=${SO_PIN:-1234}
+SOFTHSM_SETUP_CONFIGDIR=${SOFTHSM_SETUP_CONFIGDIR:-~/.config/softhsm2}
+export SOFTHSM2_CONF=${SOFTHSM_SETUP_CONFIGDIR}/softhsm2.conf
+
+UNAME_S="$(uname -s)"
+
+case "${UNAME_S}" in
+Darwin)
+	msg=$(sudo -v -n)
+	if [ $? -ne 0 ]; then
+		echo "Need password-less sudo rights on OS X to change /etc/gnutls/pkcs11.conf"
+		exit 1
+	fi
+	;;
+esac
+
+teardown_softhsm() {
+	local configdir=${SOFTHSM_SETUP_CONFIGDIR}
+	local configfile=${SOFTHSM2_CONF}
+	local bakconfigfile=${configfile}.bak
+	local tokendir=${configdir}/tokens
+
+	softhsm2-util --token "${NAME}" --delete-token &>/dev/null
+
+	case "${UNAME_S}" in
+	Darwin*)
+		if [ -f /etc/gnutls/pkcs11.conf.bak ]; then
+			sudo rm -f /etc/gnutls/pkcs11.conf
+			sudo mv /etc/gnutls/pkcs11.conf.bak \
+			   /etc/gnutls/pkcs11.conf &>/dev/null
+		fi
+		;;
+	esac
+
+	if [ -f "$bakconfigfile" ]; then
+		mv "$bakconfigfile" "$configfile"
+	else
+		rm -f "$configfile"
+	fi
+	if [ -d "$tokendir" ]; then
+		rm -rf "${tokendir}"
+	fi
+	return 0
+}
+
+setup_softhsm() {
+	local msg tokenuri keyuri
+	local configdir=${SOFTHSM_SETUP_CONFIGDIR}
+	local configfile=${SOFTHSM2_CONF}
+	local bakconfigfile=${configfile}.bak
+	local tokendir=${configdir}/tokens
+	local rc
+
+	case "${UNAME_S}" in
+	Darwin*)
+		if [ -f /etc/gnutls/pkcs11.conf.bak ]; then
+			echo "/etc/gnutls/pkcs11.conf.bak already exists; need to 'teardown' first"
+			return 1
+		fi
+		sudo mv /etc/gnutls/pkcs11.conf \
+			/etc/gnutls/pkcs11.conf.bak &>/dev/null
+		if [ $(id -u) -eq 0 ]; then
+			SONAME="$(sudo -u nobody brew ls --verbose softhsm | \
+				  grep -E "\.so$")"
+		else
+			SONAME="$(brew ls --verbose softhsm | \
+				  grep -E "\.so$")"
+		fi
+		sudo mkdir -p /etc/gnutls &>/dev/null
+		sudo bash -c "echo "load=${SONAME}" > /etc/gnutls/pkcs11.conf"
+		;;
+	esac
+
+	if ! [ -d $configdir ]; then
+		mkdir -p $configdir
+	fi
+	mkdir -p ${tokendir}
+
+	if [ -f $configfile ]; then
+		mv "$configfile" "$bakconfigfile"
+	fi
+
+	if ! [ -f $configfile ]; then
+		cat <<_EOF_ > $configfile
+directories.tokendir = ${tokendir}
+objectstore.backend = file
+log.level = DEBUG
+slots.removable = false
+_EOF_
+	fi
+
+	msg=$(p11tool --list-tokens 2>&1 | grep "token=${NAME}" | tail -n1)
+	if [ $? -ne 0 ]; then
+		echo "Could not list existing tokens"
+		echo "$msg"
+	fi
+	tokenuri=$(echo "$msg" | sed -n 's/.*URL: \([[:print:]*]\)/\1/p')
+
+	if [ -z "$tokenuri" ]; then
+		msg=$(softhsm2-util \
+			--init-token --pin ${PIN} --so-pin ${SO_PIN} \
+			--free --label ${NAME} 2>&1)
+		if [ $? -ne 0 ]; then
+			echo "Could not initialize token"
+			echo "$msg"
+			return 2
+		fi
+
+		slot=$(echo "$msg" | \
+		       sed -n 's/.* reassigned to slot \([0-9]*\)$/\1/p')
+		if [ -z "$slot" ]; then
+			slot=$(softhsm2-util --show-slots | \
+			       grep -E "^Slot " | head -n1 |
+			       sed -n 's/Slot \([0-9]*\)/\1/p')
+			if [ -z "$slot" ]; then
+				echo "Could not parse slot number from output."
+				echo "$msg"
+				return 3
+			fi
+		fi
+
+		msg=$(p11tool --list-tokens 2>&1 | \
+			grep "token=${NAME}" | tail -n1)
+		if [ $? -ne 0 ]; then
+			echo "Could not list existing tokens"
+			echo "$msg"
+		fi
+		tokenuri=$(echo "$msg" | sed -n 's/.*URL: \([[:print:]*]\)/\1/p')
+		if [ -z "${tokenuri}" ]; then
+			echo "Could not get tokenuri!"
+			return 4
+		fi
+
+		# more recent versions of p11tool have --generate-privkey ...
+		msg=$(GNUTLS_PIN=$PIN p11tool \
+			--generate-privkey=rsa --bits 2048 --label mykey --login \
+			"${tokenuri}" 2>&1)
+		if [ $? -ne 0 ]; then
+			# ... older versions have --generate-rsa
+			msg=$(GNUTLS_PIN=$PIN p11tool \
+				--generate-rsa --bits 2048 --label mykey --login \
+				"${tokenuri}" 2>&1)
+			if [ $? -ne 0 ]; then
+				echo "Could not create RSA key!"
+				echo "$msg"
+				return 5
+			fi
+		fi
+	fi
+
+	getkeyuri_softhsm $slot
+	rc=$?
+	if [ $rc -ne 0 ]; then
+		teardown_softhsm
+	fi
+
+	return $rc
+}
+
+_getkeyuri_softhsm() {
+	local msg tokenuri keyuri
+
+	msg=$(p11tool --list-tokens 2>&1 | grep "token=${NAME}")
+	if [ $? -ne 0 ]; then
+		echo "Could not list existing tokens"
+		echo "$msg"
+		return 5
+	fi
+	tokenuri=$(echo "$msg" | sed -n 's/.*URL: \([[:print:]*]\)/\1/p')
+	if [ -z "$tokenuri" ]; then
+		echo "Could not get token URL"
+		echo "$msg"
+		return 6
+	fi
+	msg=$(p11tool --list-all ${tokenuri} 2>&1)
+	if [ $? -ne 0 ]; then
+		echo "Could not list object under token $tokenuri"
+		echo "$msg"
+		softhsm2-util --show-slots
+		return 7
+	fi
+
+	keyuri=$(echo "$msg" | sed -n 's/.*URL: \([[:print:]*]\)/\1/p')
+	if [ -z "$keyuri" ]; then
+		echo "Could not get key URL"
+		echo "$msg"
+		return 8
+	fi
+	echo "$keyuri"
+	return 0
+}
+
+getkeyuri_softhsm() {
+	local keyuri rc
+
+	keyuri=$(_getkeyuri_softhsm)
+	rc=$?
+	if [ $rc -ne 0 ]; then
+		return $rc
+	fi
+	echo "keyuri: $keyuri?pin-value=${PIN}" #&module-name=softhsm2"
+	return 0
+}
+
+getpubkey_softhsm() {
+	local keyuri rc
+
+	keyuri=$(_getkeyuri_softhsm)
+	rc=$?
+	if [ $rc -ne 0 ]; then
+		return $rc
+	fi
+	GNUTLS_PIN=${PIN} p11tool --export-pubkey "${keyuri}" --login 2>/dev/null
+	return $?
+}
+
+usage() {
+	cat <<_EOF_
+Usage: $0 [command]
+
+Supported commands are:
+
+setup      : Setup the user's account for softhsm and create a
+             token and key with a test configuration
+
+getkeyuri  : Get the key's URI; may only be called after setup
+
+getpubkey  : Get the public key in PEM format; may only be called after setup
+
+teardown   : Remove the temporary softhsm test configuration
+
+_EOF_
+}
+
+main() {
+	local ret
+
+	if [ $# -lt 1 ]; then
+		usage $0
+		echo -e "Missing command.\n\n"
+		return 1
+	fi
+	case "$1" in
+	setup)
+		setup_softhsm
+		ret=$?
+		;;
+	getkeyuri)
+		getkeyuri_softhsm
+		ret=$?
+		;;
+	getpubkey)
+		getpubkey_softhsm
+		ret=$?
+		;;
+	teardown)
+		teardown_softhsm
+		ret=$?
+		;;
+	*)
+		echo -e "Unsupported command: $1\n\n"
+		usage $0
+		ret=1
+	esac
+	return $ret
+}
+
+main "$@"
+exit $?

tests/test_ascii_runtime_measurements

@@ -0,0 +1,3 @@
+10 cf41b43c4031672fcc2bd358b309ad33b977424f ima-ng sha256:f1b4c7c9b27e94569f4c2b64051c452bc609c3cb891dd7fae06b758f8bc83d14 boot_aggregate
+10 983dcd8e6f7c84a1a5f10e762d1850623966ceab ima-ng sha256:ae06e032a65fed8102aff5f8f31c678dcf2eb25b826f77ecb699faa0411f89e0 /init
+10 b6e4d01c73f6e4b698eaf48e7d76a2bae0c02514 ima-ng sha256:4b1764ee112aa8b2a6ae9a3a2f1e272b6601681f610708497673cd49e5bd2f5c /bin/sh