ima-evm-utils: Release version 1.2.1

This release contains a few bug fixes: autoconf, keys for v1 signature verification, return code error, and openssl version. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2025-07-03 22:23:16 +02:00 · 2019-07-30 15:19:00 -04:00
44 changed files with 364 additions and 3084 deletions
--- a/.gitignore
+++ b/.gitignore
@ -21,7 +21,7 @@ missing
 compile
 libtool
 ltmain.sh
-test-driver
+
 # Compiled executables
 *.o
--- a/.travis.yml
+++ b/.travis.yml
@ -1,78 +0,0 @@
 dist: bionic
 language: C
 services:
    - docker
 matrix:
    include:
        # 32 bit build
        - os: linux
          env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss
          compiler: gcc
        # cross compilation builds
        - os: linux
          env: DISTRO=debian:stable VARIANT=cross-compile ARCH=ppc64el TSS=ibmtss
          compiler: powerpc64le-linux-gnu-gcc
        - os: linux
          env: DISTRO=debian:stable VARIANT=cross-compile ARCH=arm64 TSS=tpm2-tss
          compiler: aarch64-linux-gnu-gcc
        - os: linux
          env: DISTRO=debian:stable VARIANT=cross-compile ARCH=s390x TSS=ibmtss
          compiler: s390x-linux-gnu-gcc
        # musl
        - os: linux
          env: DISTRO=alpine:latest TSS=tpm2-tss
          compiler: gcc
        # glibc (gcc/clang)
        - os: linux
          env: DISTRO=opensuse/tumbleweed TSS=ibmtss
          compiler: clang
        - os: linux
          env: DISTRO=opensuse/leap TSS=tpm2-tss
          compiler: gcc
        - os: linux
          env: DISTRO=ubuntu:eoan TSS=ibmtss
          compiler: gcc
        - os: linux
          env: DISTRO=ubuntu:xenial TSS=tpm2-tss
          compiler: clang
        - os: linux
          env: DISTRO=fedora:latest TSS=ibmtss
          compiler: clang
        - os: linux
          env: DISTRO=centos:7 TSS=tpm2-tss
          compiler: gcc
        - os: linux
          env: DISTRO=centos:latest TSS=tpm2-tss
          compiler: clang
        - os: linux
          env: DISTRO=debian:testing TSS=tpm2-tss
          compiler: clang
        - os: linux
          env: DISTRO=debian:stable TSS=ibmtss
          compiler: gcc
 before_install:
    - df -hT
    - DIR="/usr/src/ima-evm-utils"
    - printf "FROM $DISTRO\nRUN mkdir -p $DIR\nWORKDIR $DIR\nCOPY . $DIR\n" > Dockerfile
    - cat Dockerfile
    - docker build -t ima-evm-utils .
 script:
    - INSTALL="${DISTRO%%:*}"
    - INSTALL="${INSTALL%%/*}"
    - docker run -t ima-evm-utils /bin/sh -c "cd travis && if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./$INSTALL.sh && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || ../tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ../build.sh"
--- a/127
+++ b/127
@ -0,0 +1,127 @@
 2019-07-24  Mimi Zohar <zohar@linux.ibm.com>
 	version 1.2 new features:
 	* Generate EVM signatures based on the specified hash algorithm
 	* include "security.apparmor" in EVM signature
 	* Add support for writing & verifying "user.xxxx" xattrs for testing
 	* Support Strebog/Gost hash functions
 	* Add OpenSSL engine support
 	* Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
 	* Support verifying multiple signatures at once
 	* Support new template "buf" field and warn about other unknown fields
 	* Improve OpenSSL error reporting
 	* Support reading TPM 2.0 PCRs using tsspcrread
 	Bug fixes and code cleanup:
 	* Update manpage stylesheet detection
 	* Fix xattr.h include file
 	* On error when reading TPM PCRs, don't log gargabe
 	* Properly return keyid string to calc_keyid_v1/v2 callers, caused by
 	  limiting keyid output to verbose mode
 	* Fix hash buffer overflow caused by EVM support for larger hashes,
 	  defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
 	* Linked with libcrypto instead of OpenSSL
 	* Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
 	* Include new "hash-info.gen" in tar
 	* Log the hash algorithm, not just the hash value
 	* Fixed memory leaks in: EV_MD_CTX, init_public_keys
 	* Fixed other warnings/bugs discovered by clang, coverity
 	* Remove indirect calls in verify_hash() to improve code readability
 	* Don't fallback to using sha1
 	* Namespace some too generic object names
 	* Make functions/arrays static if possible
 2018-01-28  Mimi Zohar <zohar@us.ibm.com>
 	version 1.1
 	* Support the new openssl 1.1 api
 	* Support for validating multiple pcrs
 	* Verify the measurement list signature based on the list digest
 	* Verify the "ima-sig" measurement list using multiple keys
 	* Fixed parsing the measurement template data field length
 	* Portable & immutable EVM signatures (new format)
 	* Multiple fixes that have been lingering in the next branch. Some
 	  are for experimental features that are not yet supported in the
 	  kernel.
 2014-07-30  Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
 	version 1.0
 	* Recursive hashing
 	* Immutable EVM signatures (experimental)
 	* Command 'ima_clear' to remove xattrs
 	* Support for passing password to the library
 	* Support for asking password safely from the user
 2014-09-23  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.9
 	* Updated README
 	* man page generated and added to the package
 	* Use additional SMACK xattrs for EVM signature generation
 	* Signing functions moved to libimaevm for external use (RPM)
 	* Fixed setting of correct hash header
 2014-05-05  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.8
 	* Symbilic names for keyrings
 	* Hash list signing
 	* License text fix for using OpenSSL
 	* Help output fix
 2014-02-17  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.7
 	* Fix symbolic links related bugs
 	* Provide recursive fixing
 	* Provide recursive signing
 	* Move IMA verification to the library (first for LTP use)
 	* Support for target architecture data size
 	* Remove obsolete module signing code
 	* Code cleanup
 2013-08-28  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.6
 	* support for asymmetric crypto keys and new signature format (v2)
 	* fixes to set correct hash algo for digital signature v1
 	* uuid support for EVM
 	* signature verification support
 	* test scripts removed
 	* README updates
 2012-05-18  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.3
 	* llistxattr returns 0 if there are no xattrs and it is valid
 	* Added entry type to directory hash calculation
 	* inline block variable renamed
 	* Remove forced tag creation
 	* Use libexec for programs and scripts
 	* Some files updated
 	* Do not search for algorithm as it is known
 	* Refactored to remove redundant hash initialization code
 	* Added hash calculation for special files
 2012-04-05  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.2
 	* added RPM & TAR building makefile rules
 	* renamed evm-utils to ima-evm-utils
 	* added command options description
 	* updated error handling
 	* refactored redundant code
 2012-04-02  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.1.0
 	* Fully functional version for lastest 3.x kernels
 2011-08-24  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.1
 	* Initial public version.
--- a/Makefile.am
+++ b/Makefile.am
@ -1,7 +1,5 @@
-SUBDIRS = src tests
+SUBDIRS = src
 if MANPAGE_DOCBOOK_XSL
 dist_man_MANS = evmctl.1
 endif
 doc_DATA =  examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
 EXTRA_DIST = autogen.sh $(doc_DATA)
@ -25,7 +23,6 @@ rpm: $(tarname)
 	cp $(tarname) $(SRCS)/
 	rpmbuild -ba --nodeps $(SPEC)
 if MANPAGE_DOCBOOK_XSL
 evmctl.1.html: README
 	@asciidoc -o $@ $<
@ -38,6 +35,5 @@ rmman:
 	rm -f evmctl.1
 doc: evmctl.1.html rmman evmctl.1
 endif
 .PHONY: $(tarname)
--- a/202
+++ b/202
@ -1,202 +0,0 @@
 2020-10-28  Mimi Zohar <zohar@linux.ibm.com>
 	version 1.3.2:
 	* Bugfixes: importing keys
 	* NEW: Docker based travis distro testing
 	* Travis bugfixes, code cleanup, software version update,
 	  and script removal
 	* Initial travis testing
 2020-08-11  Mimi Zohar <zohar@linux.ibm.com>
 	version 1.3.1:
 	* "--pcrs" support for per crypto algorithm
 	* Drop/rename "ima_measurement" options
 	* Moved this summary from "Changelog" to "NEWS", removing
 	  requirement for GNU empty files
 	* Distro build fixes
 2020-07-21  Mimi Zohar <zohar@linux.ibm.com>
 	version 1.3 new features:
 	* NEW ima-evm-utils regression test infrastructure with two initial
 	  tests:
 	  - ima_hash.test: calculate/verify different crypto hash algorithms
 	  - sign_verify.test: EVM and IMA sign/verify signature tests
 	* TPM 2.0 support
 	  - Calculate the new per TPM 2.0 bank template data digest
 	  - Support original padding the SHA1 template data digest
 	  - Compare ALL the re-calculated TPM 2.0 bank PCRs against the
 	    TPM 2.0 bank PCR values
 	  - Calculate the per TPM bank "boot_aggregate" values, including
 	    PCRs 8 & 9 in calculation
 	  - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS
 	  - boot_aggregate.test: compare the calculated "boot_aggregate"
 	    values with the "boot_aggregate" value included in the IMA
 	    measurement.
 	* TPM 1.2 support
 	  - Additionally support reading the TPM 1.2 PCRs from a supplied file
 	    ("--pcrs" option)
 	* Based on original IMA LTP and standalone version support
 	  - Calculate the TPM 1.2 "boot_aggregate" based on the exported
 	    TPM 1.2 BIOS event log.
 	  - In addition to verifying the IMA measurement list against the
 	    the TPM PCRs, verify the IMA template data digest against the
 	    template data.  (Based on LTP "--verify" option.)
 	  - Ignore file measurement violations while verifying the IMA
 	    measurment list. (Based on LTP "--validate" option.)
 	  - Verify the file data signature included in the measurement list
 	    based on the file hash also included in the measurement list
 	    (--verify-sig)
 	  - Support original "ima" template (mixed templates not supported)
 	* Support "sm3" crypto name
 	Bug fixes and code cleanup:
 	* Don't exit with -1 on failure, exit with 125
 	* On signature verification failure, include pathname.
 	* Provide minimal hash_info.h file in case one doesn't exist, needed
 	  by the ima-evm-utils regression tests.
 	* On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs
 	* Fix hash_algo type comparison mismatch
 	* Simplify/clean up code
 	* Address compiler complaints and failures
 	* Fix memory allocations and leaks
 	* Sanity check provided input files are regular files
 	* Revert making "tsspcrread" a compile build time decision.
 	* Limit additional messages based on log level (-v)
 2019-07-30  Mimi Zohar <zohar@linux.ibm.com>
 	version 1.2.1 Bug fixes:
 	* When verifying multiple file signatures, return correct status
 	* Don't automatically use keys from x509 certs if user supplied "--rsa"
 	* Fix verifying DIGSIG_VERSION_1 signatures
 	* autoconf, openssl fixes
 2019-07-24  Mimi Zohar <zohar@linux.ibm.com>
 	version 1.2 new features:
 	* Generate EVM signatures based on the specified hash algorithm
 	* include "security.apparmor" in EVM signature
 	* Add support for writing & verifying "user.xxxx" xattrs for testing
 	* Support Strebog/Gost hash functions
 	* Add OpenSSL engine support
 	* Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
 	* Support verifying multiple signatures at once
 	* Support new template "buf" field and warn about other unknown fields
 	* Improve OpenSSL error reporting
 	* Support reading TPM 2.0 PCRs using tsspcrread
 	Bug fixes and code cleanup:
 	* Update manpage stylesheet detection
 	* Fix xattr.h include file
 	* On error when reading TPM PCRs, don't log gargabe
 	* Properly return keyid string to calc_keyid_v1/v2 callers, caused by
 	  limiting keyid output to verbose mode
 	* Fix hash buffer overflow caused by EVM support for larger hashes,
 	  defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
 	* Linked with libcrypto instead of OpenSSL
 	* Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
 	* Include new "hash-info.gen" in tar
 	* Log the hash algorithm, not just the hash value
 	* Fixed memory leaks in: EV_MD_CTX, init_public_keys
 	* Fixed other warnings/bugs discovered by clang, coverity
 	* Remove indirect calls in verify_hash() to improve code readability
 	* Don't fallback to using sha1
 	* Namespace some too generic object names
 	* Make functions/arrays static if possible
 2018-01-28  Mimi Zohar <zohar@us.ibm.com>
 	version 1.1
 	* Support the new openssl 1.1 api
 	* Support for validating multiple pcrs
 	* Verify the measurement list signature based on the list digest
 	* Verify the "ima-sig" measurement list using multiple keys
 	* Fixed parsing the measurement template data field length
 	* Portable & immutable EVM signatures (new format)
 	* Multiple fixes that have been lingering in the next branch. Some
 	  are for experimental features that are not yet supported in the
 	  kernel.
 2014-07-30  Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
 	version 1.0
 	* Recursive hashing
 	* Immutable EVM signatures (experimental)
 	* Command 'ima_clear' to remove xattrs
 	* Support for passing password to the library
 	* Support for asking password safely from the user
 2014-09-23  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.9
 	* Updated README
 	* man page generated and added to the package
 	* Use additional SMACK xattrs for EVM signature generation
 	* Signing functions moved to libimaevm for external use (RPM)
 	* Fixed setting of correct hash header
 2014-05-05  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.8
 	* Symbilic names for keyrings
 	* Hash list signing
 	* License text fix for using OpenSSL
 	* Help output fix
 2014-02-17  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.7
 	* Fix symbolic links related bugs
 	* Provide recursive fixing
 	* Provide recursive signing
 	* Move IMA verification to the library (first for LTP use)
 	* Support for target architecture data size
 	* Remove obsolete module signing code
 	* Code cleanup
 2013-08-28  Dmitry Kasatkin <d.kasatkin@samsung.com>
 	version 0.6
 	* support for asymmetric crypto keys and new signature format (v2)
 	* fixes to set correct hash algo for digital signature v1
 	* uuid support for EVM
 	* signature verification support
 	* test scripts removed
 	* README updates
 2012-05-18  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.3
 	* llistxattr returns 0 if there are no xattrs and it is valid
 	* Added entry type to directory hash calculation
 	* inline block variable renamed
 	* Remove forced tag creation
 	* Use libexec for programs and scripts
 	* Some files updated
 	* Do not search for algorithm as it is known
 	* Refactored to remove redundant hash initialization code
 	* Added hash calculation for special files
 2012-04-05  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.2
 	* added RPM & TAR building makefile rules
 	* renamed evm-utils to ima-evm-utils
 	* added command options description
 	* updated error handling
 	* refactored redundant code
 2012-04-02  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.1.0
 	* Fully functional version for lastest 3.x kernels
 2011-08-24  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 	version 0.1
 	* Initial public version.
--- a/7
+++ b/7
@ -28,11 +28,10 @@ COMMANDS
 import [--rsa] pubkey keyring
 sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
 verify file
 ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
 ima_sign [--sigfile] [--key key] [--pass password] file
 ima_verify file
 ima_hash file
- ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
+ ima_measurement [--key "key1, key2, ..."] [--list] file
 ima_fix [-t fdsxm] path
 sign_hash [--key key] [--pass password]
 hmac [--imahash | --imasig ] file
@ -60,10 +59,6 @@ OPTIONS
      --m32          force EVM hmac/signature for 32 bit target system
      --m64          force EVM hmac/signature for 64 bit target system
      --engine e     preload OpenSSL engine e (such as: gost)
      --pcrs         file containing TPM pcrs, one per hash-algorithm/bank
      --ignore-violations ignore ToMToU measurement violations
      --verify-sig   verify the file signature based on the file hash, both
                     stored in the template data.
  -v                 increase verbosity level
  -h, --help         display this help and exit
--- a/autogen.sh
+++ b/autogen.sh
@ -1,4 +1,16 @@
 #! /bin/sh
 set -e
-autoreconf -i
+# new way
 # strange, but need this for Makefile.am, because it has -I m4
 test -d m4 || mkdir m4
 autoreconf -f -i
 # old way
 #libtoolize --automake --copy --force
 #aclocal
 #autoconf --force
 #autoheader --force
 #automake --add-missing --copy --force-missing --gnu
--- a/build.sh
+++ b/build.sh
@ -1,97 +0,0 @@
 #!/bin/sh
 # Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
 set -e
 CC="${CC:-gcc}"
 CFLAGS="${CFLAGS:--Wformat -Werror=format-security -Werror=implicit-function-declaration -Werror=return-type -fno-common}"
 PREFIX="${PREFIX:-$HOME/ima-evm-utils-install}"
 export LD_LIBRARY_PATH="$PREFIX/lib64:$PREFIX/lib:/usr/local/lib64:/usr/local/lib"
 export PATH="$PREFIX/bin:/usr/local/bin:$PATH"
 title()
 {
 	echo "===== $1 ====="
 }
 log_exit()
 {
 	local ret="${3:-$?}"
 	local log="$1"
 	local msg="$2"
 	local prefix
 	echo "=== $log ==="
 	[ $ret -eq 0 ] || prefix="FAIL: "
 	cat $log
 	echo
 	echo "$prefix$msg, see output of $log above"
 	exit $ret
 }
 cd `dirname $0`
 case "$VARIANT" in
 	i386)
 		echo "32-bit compilation"
 		export CFLAGS="-m32 $CFLAGS" LDFLAGS="-m32 $LDFLAGS"
 		export PKG_CONFIG_LIBDIR=/usr/lib/i386-linux-gnu/pkgconfig
 		;;
 	cross-compile)
 		host="${CC%-gcc}"
 		export CROSS_COMPILE="${host}-"
 		host="--host=$host"
 		echo "cross compilation: $host"
 		echo "CROSS_COMPILE: '$CROSS_COMPILE'"
 		;;
 	*)
 		if [ "$VARIANT" ]; then
 			echo "Wrong VARIANT: '$VARIANT'" >&2
 			exit 1
 		fi
 		echo "native build"
 		;;
 esac
 title "compiler version"
 $CC --version
 echo "CFLAGS: '$CFLAGS'"
 echo "LDFLAGS: '$LDFLAGS'"
 echo "PREFIX: '$PREFIX'"
 title "configure"
 ./autogen.sh
 ./configure --prefix=$PREFIX $host || log_exit config.log "configure failed"
 title "make"
 make -j$(nproc)
 make install
 title "test"
 if [ "$VARIANT" = "cross-compile" ]; then
 	echo "skip make check on cross compilation"
 	exit 0
 fi
 ret=0
 VERBOSE=1 make check || ret=$?
 title "logs"
 if [ $ret -eq 0 ]; then
 	tail -3 tests/ima_hash.log
 	tail -3 tests/sign_verify.log
 	tail -20 tests/boot_aggregate.log
 	exit 0
 fi
 cat tests/test-suite.log
 if [ $ret -eq 77 ]; then
 	msg="WARN: some tests skipped"
 	ret=0
 else
 	msg="FAIL: tests exited: $ret"
 fi
 log_exit tests/test-suite.log "$msg" $ret
--- a/configure.ac
+++ b/configure.ac
@ -1,8 +1,8 @@
 # autoconf script
 AC_PREREQ([2.65])
-AC_INIT(ima-evm-utils, 1.3.2, zohar@linux.ibm.com)
+AC_INIT(ima-evm-utils, 1.2.1, zohar@linux.ibm.com)
-AM_INIT_AUTOMAKE([foreign])
+AM_INIT_AUTOMAKE
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
@ -30,9 +30,10 @@ AC_SUBST(KERNEL_HEADERS)
 AC_CHECK_HEADER(unistd.h)
 AC_CHECK_HEADERS(openssl/conf.h)
-AC_CHECK_LIB([tss2-esys], [Esys_Free])
+AC_CHECK_PROG(TSSPCRREAD, [tsspcrread], yes, no)
-AC_CHECK_LIB([tss2-rc], [Tss2_RC_Decode])
+if test "x$TSSPCRREAD" = "xyes"; then
-AM_CONDITIONAL([USE_PCRTSS], [test "x$ac_cv_lib_tss2_esys_Esys_Free" = "xyes"])
+	AC_DEFINE(HAVE_TSSPCRREAD, 1, [Define to 1 if you have tsspcrread binary installed])
 fi
 AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])])
 AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])])
@ -66,7 +67,6 @@ EVMCTL_MANPAGE_DOCBOOK_XSL
 AC_CONFIG_FILES([Makefile
 		src/Makefile
 		tests/Makefile
 		packaging/ima-evm-utils.spec
 		])
 AC_OUTPUT
@ -77,7 +77,5 @@ echo
 echo	"Configuration:"
 echo	"          debug: $pkg_cv_enable_debug"
 echo	"   openssl-conf: $enable_openssl_conf"
-echo	"      tss2-esys: $ac_cv_lib_tss2_esys_Esys_Free"
+echo	"     tsspcrread: $TSSPCRREAD"
 echo	" tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode"
 echo	"            doc: $have_doc"
 echo
--- a/m4/manpage-docbook-xsl.m4
+++ b/m4/manpage-docbook-xsl.m4
@ -1,10 +1,7 @@
-dnl Copyright (c) 2018-2020 Petr Vorel <pvorel@suse.cz>
+dnl Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
 dnl Find docbook manpage stylesheet
 AC_DEFUN([EVMCTL_MANPAGE_DOCBOOK_XSL], [
 	DOCBOOK_XSL_URI="http://docbook.sourceforge.net/release/xsl/current"
 	DOCBOOK_XSL_PATH="manpages/docbook.xsl"
 	AC_PATH_PROGS(XMLCATALOG, xmlcatalog)
 	AC_ARG_WITH([xml-catalog],
 		AC_HELP_STRING([--with-xml-catalog=CATALOG],
@ -12,37 +9,20 @@ AC_DEFUN([EVMCTL_MANPAGE_DOCBOOK_XSL], [
 				[with_xml_catalog=/etc/xml/catalog])
 	XML_CATALOG_FILE="$with_xml_catalog"
 	AC_SUBST([XML_CATALOG_FILE])
 	if test "x${XMLCATALOG}" = "x"; then
 		AC_MSG_WARN([xmlcatalog not found, cannot search for $DOCBOOK_XSL_PATH])
 	else
 	AC_MSG_CHECKING([for XML catalog ($XML_CATALOG_FILE)])
 	if test -f "$XML_CATALOG_FILE"; then
 		have_xmlcatalog_file=yes
 		AC_MSG_RESULT([found])
 	else
-			AC_MSG_RESULT([not found, cannot search for $DOCBOOK_XSL_PATH])
+		AC_MSG_RESULT([not found])
 	fi
 	fi
 	if test "x${XMLCATALOG}" != "x" -a "x$have_xmlcatalog_file" = "xyes"; then
-		MANPAGE_DOCBOOK_XSL=$(${XMLCATALOG} ${XML_CATALOG_FILE} ${DOCBOOK_XSL_URI}/${DOCBOOK_XSL_PATH} | sed 's|^file:/\+|/|')
+		DOCBOOK_XSL_URI="http://docbook.sourceforge.net/release/xsl/current"
 		DOCBOOK_XSL_PATH="manpages/docbook.xsl"
 		MANPAGE_DOCBOOK_XSL=$(${XMLCATALOG} ${XML_CATALOG_FILE} ${DOCBOOK_XSL_URI}/${DOCBOOK_XSL_PATH} | sed -n 's|^file:/\+|/|p;q')
 	fi
 	if test "x${MANPAGE_DOCBOOK_XSL}" = "x"; then
 		MANPAGE_DOCBOOK_XSL="/usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl"
 		AC_MSG_WARN([trying a default path for $DOCBOOK_XSL_PATH])
 	fi
 	if test -f "$MANPAGE_DOCBOOK_XSL"; then
 		have_doc=yes
 		AC_MSG_NOTICE([using $MANPAGE_DOCBOOK_XSL for generating doc])
 	else
 		AC_MSG_WARN([$DOCBOOK_XSL_PATH not found, generating doc will be skipped])
 		MANPAGE_DOCBOOK_XSL=
 		have_doc=no
 	fi
 	AM_CONDITIONAL(MANPAGE_DOCBOOK_XSL, test "x$have_doc" = xyes)
 	AC_SUBST(MANPAGE_DOCBOOK_XSL)
 ])
--- a/packaging/ima-evm-utils.spec
+++ b/packaging/ima-evm-utils.spec
@ -1,5 +1,5 @@
 Name:		ima-evm-utils
-Version:	1.3.2
+Version:	1.2.1
 Release:	1%{?dist}
 Summary:	ima-evm-utils - IMA/EVM control utility
 Group:		System/Libraries
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -4,7 +4,7 @@ libimaevm_la_SOURCES = libimaevm.c
 libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
 # current[:revision[:age]]
 # result: [current-age].age.revision
-libimaevm_la_LDFLAGS = -version-info 2:0:0
+libimaevm_la_LDFLAGS = -version-info 1:0:0
 libimaevm_la_LIBADD =  $(LIBCRYPTO_LIBS)
 include_HEADERS = imaevm.h
@ -17,18 +17,12 @@ hash_info.h: Makefile
 bin_PROGRAMS = evmctl
-evmctl_SOURCES = evmctl.c utils.c
+evmctl_SOURCES = evmctl.c
 evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
 evmctl_LDFLAGS = $(LDFLAGS_READLINE)
 evmctl_LDADD =  $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la
 if USE_PCRTSS
 evmctl_SOURCES += pcr_tss.c
 else
 evmctl_SOURCES += pcr_tsspcrread.c
 endif
 AM_CPPFLAGS = -I$(top_srcdir) -include config.h
-CLEANFILES = hash_info.h tmp_hash_info.h
+CLEANFILES = hash_info.h
 DISTCLEANFILES = @DISTCLEANFILES@
--- a/src/evmctl.c
+++ b/src/evmctl.c
--- a/src/hash_info.gen
+++ b/src/hash_info.gen
@ -18,54 +18,11 @@ KERNEL_HEADERS=$1
 HASH_INFO_H=uapi/linux/hash_info.h
 HASH_INFO=$KERNEL_HEADERS/include/$HASH_INFO_H
 TMPHASHINFO="./tmp_hash_info.h"
 gen_hashinfo() {
 cat << __EOF__ >$TMPHASHINFO
 /* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
 /*
 * Hash Info: Hash algorithms information
 *
 * Copyright (c) 2013 Dmitry Kasatkin <d.kasatkin@samsung.com>
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the Free
 * Software Foundation; either version 2 of the License, or (at your option)
 * any later version.
 *
 */
 enum hash_algo {
 	HASH_ALGO_MD4,
 	HASH_ALGO_MD5,
 	HASH_ALGO_SHA1,
 	HASH_ALGO_RIPE_MD_160,
 	HASH_ALGO_SHA256,
 	HASH_ALGO_SHA384,
 	HASH_ALGO_SHA512,
 	HASH_ALGO_SHA224,
 	HASH_ALGO_RIPE_MD_128,
 	HASH_ALGO_RIPE_MD_256,
 	HASH_ALGO_RIPE_MD_320,
 	HASH_ALGO_WP_256,
 	HASH_ALGO_WP_384,
 	HASH_ALGO_WP_512,
 	HASH_ALGO_TGR_128,
 	HASH_ALGO_TGR_160,
 	HASH_ALGO_TGR_192,
 	HASH_ALGO_SM3_256,
 	HASH_ALGO__LAST
 };
 __EOF__
 }
 # Allow to specify kernel-headers past include/
 if [ ! -e $HASH_INFO ]; then
  HASH_INFO2=$KERNEL_HEADERS/$HASH_INFO_H
  if [ -e $HASH_INFO2 ]; then
    HASH_INFO=$HASH_INFO2
  else
    gen_hashinfo
    HASH_INFO="$TMPHASHINFO"
  fi
 fi
--- a/src/imaevm.h
+++ b/src/imaevm.h
@ -46,7 +46,7 @@
 #include <syslog.h>
 #include <stdbool.h>
 #include <errno.h>
-#include <sys/types.h>
+
 #include <openssl/rsa.h>
 #ifdef USE_FPRINTF
@ -203,7 +203,7 @@ struct RSA_ASN1_template {
 	size_t size;
 };
-#define	NUM_PCRS 24
+#define	NUM_PCRS 20
 #define DEFAULT_PCR 10
 extern struct libimaevm_params imaevm_params;
@ -223,7 +223,5 @@ int sign_hash(const char *algo, const unsigned char *hash, int size, const char
 int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen);
 int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen);
 void init_public_keys(const char *keyfiles);
 int imaevm_hash_algo_from_sig(unsigned char *sig);
 const char *imaevm_hash_algo_by_id(int algo);
 #endif
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@ -71,7 +71,6 @@ static const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
 	[PKEY_HASH_SHA384]	= "sha384",
 	[PKEY_HASH_SHA512]	= "sha512",
 	[PKEY_HASH_SHA224]	= "sha224",
 	[PKEY_HASH_SM3_256]	= "sm3",
 	[PKEY_HASH_STREEBOG_256] = "md_gost12_256",
 	[PKEY_HASH_STREEBOG_512] = "md_gost12_512",
 };
@ -83,7 +82,7 @@ static const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = {
 };
 struct libimaevm_params imaevm_params = {
-	.verbose = LOG_INFO,
+	.verbose = LOG_INFO - 1,
 	.x509 = 1,
 	.hash_algo = "sha1",
 };
@ -106,7 +105,7 @@ void imaevm_hexdump(const void *ptr, int len)
 	imaevm_do_hexdump(stdout, ptr, len, true);
 }
-const char *imaevm_hash_algo_by_id(int algo)
+static const char *get_hash_algo_by_id(int algo)
 {
 	if (algo < PKEY_HASH__LAST)
 		return pkey_hash_algo[algo];
@ -114,7 +113,7 @@ const char *imaevm_hash_algo_by_id(int algo)
 		return hash_algo_name[algo];
 	log_err("digest %d not found\n", algo);
-	return NULL;
+	return "unknown";
 }
 /* Output all remaining openssl error messages. */
@ -323,8 +322,7 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
 	fp = fopen(keyfile, "r");
 	if (!fp) {
-		if (imaevm_params.verbose > LOG_INFO)
+		log_err("Failed to open keyfile: %s\n", keyfile);
 			log_info("Failed to open keyfile: %s\n", keyfile);
 		return NULL;
 	}
@ -512,7 +510,6 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
 	if (!pkey) {
 		uint32_t keyid = hdr->keyid;
 		if (imaevm_params.verbose > LOG_INFO)
 		log_info("%s: verification failed: unknown keyid %x\n",
 			 file, __be32_to_cpup(&keyid));
 		return -1;
@ -578,11 +575,11 @@ int imaevm_get_hash_algo(const char *algo)
 	return -1;
 }
-int imaevm_hash_algo_from_sig(unsigned char *sig)
+static int get_hash_algo_from_sig(unsigned char *sig)
 {
 	uint8_t hashalgo;
-	if (sig[0] == DIGSIG_VERSION_1) {
+	if (sig[0] == 1) {
 		hashalgo = ((struct signature_hdr *)sig)->hash;
 		if (hashalgo >= DIGEST_ALGO_MAX)
@ -596,7 +593,7 @@ int imaevm_hash_algo_from_sig(unsigned char *sig)
 		default:
 			return -1;
 		}
-	} else if (sig[0] == DIGSIG_VERSION_2) {
+	} else if (sig[0] == 2) {
 		hashalgo = ((struct signature_v2_hdr *)sig)->hash_algo;
 		if (hashalgo >= PKEY_HASH__LAST)
 			return -1;
@ -630,18 +627,18 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
 	unsigned char hash[MAX_DIGEST_SIZE];
 	int hashlen, sig_hash_algo;
-	if (sig[0] != EVM_IMA_XATTR_DIGSIG) {
+	if (sig[0] != 0x03) {
-		log_err("%s: xattr ima has no signature\n", file);
+		log_err("xattr ima has no signature\n");
 		return -1;
 	}
-	sig_hash_algo = imaevm_hash_algo_from_sig(sig + 1);
+	sig_hash_algo = get_hash_algo_from_sig(sig + 1);
 	if (sig_hash_algo < 0) {
-		log_err("%s: Invalid signature\n", file);
+		log_err("Invalid signature\n");
 		return -1;
 	}
 	/* Use hash algorithm as retrieved from signature */
-	imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo);
+	imaevm_params.hash_algo = get_hash_algo_by_id(sig_hash_algo);
 	/*
 	 * Validate the signature based on the digest included in the
@ -927,7 +924,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
 	hdr->version = (uint8_t) DIGSIG_VERSION_2;
 	hdr->hash_algo = imaevm_get_hash_algo(algo);
-	if (hdr->hash_algo == (uint8_t)-1) {
+	if (hdr->hash_algo == -1) {
 		log_err("sign_hash_v2: hash algo is unknown: %s\n", algo);
 		return -1;
 	}
--- a/src/pcr.h
+++ b/src/pcr.h
@ -1,3 +0,0 @@
 int tpm2_pcr_supported(void);
 int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr,
 		 int len, char **errmsg);
--- a/src/pcr_tss.c
+++ b/src/pcr_tss.c
@ -1,191 +0,0 @@
 /*
 * ima-evm-utils - IMA/EVM support utilities
 *
 * Copyright (C) 2011 Nokia Corporation
 * Copyright (C) 2011,2012,2013 Intel Corporation
 * Copyright (C) 2013,2014 Samsung Electronics
 *
 * Authors:
 * Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
 *                 <dmitry.kasatkin@intel.com>
 *                 <d.kasatkin@samsung.com>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * version 2 as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * As a special exception, the copyright holders give permission to link the
 * code of portions of this program with the OpenSSL library under certain
 * conditions as described in each individual source file and distribute
 * linked combinations including the program with the OpenSSL library. You
 * must comply with the GNU General Public License in all respects
 * for all of the code used other than as permitted herein. If you modify
 * file(s) with this exception, you may extend this exception to your
 * version of the file(s), but you are not obligated to do so. If you do not
 * wish to do so, delete this exception statement from your version. If you
 * delete this exception statement from all source files in the program,
 * then also delete it in the license file.
 *
 * File: pcr_tss.c
 *	 PCR reading implementation based on Intel TSS2
 */
 #include <stdio.h>
 #include <string.h>
 #include <openssl/sha.h>
 #ifdef HAVE_LIBTSS2_ESYS
 # include <tss2/tss2_esys.h>
 # ifdef HAVE_LIBTSS2_RC
 #  include <tss2/tss2_rc.h>
 #  define LIB "tss2-rc-decode"
 # else
 #  define LIB "tss2-esys"
 # endif
 #endif /* HAVE_LIBTSS2_ESYS */
 #define USE_FPRINTF
 #include "imaevm.h"
 int tpm2_pcr_supported(void)
 {
 	if (imaevm_params.verbose > LOG_INFO)
 		log_info("Using %s to read PCRs.\n", LIB);
 	return 1;
 }
 static int pcr_selections_match(TPML_PCR_SELECTION *a, TPML_PCR_SELECTION *b)
 {
 	int i, j;
 	if (a->count != b->count)
 		return 0;
 	for (i = 0; i < a->count; i++) {
 		if (a->pcrSelections[i].hash != b->pcrSelections[i].hash)
 			return 0;
 		if (a->pcrSelections[i].sizeofSelect != b->pcrSelections[i].sizeofSelect)
 			return 0;
 		for (j = 0; j < a->pcrSelections[i].sizeofSelect; j++) {
 			if (a->pcrSelections[i].pcrSelect[j] != b->pcrSelections[i].pcrSelect[j])
 				return 0;
 		}
 	}
 	return 1;
 }
 static inline int tpm2_set_errmsg(char **errmsg, const char *message, TSS2_RC ret)
 {
 #ifdef HAVE_LIBTSS2_RC
 		return asprintf(errmsg, "%s: %s", message, Tss2_RC_Decode(ret));
 #else
 		return asprintf(errmsg, "%s: #%d", message, ret);
 #endif
 }
 static TPM2_ALG_ID algo_to_tss2(const char *algo_name)
 {
 	if (!strcmp(algo_name, "sha1"))
 		return TPM2_ALG_SHA1;
 	else if (!strcmp(algo_name, "sha256"))
 		return TPM2_ALG_SHA256;
 	return TPM2_ALG_ERROR;
 }
 int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr,
 		 int len, char **errmsg)
 {
 	TSS2_ABI_VERSION abi_version = {
 		.tssCreator = 1,
 		.tssFamily = 2,
 		.tssLevel = 1,
 		.tssVersion = 108,
 	};
 	ESYS_CONTEXT *ctx = NULL;
 	TSS2_RC ret = 0;
 	TPML_PCR_SELECTION *pcr_select_out;
 	TPML_DIGEST *pcr_digests;
 	UINT32 pcr_update_counter;
 	TPM2_ALG_ID algid = algo_to_tss2(algo_name);
 	if (algid == TPM2_ALG_ERROR) {
 		ret = asprintf(errmsg, "unsupported tss2 algorithm");
 		if (ret == -1)	/* the contents of errmsg are undefined */
 			*errmsg = NULL;
 		return -1;
 	}
 	TPML_PCR_SELECTION pcr_select_in = {
 		.count = 1,
 		.pcrSelections = {
 			{
 				.hash = algid,
 				.sizeofSelect = 3,
 				.pcrSelect = { 0x00, 0x00, 0x00 },
 			}
 		}
 	};
 	pcr_select_in.pcrSelections[0].pcrSelect[idx / 8] = (1 << (idx % 8));
 	ret = Esys_Initialize(&ctx, NULL, &abi_version);
 	if (ret != TPM2_RC_SUCCESS) {
 		ret = tpm2_set_errmsg(errmsg, "esys initialize failed", ret);
 		if (ret == -1)	/* the contents of errmsg are undefined */
 			*errmsg = NULL;
 		return -1;
 	}
 	ret = Esys_PCR_Read(ctx,
 			    ESYS_TR_NONE,
 			    ESYS_TR_NONE,
 			    ESYS_TR_NONE,
 			    &pcr_select_in,
 			    &pcr_update_counter,
 			    &pcr_select_out,
 			    &pcr_digests);
 	Esys_Finalize(&ctx);
 	if (ret != TPM2_RC_SUCCESS) {
 		ret = tpm2_set_errmsg(errmsg, "esys PCR reading failed", ret);
 		if (ret == -1)	/* the contents of errmsg is undefined */
 			*errmsg = NULL;
 		return -1;
 	}
 	if (!pcr_selections_match(&pcr_select_in, pcr_select_out)) {
 		Esys_Free(pcr_select_out);
 		Esys_Free(pcr_digests);
 		ret = asprintf(errmsg, "TPM returned incorrect PCRs");
 		if (ret == -1)	/* the contents of errmsg are undefined */
 			*errmsg = NULL;
 		return -1;
 	}
 	Esys_Free(pcr_select_out);
 	if (pcr_digests->count != 1 || pcr_digests->digests[0].size != len) {
 		Esys_Free(pcr_digests);
 		ret = asprintf(errmsg, "TPM returned incorrect digests");
 		if (ret == -1)	/* the contents of errmsg is undefined */
 			*errmsg = NULL;
 		return -1;
 	}
 	memcpy(hwpcr, pcr_digests->digests[0].buffer, len);
 	Esys_Free(pcr_digests);
 	return 0;
 }
--- a/src/pcr_tsspcrread.c
+++ b/src/pcr_tsspcrread.c
@ -1,111 +0,0 @@
 /*
 * ima-evm-utils - IMA/EVM support utilities
 *
 * Copyright (C) 2011 Nokia Corporation
 * Copyright (C) 2011,2012,2013 Intel Corporation
 * Copyright (C) 2013,2014 Samsung Electronics
 *
 * Authors:
 * Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
 *                 <dmitry.kasatkin@intel.com>
 *                 <d.kasatkin@samsung.com>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * version 2 as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * As a special exception, the copyright holders give permission to link the
 * code of portions of this program with the OpenSSL library under certain
 * conditions as described in each individual source file and distribute
 * linked combinations including the program with the OpenSSL library. You
 * must comply with the GNU General Public License in all respects
 * for all of the code used other than as permitted herein. If you modify
 * file(s) with this exception, you may extend this exception to your
 * version of the file(s), but you are not obligated to do so. If you do not
 * wish to do so, delete this exception statement from your version. If you
 * delete this exception statement from all source files in the program,
 * then also delete it in the license file.
 *
 * File: pcr_tsspcrread.c
 *	 PCR reading implementation based on IBM TSS2
 */
 #include <errno.h>
 #include <limits.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdint.h>
 #include <openssl/sha.h>
 #define USE_FPRINTF
 #include "utils.h"
 #include "imaevm.h"
 #define CMD "tsspcrread"
 static char path[PATH_MAX];
 int tpm2_pcr_supported(void)
 {
 	if (imaevm_params.verbose > LOG_INFO)
 		log_info("Using %s to read PCRs.\n", CMD);
 	if (get_cmd_path(CMD, path, sizeof(path))) {
 		log_debug("Couldn't find '%s' in $PATH", CMD);
 		return 0;
 	}
 	log_debug("Found '%s' in $PATH", CMD);
 	return 1;
 }
 int tpm2_pcr_read(const char *algo_name, int idx, uint8_t *hwpcr,
 		 int len, char **errmsg)
 {
 	FILE *fp;
 	char pcr[100];	/* may contain an error */
 	char cmd[PATH_MAX + 50];
 	int ret;
 	sprintf(cmd, "%s -halg %s -ha %d -ns 2> /dev/null",
 		path, algo_name, idx);
 	fp = popen(cmd, "r");
 	if (!fp) {
 		ret = asprintf(errmsg, "popen failed: %s", strerror(errno));
 		if (ret == -1)	/* the contents of errmsg is undefined */
 			*errmsg = NULL;
 		return -1;
 	}
 	if (fgets(pcr, sizeof(pcr), fp) == NULL) {
 		ret = asprintf(errmsg, "tsspcrread failed: %s",
 			       strerror(errno));
 		if (ret == -1)	/* the contents of errmsg is undefined */
 			*errmsg = NULL;
 		ret = pclose(fp);
 		return -1;
 	}
 	/* get the popen "cmd" return code */
 	ret = pclose(fp);
 	/* Treat an unallocated bank as an error */
 	if (!ret && (strlen(pcr) < SHA_DIGEST_LENGTH))
 		ret = -1;
 	if (!ret)
 		hex2bin(hwpcr, pcr, len);
 	else
 		*errmsg = strndup(pcr, strlen(pcr) - 1); /* remove newline */
 	return ret;
 }
--- a/src/utils.c
+++ b/src/utils.c
@ -1,114 +0,0 @@
 // SPDX-License-Identifier: GPL-2.0
 /*
 * utils: set of common functions
 *
 * Copyright (C) 2020 Patrick Uiterwijk <patrick@puiterwijk.org>
 * Copyright (C) 2010 Cyril Hrubis <chrubis@suse.cz>
 */
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/stat.h>
 #include <unistd.h>
 #include "utils.h"
 #ifndef MIN
 # define MIN(a, b) ({ \
 	typeof(a) _a = (a); \
 	typeof(b) _b = (b); \
 	_a < _b ? _a : _b; \
 })
 #endif /* MIN */
 static int file_exist(const char *path)
 {
 	struct stat st;
 	if (!access(path, R_OK) && !stat(path, &st) && S_ISREG(st.st_mode))
 		return 1;
 	return 0;
 }
 int get_cmd_path(const char *prog_name, char *buf, size_t buf_len)
 {
 	const char *path = (const char *)getenv("PATH");
 	const char *start = path;
 	const char *end;
 	size_t size, ret;
 	if (path == NULL)
 		return -1;
 	do {
 		end = strchr(start, ':');
 		if (end != NULL)
 			snprintf(buf, MIN(buf_len, (size_t) (end - start + 1)),
 				 "%s", start);
 		else
 			snprintf(buf, buf_len, "%s", start);
 		size = strlen(buf);
 		/*
 		 * "::" inside $PATH, $PATH ending with ':' or $PATH starting
 		 * with ':' should be expanded into current working directory.
 		 */
 		if (size == 0) {
 			snprintf(buf, buf_len, ".");
 			size = strlen(buf);
 		}
 		/*
 		 * If there is no '/' ad the end of path from $PATH add it.
 		 */
 		if (buf[size - 1] != '/')
 			ret =
 			    snprintf(buf + size, buf_len - size, "/%s",
 				     prog_name);
 		else
 			ret =
 			    snprintf(buf + size, buf_len - size, "%s",
 				     prog_name);
 		if (buf_len - size > ret && file_exist(buf))
 			return 0;
 		start = end + 1;
 	} while (end != NULL);
 	return -1;
 }
 int hex_to_bin(char ch)
 {
 	if ((ch >= '0') && (ch <= '9'))
 		return ch - '0';
 	ch = tolower(ch);
 	if ((ch >= 'a') && (ch <= 'f'))
 		return ch - 'a' + 10;
 	return -1;
 }
 int hex2bin(void *dst, const char *src, size_t count)
 {
 	int hi, lo;
 	while (count--) {
 		if (*src == ' ')
 			src++;
 		hi = hex_to_bin(*src++);
 		lo = hex_to_bin(*src++);
 		if ((hi < 0) || (lo < 0))
 			return -1;
 		*(uint8_t *)dst++ = (hi << 4) | lo;
 	}
 	return 0;
 }
--- a/src/utils.h
+++ b/src/utils.h
@ -1,6 +0,0 @@
 #include <ctype.h>
 #include <sys/types.h>
 int get_cmd_path(const char *prog_name, char *buf, size_t buf_len);
 int hex_to_bin(char ch);
 int hex2bin(void *dst, const char *src, size_t count);
--- a/tests/.gitignore
+++ b/tests/.gitignore
@ -1,16 +0,0 @@
 # Generated by test driver
 *.log
 *.trs
 # Generated by tests
 *.txt
 *.out
 *.sig
 *.sig2
 # Generated certs and keys (by gen-keys.sh)
 *.cer
 *.pub
 *.key
 *.conf
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@ -1,12 +0,0 @@
 check_SCRIPTS =
 TESTS = $(check_SCRIPTS)
 check_SCRIPTS += ima_hash.test sign_verify.test boot_aggregate.test
 clean-local:
 	-rm -f *.txt *.out *.sig *.sig2
 distclean: distclean-keys
 .PHONY: distclean-keys
 distclean-keys:
 	./gen-keys.sh clean
--- a/tests/boot_aggregate.test
+++ b/tests/boot_aggregate.test
@ -1,197 +0,0 @@
 #!/bin/bash
 #
 # Calculate the boot_aggregate for each TPM bank, verifying that the
 # boot_aggregate in the IMA measurement list matches one of them.
 #
 # A software TPM may be used to verify the boot_aggregate.  If a
 # software TPM is not already running on the system, this test
 # starts one and initializes the TPM PCR banks by walking the sample
 # binary_bios_measurements event log, included in this directory, and
 # extending the TPM PCRs.  The associated ascii_runtime_measurements
 # for verifying the calculated boot_aggregate is included in this
 # directory as well.
 trap cleanup SIGINT SIGTERM EXIT
 # Base VERBOSE on the environment variable, if set.
 VERBOSE="${VERBOSE:-0}"
 cd "$(dirname "$0")"
 export PATH=../src:$PATH
 export LD_LIBRARY_PATH=$LD_LIBRARY_PATH
 . ./functions.sh
 _require evmctl
 TSSDIR="$(dirname -- "$(which tssstartup)")"
 PCRFILE="/sys/class/tpm/tpm0/device/pcrs"
 MISC_PCRFILE="/sys/class/misc/tpm0/device/pcrs"
 # Only stop this test's software TPM
 cleanup() {
 	if [ -n "${SWTPM_PID}" ]; then
 		kill -SIGTERM "${SWTPM_PID}"
 	elif [ -n "${TPMSERVER_PID}" ]; then
 		"${TSSDIR}/tsstpmcmd" -stop
 	fi
 }
 # Try to start a software TPM if needed.
 swtpm_start() {
 	local tpm_server swtpm
 	tpm_server="$(which tpm_server)"
 	swtpm="$(which swtpm)"
 	if [ -z "${tpm_server}" ] && [ -z "${swtpm}" ]; then
 		echo "${CYAN}SKIP: Software TPM (tpm_server and swtpm) not found${NORM}"
 		return "$SKIP"
 	fi
 	if [ -n "${swtpm}" ]; then
 		pgrep swtpm
 		if [ $? -eq 0 ]; then
 			echo "INFO: Software TPM (swtpm) already running"
 			return 114
 		else
 			echo "INFO: Starting software TPM: ${swtpm}"
 			mkdir -p ./myvtpm
 			${swtpm} socket --tpmstate dir=./myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init > /dev/null 2>&1 &
 			SWTPM_PID=$!
 		fi
 	elif [ -n "${tpm_server}" ]; then
 		# tpm_server uses the Microsoft simulator encapsulated packet format
 		export TPM_SERVER_TYPE="mssim"
 		pgrep tpm_server
 		if [ $? -eq 0 ]; then
 			echo "INFO: Software TPM (tpm_server) already running"
 			return 114
 		else
 			echo "INFO: Starting software TPM: ${tpm_server}"
 			${tpm_server} > /dev/null 2>&1 &
 			TPMSERVER_PID=$!
 		fi
 	fi
 	return 0
 }
 # Initialize the software TPM using the sample binary_bios_measurements log.
 swtpm_init() {
 	if [ ! -f "${TSSDIR}/tssstartup" ] || [ ! -f "${TSSDIR}/tsseventextend" ]; then
 		echo "${CYAN}SKIP: tssstartup and tsseventextend needed for test${NORM}"
 		return "$SKIP"
 	fi
 	echo "INFO: Sending software TPM startup"
 	"${TSSDIR}/tssstartup"
 	if [ $? -ne 0 ]; then
 		echo "INFO: Retry sending software TPM startup"
 		sleep 1
 		"${TSSDIR}/tssstartup"
 	fi
 	if [ $? -ne 0 ]; then
 		echo "INFO: Software TPM startup failed"
 		return "$SKIP"
 	fi
 	echo "INFO: Walking ${BINARY_BIOS_MEASUREMENTS} initializing the software TPM"
 #	$(${TSSDIR}/tsseventextend -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v) 2>&1 > /dev/null
 	"${TSSDIR}/tsseventextend" -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v > /dev/null 2>&1
 }
 # In VERBOSE mode, display the calculated TPM PCRs for the different banks.
 display_pcrs() {
 	local PCRMAX=9
 	local banks=("sha1" "sha256")
 	local i;
 	for bank in "${banks[@]}"; do
 		echo "INFO: Displaying ${bank} TPM bank (PCRs 0 - 9)"
 		for i in $(seq 0 $PCRMAX); do
 			rc=0
 			pcr=$("${TSSDIR}/tsspcrread" -halg "${bank}" -ha "${i}" -ns)
 			if [ $rc -ne 0 ]; then
 				echo "INFO: tsspcrread failed: $pcr"
 				break
 			fi
 			echo "$i: $pcr"
 		done
 	done
 }
 # The first entry in the IMA measurement list is the "boot_aggregate".
 # For each kexec, an additional "boot_aggregate" will appear in the
 # measurement list, assuming the previous measurement list is carried
 # across the kexec.
 #
 # Verify that the last "boot_aggregate" record in the IMA measurement
 # list matches.
 check() {
 	echo "INFO: Calculating the boot_aggregate (PCRs 0 - 9) for multiple banks"
 	bootaggr=$(evmctl ima_boot_aggregate)
 	if [ $? -ne 0 ]; then
 		echo "${CYAN}SKIP: evmctl ima_boot_aggregate: $bootaggr${NORM}"
 		exit "$SKIP"
 	fi
 	boot_aggr=( $bootaggr )
 	echo "INFO: Searching for the boot_aggregate in ${ASCII_RUNTIME_MEASUREMENTS}"
 	for hash in "${boot_aggr[@]}"; do
 		if [ "$VERBOSE" != "0" ]; then
 			echo "$hash"
 		fi
 		if grep -e " boot_aggregate$" -e " boot_aggregate.$" "${ASCII_RUNTIME_MEASUREMENTS}" | tail -n 1 | grep -q "${hash}"; then
 			echo "${GREEN}SUCCESS: boot_aggregate ${hash} found${NORM}"
 			return "$OK"
 		fi
 	done
 	echo "${RED}FAILURE: boot_aggregate not found${NORM}"
 	echo "$bootaggr"
 	return "$FAIL"
 }
 if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]; then
 	ASCII_RUNTIME_MEASUREMENTS="/sys/kernel/security/ima/ascii_runtime_measurements"
 	if [ ! -d "/sys/kernel/security/ima" ]; then
 		echo "${CYAN}SKIP: CONFIG_IMA not enabled${NORM}"
 		exit "$SKIP"
 	fi
 else
 	BINARY_BIOS_MEASUREMENTS="./sample-binary_bios_measurements-pcrs-8-9"
 	ASCII_RUNTIME_MEASUREMENTS="./sample-ascii_runtime_measurements-pcrs-8-9"
 	export TPM_INTERFACE_TYPE="socsim"
 	export TPM_COMMAND_PORT=2321
 	export TPM_PLATFORM_PORT=2322
 	export TPM_SERVER_NAME="localhost"
 	# swtpm uses the raw, unencapsulated packet format
 	export TPM_SERVER_TYPE="raw"
 fi
 # Start and initialize a software TPM as needed
 if [ "$(id -u)" != 0 ] || [ ! -c "/dev/tpm0" ]; then
 	if [ -f "$PCRFILE" ] || [ -f "$MISC_PCRFILE" ]; then
 		echo "${CYAN}SKIP: system has discrete TPM 1.2, sample TPM 2.0 event log test not supported.${NORM}"
 		exit "$SKIP"
 	fi
 	swtpm_start
 	error=$?
 	if [ $error -eq "$SKIP" ]; then
 		echo "skip: swtpm not installed"
 		exit "$SKIP"
 	fi
 	if [ $error -eq 0 ]; then
 		swtpm_init
 		if [ $? -eq "$SKIP" ]; then
 			echo "testing boot_aggregate without entries"
 			exit "$SKIP"
 		fi
 	fi
 	if [ "$VERBOSE" != "0" ]; then
 		display_pcrs
 	fi
 fi
 expect_pass check
--- a/tests/functions.sh
+++ b/tests/functions.sh
@ -1,274 +0,0 @@
 #!/bin/bash
 # SPDX-License-Identifier: GPL-2.0
 #
 # ima-evm-utils tests bash functions
 #
 # Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2, or (at your option)
 # any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 # Tests accounting
 declare -i testspass=0 testsfail=0 testsskip=0
 # Exit codes (compatible with automake)
 declare -r OK=0
 declare -r FAIL=1
 declare -r HARDFAIL=99 # hard failure no matter testing mode
 declare -r SKIP=77
 # You can set env VERBOSE=1 to see more output from evmctl
 VERBOSE=${VERBOSE:-0}
 V=vvvv
 V=${V:0:$VERBOSE}
 V=${V:+-$V}
 # Exit if env FAILEARLY is defined.
 # Used in expect_{pass,fail}.
 exit_early() {
  if [ "$FAILEARLY" ]; then
    exit "$1"
  fi
 }
 # Require particular executables to be present
 _require() {
  ret=
  for i; do
    if ! type $i; then
      echo "$i is required for test"
      ret=1
    fi
  done
  [ $ret ] && exit "$HARDFAIL"
 }
 # Non-TTY output is never colored
 if [ -t 1 ]; then
     RED=$'\e[1;31m'
   GREEN=$'\e[1;32m'
  YELLOW=$'\e[1;33m'
    BLUE=$'\e[1;34m'
    CYAN=$'\e[1;36m'
    NORM=$'\e[m'
  export RED GREEN YELLOW BLUE CYAN NORM
 fi
 # Test mode determined by TFAIL variable:
 #   undefined: to success testing
 #   defined: failure testing
 TFAIL=
 TMODE=+ # mode character to prepend running command in log
 declare -i TNESTED=0 # just for sanity checking
 # Run positive test (one that should pass) and account its result
 expect_pass() {
  local -i ret
  if [ $TNESTED -gt 0 ]; then
    echo $RED"expect_pass should not be run nested"$NORM
    testsfail+=1
    exit "$HARDFAIL"
  fi
  TFAIL=
  TMODE=+
  TNESTED+=1
  [ "$VERBOSE" -gt 1 ] && echo "____ START positive test: $*"
  "$@"
  ret=$?
  [ "$VERBOSE" -gt 1 ] && echo "^^^^ STOP ($ret) positive test: $*"
  TNESTED+=-1
  case $ret in
    0)  testspass+=1 ;;
    77) testsskip+=1 ;;
    99) testsfail+=1; exit_early 1 ;;
    *)  testsfail+=1; exit_early 2 ;;
  esac
  return $ret
 }
 # Eval negative test (one that should fail) and account its result
 expect_fail() {
  local ret
  if [ $TNESTED -gt 0 ]; then
    echo $RED"expect_fail should not be run nested"$NORM
    testsfail+=1
    exit "$HARDFAIL"
  fi
  TFAIL=yes
  TMODE=-
  TNESTED+=1
  [ "$VERBOSE" -gt 1 ] && echo "____ START negative test: $*"
  "$@"
  ret=$?
  [ "$VERBOSE" -gt 1 ] && echo "^^^^ STOP ($ret) negative test: $*"
  TNESTED+=-1
  case $ret in
    0)  testsfail+=1; exit_early 3 ;;
    77) testsskip+=1 ;;
    99) testsfail+=1; exit_early 4 ;;
    *)  testspass+=1 ;;
  esac
  # Restore defaults (as in positive tests)
  # for tests to run without wrappers
  TFAIL=
  TMODE=+
  return $ret
 }
 # return true if current test is positive
 _test_expected_to_pass() {
  [ ! $TFAIL ]
 }
 # return true if current test is negative
 _test_expected_to_fail() {
  [ $TFAIL ]
 }
 # Show blank line and color following text to red
 # if it's real error (ie we are in expect_pass mode).
 color_red_on_failure() {
  if _test_expected_to_pass; then
    echo "$RED"
    COLOR_RESTORE=true
  fi
 }
 # For hard errors
 color_red() {
  echo "$RED"
  COLOR_RESTORE=true
 }
 color_restore() {
  [ $COLOR_RESTORE ] && echo "$NORM"
  COLOR_RESTORE=
 }
 ADD_DEL=
 ADD_TEXT_FOR=
 # _evmctl_run should be run as `_evmctl_run ... || return'
 _evmctl_run() {
  local op=$1 out=$1-$$.out
  local text_for=${FOR:+for $ADD_TEXT_FOR}
  # Additional parameters:
  # ADD_DEL: additional files to rm on failure
  # ADD_TEXT_FOR: append to text as 'for $ADD_TEXT_FOR'
  cmd="evmctl $V $EVMCTL_ENGINE $*"
  echo $YELLOW$TMODE "$cmd"$NORM
  $cmd >"$out" 2>&1
  ret=$?
  # Shell special and signal exit codes (except 255)
  if [ $ret -ge 126 ] && [ $ret -lt 255 ]; then
    color_red
    echo "evmctl $op failed hard with ($ret) $text_for"
    sed 's/^/  /' "$out"
    color_restore
    rm "$out" $ADD_DEL
    ADD_DEL=
    ADD_TEXT_FOR=
    return "$HARDFAIL"
  elif [ $ret -gt 0 ]; then
    color_red_on_failure
    echo "evmctl $op failed" ${TFAIL:+properly} "with ($ret) $text_for"
    # Show evmctl output only in verbose mode or if real failure.
    if _test_expected_to_pass || [ "$VERBOSE" ]; then
      sed 's/^/  /' "$out"
    fi
    color_restore
    rm "$out" $ADD_DEL
    ADD_DEL=
    ADD_TEXT_FOR=
    return "$FAIL"
  elif _test_expected_to_fail; then
    color_red
    echo "evmctl $op wrongly succeeded $text_for"
    sed 's/^/  /' "$out"
    color_restore
  else
    [ "$VERBOSE" ] && sed 's/^/  /' "$out"
  fi
  rm "$out"
  ADD_DEL=
  ADD_TEXT_FOR=
  return "$OK"
 }
 # Extract xattr $attr from $file into $out file skipping $pref'ix
 _extract_xattr() {
  local file=$1 attr=$2 out=$3 pref=$4
  getfattr -n "$attr" -e hex "$file" \
    | grep "^$attr=" \
    | sed "s/^$attr=$pref//" \
    | xxd -r -p > "$out"
 }
 # Test if xattr $attr in $file matches $prefix
 # Show error and fail otherwise.
 _test_xattr() {
  local file=$1 attr=$2 prefix=$3
  local text_for=${ADD_TEXT_FOR:+ for $ADD_TEXT_FOR}
  if ! getfattr -n "$attr" -e hex "$file" | egrep -qx "$attr=$prefix"; then
    color_red_on_failure
    echo "Did not find expected hash$text_for:"
    echo "    $attr=$prefix"
    echo ""
    echo "Actual output below:"
    getfattr -n "$attr" -e hex "$file" | sed 's/^/    /'
    color_restore
    rm "$file"
    ADD_TEXT_FOR=
    return "$FAIL"
  fi
  ADD_TEXT_FOR=
 }
 # Try to enable gost-engine if needed.
 _enable_gost_engine() {
  # Do not enable if it's already working (enabled by user)
  if ! openssl md_gost12_256 /dev/null >/dev/null 2>&1 \
    && openssl engine gost >/dev/null 2>&1; then
    export EVMCTL_ENGINE="--engine gost"
    export OPENSSL_ENGINE="-engine gost"
  fi
 }
 # Show test stats and exit into automake test system
 # with proper exit code (same as ours).
 _report_exit() {
  if [ $testsfail -gt 0 ]; then
    echo "================================="
    echo " Run with FAILEARLY=1 $0 $*"
    echo " To stop after first failure"
    echo "================================="
  fi
  [ $testspass -gt 0 ] && echo -n "$GREEN" || echo -n "$NORM"
  echo -n "PASS: $testspass"
  [ $testsskip -gt 0 ] && echo -n "$YELLOW" || echo -n "$NORM"
  echo -n " SKIP: $testsskip"
  [ $testsfail -gt 0 ] && echo -n "$RED" || echo -n "$NORM"
  echo " FAIL: $testsfail"
  echo "$NORM"
  if [ $testsfail -gt 0 ]; then
    exit "$FAIL"
  elif [ $testspass -gt 0 ]; then
    exit "$OK"
  else
    exit "$SKIP"
  fi
 }
--- a/tests/gen-keys.sh
+++ b/tests/gen-keys.sh
@ -1,97 +0,0 @@
 #!/bin/bash
 # SPDX-License-Identifier: GPL-2.0
 #
 # Generate keys for the tests
 #
 # Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2, or (at your option)
 # any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 cd "$(dirname "$0")" || exit 1
 PATH=../src:$PATH
 type openssl
 log() {
  echo - "$*"
  eval "$@"
 }
 if [ "$1" = clean ]; then
  rm -f test-ca.conf
 elif [ "$1" = force ] || [ ! -e test-ca.conf ]; then
 cat > test-ca.conf <<- EOF
 	[ req ]
 	distinguished_name = req_distinguished_name
 	prompt = no
 	string_mask = utf8only
 	x509_extensions = v3_ca
 	[ req_distinguished_name ]
 	O = IMA-CA
 	CN = IMA/EVM certificate signing key
 	emailAddress = ca@ima-ca
 	[ v3_ca ]
 	basicConstraints=CA:TRUE
 	subjectKeyIdentifier=hash
 	authorityKeyIdentifier=keyid:always,issuer
 EOF
 fi
 # RSA
 # Second key will be used for wrong key tests.
 for m in 1024 2048; do
  if [ "$1" = clean ] || [ "$1" = force ]; then
    rm -f test-rsa$m.cer test-rsa$m.key test-rsa$m.pub
  fi
  if [ "$1" = clean ]; then
    continue
  fi
  if [ ! -e test-rsa$m.key ]; then
    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
      -config test-ca.conf \
      -newkey rsa:$m \
      -out test-rsa$m.cer -outform DER \
      -keyout test-rsa$m.key
    # for v1 signatures
    log openssl pkey -in test-rsa$m.key -out test-rsa$m.pub -pubout
  fi
 done
 # EC-RDSA
 for m in \
  gost2012_256:A \
  gost2012_256:B \
  gost2012_256:C \
  gost2012_512:A \
  gost2012_512:B; do
    IFS=':' read -r algo param <<< "$m"
    if [ "$1" = clean ] || [ "$1" = force ]; then
      rm -f "test-$algo-$param.key" "test-$algo-$param.cer" "test-$algo-$param.pub"
    fi
    if [ "$1" = clean ]; then
      continue
    fi
    [ -e "test-$algo-$param.key" ] && continue
    log openssl req -nodes -x509 -utf8 -days 10000 -batch \
      -config test-ca.conf \
      -newkey "$algo" \
      -pkeyopt "paramset:$param" \
      -out    "test-$algo-$param.cer" -outform DER \
      -keyout "test-$algo-$param.key"
    if [ -s "test-$algo-$param.key" ]; then
      log openssl pkey -in "test-$algo-$param.key" -out "test-$algo-$param.pub" -pubout
    fi
 done
 # This script leaves test-ca.conf, *.cer, *.pub, *.key files for sing/verify tests.
 # They are never deleted except by `make distclean'.
--- a/tests/ima_hash.test
+++ b/tests/ima_hash.test
@ -1,80 +0,0 @@
 #!/bin/bash
 # SPDX-License-Identifier: GPL-2.0
 #
 # evmctl ima_hash tests
 #
 # Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2, or (at your option)
 # any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 cd "$(dirname "$0")" || exit 1
 PATH=../src:$PATH
 source ./functions.sh
 _require evmctl openssl getfattr
 trap _report_exit EXIT
 set -f # disable globbing
 check() {
  local alg=$1 prefix=$2 chash=$3 hash
  local file=$alg-hash.txt
  rm -f "$file"
  touch "$file"
  # Generate hash with openssl, if it failed skip test,
  # unless it's negative test, then pass to evmctl
  cmd="openssl dgst $OPENSSL_ENGINE -$alg $file"
  echo - "$cmd"
  hash=$(set -o pipefail; $cmd 2>/dev/null | cut -d' ' -f2)
  if [ $? -ne 0 ] && _test_expected_to_pass; then
    echo "${CYAN}$alg test is skipped$NORM"
    rm "$file"
    return "$SKIP"
  fi
  if [ "$chash" ] && [ "$chash" != "$hash" ]; then
    color_red
    echo "Invalid hash for $alg from openssl"
    echo "Expected: $chash"
    echo "Returned: $hash"
    color_restore
    rm "$file"
    return "$HARDFAIL"
  fi
  ADD_TEXT_FOR=$alg ADD_DEL=$file \
    _evmctl_run ima_hash --hashalgo "$alg" --xattr-user "$file" || return
  ADD_TEXT_FOR=$alg \
    _test_xattr "$file" user.ima "$prefix$hash" || return
  rm "$file"
  return "$OK"
 }
 # check args: algo hdr-prefix canonic-hash
 expect_pass check  md4        0x01 31d6cfe0d16ae931b73c59d7e0c089c0
 expect_pass check  md5        0x01 d41d8cd98f00b204e9800998ecf8427e
 expect_pass check  sha1       0x01 da39a3ee5e6b4b0d3255bfef95601890afd80709
 expect_fail check  SHA1       0x01 # uppercase
 expect_fail check  sha512-224 0x01 # valid for pkcs1
 expect_fail check  sha512-256 0x01 # valid for pkcs1
 expect_fail check  unknown    0x01 # nonexistent
 expect_pass check  sha224     0x0407 d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f
 expect_pass check  sha256     0x0404 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 expect_pass check  sha384     0x0405 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b
 expect_pass check  sha512     0x0406 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
 expect_pass check  rmd160     0x0403 9c1185a5c5e9fc54612808977ee8f548b2258d31
 expect_fail check  sm3        0x01
 expect_fail check  sm3-256    0x01
 _enable_gost_engine
 expect_pass check  md_gost12_256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
 expect_pass check  streebog256   0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
 expect_pass check  md_gost12_512 0x0413 8e945da209aa869f0455928529bcae4679e9873ab707b55315f56ceb98bef0a7362f715528356ee83cda5f2aac4c6ad2ba3a715c1bcd81cb8e9f90bf4c1c1a8a
 expect_pass check  streebog512   0x0413 8e945da209aa869f0455928529bcae4679e9873ab707b55315f56ceb98bef0a7362f715528356ee83cda5f2aac4c6ad2ba3a715c1bcd81cb8e9f90bf4c1c1a8a
--- a/tests/install-swtpm.sh
+++ b/tests/install-swtpm.sh
@ -1,13 +0,0 @@
 #!/bin/sh
 set -ex
 version=1637
 wget --no-check-certificate https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${version}.tar.gz/download
 mkdir ibmtpm$version
 cd ibmtpm$version
 tar -xvzf ../download
 cd src
 make -j$(nproc)
 sudo cp tpm_server /usr/local/bin/
 cd ../..
--- a/tests/install-tss.sh
+++ b/tests/install-tss.sh
@ -1,8 +0,0 @@
 #!/bin/sh
 set -ex
 git clone https://git.code.sf.net/p/ibmtpm20tss/tss
 cd tss
 autoreconf -i && ./configure --disable-tpm-1.2 --disable-hwtpm && make -j$(nproc) && sudo make install
 cd ..
 rm -rf tss
--- a/tests/sample-ascii_runtime_measurements-pcrs-8-9
+++ b/tests/sample-ascii_runtime_measurements-pcrs-8-9
@ -1 +0,0 @@
 10 2e03b3fdb0014fc8bae2a07ca33ae67125b290f3 ima-ng sha256:83d19723ef3b3c05bb8ae70d86b3886c158f2408f1b71ed265886a7b79eb700e boot_aggregate
--- a/tests/sample-binary_bios_measurements-pcrs-8-9
+++ b/tests/sample-binary_bios_measurements-pcrs-8-9
--- a/tests/sample-tpm-2.0-pcrs-8-9
+++ b/tests/sample-tpm-2.0-pcrs-8-9
@ -1,25 +0,0 @@
 pcrread: tsspcrread -halg sha1
 0: 92c1850372e9493929aa9a2e9ea953e21ff1be45
 1: 41c54039ca2750ea60d8ab7c48b142b10aba5667
 2: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
 3: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
 4: 4c1a19aad90f770956ff5ee00334a2d548b1a350
 5: a1444a8a9904666165730168b3ae489447d3cef7
 6: b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
 7: 5c6327a67ff36f138e0b7bb1d2eafbf8a6e52ebf
 8: fed489d2e5f9f85136e5ff53553d5f8b978dbe1a
 9: a2fa191f2622bb014702013bfebfca9fe210d9e5
 10: 3134641a3e8a1f5f75fa850bb21c3104d6ab863b
 11: 0000000000000000000000000000000000000000
 12: 0000000000000000000000000000000000000000
 13: 0000000000000000000000000000000000000000
 14: 71161a5707051fa7d6f584d812240b2e80f61942
 15: 0000000000000000000000000000000000000000
 16: 0000000000000000000000000000000000000000
 17: ffffffffffffffffffffffffffffffffffffffff
 18: ffffffffffffffffffffffffffffffffffffffff
 19: ffffffffffffffffffffffffffffffffffffffff
 20: ffffffffffffffffffffffffffffffffffffffff
 21: ffffffffffffffffffffffffffffffffffffffff
 22: ffffffffffffffffffffffffffffffffffffffff
 23: 0000000000000000000000000000000000000000
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@ -1,381 +0,0 @@
 #!/bin/bash
 # SPDX-License-Identifier: GPL-2.0
 #
 # evmctl {,ima_}{sign,verify} tests
 #
 # Copyright (C) 2020 Vitaly Chikunov <vt@altlinux.org>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2, or (at your option)
 # any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 cd "$(dirname "$0")" || exit 1
 PATH=../src:$PATH
 source ./functions.sh
 _require cmp evmctl getfattr openssl xxd
 if cmp -b 2>&1 | grep -q "invalid option"; then
 	echo "cmp does not support -b (cmp from busybox?) Use cmp from diffutils"
 	exit "$HARDFAIL"
 fi
 ./gen-keys.sh >/dev/null 2>&1
 trap _report_exit EXIT
 set -f # disable globbing
 # Determine keyid from a cert
 _keyid_from_cert() {
  local cer=${1%.*}.cer cmd
  local tmp
  cer=test-${cer#test-}
  # shellcheck disable=SC2086
  cmd="openssl x509 $OPENSSL_ENGINE \
          -in $cer -inform DER -pubkey -noout"
  id=$($cmd 2>/dev/null \
    | openssl asn1parse \
    | grep BIT.STRING \
    | cut -d: -f1)
  if [ -z "$id" ]; then
    echo - "$cmd" >&2
    echo "Cannot asn1parse $cer to determine keyid" >&2
    exit 1
  fi
  tmp=$(mktemp)
  # shellcheck disable=SC2086
  openssl x509 $OPENSSL_ENGINE \
      -in "$cer" -inform DER -pubkey -noout 2>/dev/null \
    | openssl asn1parse -strparse "$id" -out "$tmp" -noout
  # shellcheck disable=SC2002
  cat "$tmp" \
    | openssl dgst -c -sha1 \
    | cut -d' ' -f2 \
    | grep -o ":..:..:..:..$" \
    | tr -d :
  rm -f "$tmp"
 }
 # Convert test $type into evmctl op prefix
 _op() {
  if [ "$1" = ima ]; then
    echo ima_
  fi
 }
 # Convert test $type into xattr name
 _xattr() {
  if [ "$1" = ima ]; then
    echo user.ima
  else
    echo user.evm
  fi
 }
 # Check that detached signature matches xattr signature
 _test_sigfile() {
  local file=$1 attr=$2 file_sig=$3 file_sig2=$4
  if [ ! -e "$file_sig" ]; then
    color_red
    echo "evmctl ima_sign: no detached signature $file_sig"
    color_restore
    rm "$file"
    return "$FAIL"
  fi
  _extract_xattr "$file" "$attr" "$file_sig2"
  if ! cmp -bl "$file_sig" "$file_sig2"; then
    color_red
    echo "evmctl ima_sign: xattr signature on $file differ from detached $file_sig"
    color_restore
    rm "$file" "$file_sig" "$file_sig2"
    return "$FAIL"
  fi
  # Leave '$file_sig' for ima_verify --sigfile test.
  rm "$file_sig2"
 }
 # Run single sign command
 _evmctl_sign() {
  local type=$1 key=$2 alg=$3 file=$4 opts=$5
  # Can check --sigfile for ima_sign
  [ "$type" = ima ] && opts+=" --sigfile"
  # shellcheck disable=SC2086
  ADD_TEXT_FOR="$alg ($key)" ADD_DEL=$file \
    _evmctl_run "$(_op "$type")sign" $opts \
    --hashalgo "$alg" --key "$key" --xattr-user "$file" || return
  if [ "$type" = ima ]; then
    _test_sigfile "$file" "$(_xattr "$type")" "$file.sig" "$file.sig2"
  fi
 }
 # Run and test {ima_,}sign operation
 check_sign() {
  # Arguments are passed via global vars:
  # TYPE (ima or evm),
  # KEY,
  # ALG (hash algo),
  # PREFIX (signature header prefix in hex),
  # OPTS (additional options for evmctl),
  # FILE (working file to sign).
  local "$@"
  local KEY=${KEY%.*}.key
  local FILE=${FILE:-$ALG.txt}
  # Normalize key filename
  KEY=test-${KEY#test-}
  # Append suffix to files for negative tests, because we may
  # leave only good files for verify tests.
  _test_expected_to_fail && FILE+='~'
  rm -f $FILE
  if ! touch $FILE; then
    color_red
    echo "Can't create test file: $FILE"
    color_restore
    return "$HARDFAIL"
  fi
  if _test_expected_to_pass; then
    # Can openssl work with this digest?
    cmd="openssl dgst $OPENSSL_ENGINE -$ALG $FILE"
    echo - "$cmd"
    if ! $cmd >/dev/null; then
      echo "${CYAN}$ALG ($KEY) test is skipped (openssl is unable to digest)$NORM"
      return "$SKIP"
    fi
    if [ ! -e "$KEY" ]; then
      echo "${CYAN}$ALG ($KEY) test is skipped (key file not found)$NORM"
      return "$SKIP"
    fi
    # Can openssl sign with this digest and key?
    cmd="openssl dgst $OPENSSL_ENGINE -$ALG -sign $KEY -hex $FILE"
    echo - "$cmd"
    if ! $cmd >/dev/null; then
      echo "${CYAN}$ALG ($KEY) test is skipped (openssl is unable to sign)$NORM"
      return "$SKIP"
    fi
  fi
  # Insert keyid from cert into PREFIX in-place of marker `:K:'
  if [[ $PREFIX =~ :K: ]]; then
    keyid=$(_keyid_from_cert "$KEY")
    if [ $? -ne 0 ]; then
      color_red
      echo "Unable to determine keyid for $KEY"
      color_restore
      return "$HARDFAIL"
    fi
    [ "$VERBOSE" -gt 2 ] && echo "  Expected keyid: $keyid"
    PREFIX=${PREFIX/:K:/$keyid}
  fi
  # Perform signing by evmctl
  _evmctl_sign "$TYPE" "$KEY" "$ALG" "$FILE" "$OPTS" || return
  # First simple pattern match the signature.
  ADD_TEXT_FOR=$ALG \
    _test_xattr "$FILE" "$(_xattr "$TYPE")" "$PREFIX.*" || return
  # This is all we can do for v1 signatures.
  [[ "$OPTS" =~ --rsa ]] && return "$OK"
  # This is all we can do for evm.
  [[ "$TYPE" =~ evm ]] && return "$OK"
  # Extract signature to a file
  _extract_xattr "$FILE" "$(_xattr "$TYPE")" "$FILE.sig2" "$PREFIX"
  # Verify extracted signature with openssl
  cmd="openssl dgst $OPENSSL_ENGINE -$ALG -verify ${KEY%.*}.pub \
 	-signature $FILE.sig2 $FILE"
  echo - "$cmd"
  if ! $cmd; then
    color_red_on_failure
    echo "Signature v2 verification with openssl is failed."
    color_restore
    rm "$FILE.sig2"
    return "$FAIL"
  fi
  rm "$FILE.sig2"
  return "$OK"
 }
 # Test verify operation
 check_verify() {
  # Arguments are passed via global vars:
  # TYPE (ima or evm),
  # KEY,
  # ALG (hash algo),
  # OPTS (additional options for evmctl),
  # FILE (filename to verify).
  local "$@"
  # shellcheck disable=SC2086
  if ! openssl dgst $OPENSSL_ENGINE -"$ALG" /dev/null >/dev/null 2>&1; then
    echo $CYAN"$ALG ($KEY) test is skipped (openssl does not support $ALG)"$NORM
    return $SKIP
  fi
  # shellcheck disable=SC2086
  ADD_TEXT_FOR="$FILE ($KEY)" \
    _evmctl_run "$(_op "$TYPE")verify" --key "$KEY" --xattr-user $OPTS "$FILE"
 }
 # Test runners
 # Perform sign and verify ima and evm testing
 sign_verify() {
  local key=$1 alg=$2 prefix="$3" opts="$4"
  local file=$alg.txt
  # Set defaults:
  # Public key is different for v1 and v2 (where x509 cert is used).
  if [[ $opts =~ --rsa ]]; then
    KEY=test-$key.pub
  else
    KEY=test-$key.cer
  fi
  ALG=$alg
  PREFIX=$prefix
  OPTS=$opts
  FILE=$file
  TYPE=ima
  if expect_pass check_sign; then
    # Normal verify with proper key should pass
    expect_pass check_verify
    expect_pass check_verify OPTS="--sigfile"
    # Multiple files and some don't verify
    expect_fail check_verify FILE="/dev/null $file"
    rm "$FILE.sig"
  fi
  TYPE=evm
  # Avoid running blkid for evm tests which may require root
  # No generation on overlayfs:
  # ioctl(3, FS_IOC_GETVERSION, 0x7ffd8e0bd628) = -1 ENOTTY (Inappropriate ioctl for device)
  OPTS="$opts --uuid --generation 0"
  if expect_pass check_sign; then
    # Normal verify with proper key
    expect_pass check_verify
    # Verify with wrong key
    expect_fail check_verify KEY=rsa2048
  fi
  # Note: Leaving TYPE=evm and file is evm signed
 }
 # Test --keys
 try_different_keys() {
  # This run after sign_verify which leaves
  # TYPE=evm and file is evm signed
  # v2 signing can work with multiple keys in --key option
  if [[ ! $OPTS =~ --rsa ]]; then
    # Have correct key in the key list
    expect_pass check_verify KEY="test-rsa2048.cer,$KEY"
    expect_pass check_verify KEY="/dev/null,$KEY,"
  fi
  # Try key that is not used for signing
  expect_fail check_verify KEY=rsa2048
  # Try completely wrong key files
  expect_fail check_verify KEY=/dev/null
  expect_fail check_verify KEY=/dev/zero
 }
 try_different_sigs() {
  # TYPE=evm and file is evm signed
  # Test --imasig
  if expect_pass check_sign OPTS="$OPTS --imasig"; then
    # Verify both evm and ima sigs
    expect_pass check_verify
    expect_pass check_verify TYPE=ima
  fi
  # Test --imahash
  if expect_pass check_sign OPTS="$OPTS --imahash"; then
    expect_pass check_verify
    # IMA hash is not verifiable by ima_verify
    expect_fail check_verify TYPE=ima
  fi
  # Test --portable
  expect_pass check_sign OPTS="$OPTS --portable" PREFIX=0x05
  # Cannot be verified for now, until that support is added to evmctl
  # Test -i (immutable)
  expect_pass check_sign OPTS="$OPTS -i" PREFIX=0x0303
  # Cannot be verified for now
 }
 # Single test args: type key hash signature-prefix "evmctl-options"
 # sign_verify args:      key hash signature-prefix "evmctl-options"
 # Only single test can be prefixed with expect_{fail,pass}
 # `sign_verify' can not be prefixed with expect_{fail,pass} because
 # it runs multiple tests inside. See more tests there.
 # signature-prefix can contain `:K:' which will be resolved to keyid (v2 only)
 ## Test v1 signatures
 # Signature v1 only supports sha1 and sha256 so any other should fail
 expect_fail \
  check_sign TYPE=ima KEY=rsa1024 ALG=md5 PREFIX=0x0301 OPTS=--rsa
 sign_verify  rsa1024  sha1    0x0301 --rsa
 sign_verify  rsa1024  sha256  0x0301 --rsa
  try_different_keys
  try_different_sigs
 ## Test v2 signatures with RSA PKCS#1
 # List of allowed hashes much greater but not all are supported.
 sign_verify  rsa1024  md5     0x030201:K:0080
 sign_verify  rsa1024  sha1    0x030202:K:0080
 sign_verify  rsa1024  sha224  0x030207:K:0080
 sign_verify  rsa1024  sha256  0x030204:K:0080
  try_different_keys
  try_different_sigs
 sign_verify  rsa1024  sha384  0x030205:K:0080
 sign_verify  rsa1024  sha512  0x030206:K:0080
 sign_verify  rsa1024  rmd160  0x030203:K:0080
 # Test v2 signatures with EC-RDSA
 _enable_gost_engine
 sign_verify  gost2012_256-A md_gost12_256 0x030212:K:0040
 sign_verify  gost2012_256-B md_gost12_256 0x030212:K:0040
 sign_verify  gost2012_256-C md_gost12_256 0x030212:K:0040
 sign_verify  gost2012_512-A md_gost12_512 0x030213:K:0080
 sign_verify  gost2012_512-B md_gost12_512 0x030213:K:0080
 # Test if signing with wrong key length does not work.
 expect_fail \
  check_sign TYPE=ima KEY=gost2012_512-B ALG=md_gost12_256 PREFIX=0x0302 OPTS=
 expect_fail \
  check_sign TYPE=ima KEY=gost2012_256-B ALG=md_gost12_512 PREFIX=0x0302 OPTS=
--- a/tests/test_ascii_runtime_measurements
+++ b/tests/test_ascii_runtime_measurements
@ -1,3 +0,0 @@
 10 cf41b43c4031672fcc2bd358b309ad33b977424f ima-ng sha256:f1b4c7c9b27e94569f4c2b64051c452bc609c3cb891dd7fae06b758f8bc83d14 boot_aggregate
 10 983dcd8e6f7c84a1a5f10e762d1850623966ceab ima-ng sha256:ae06e032a65fed8102aff5f8f31c678dcf2eb25b826f77ecb699faa0411f89e0 /init
 10 b6e4d01c73f6e4b698eaf48e7d76a2bae0c02514 ima-ng sha256:4b1764ee112aa8b2a6ae9a3a2f1e272b6601681f610708497673cd49e5bd2f5c /bin/sh
--- a/tests/test_binary_bios_measurements
+++ b/tests/test_binary_bios_measurements
--- a/travis/alpine.sh
+++ b/travis/alpine.sh
@ -1,50 +0,0 @@
 #!/bin/sh
 # Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
 set -ex
 if [ -z "$CC" ]; then
 	echo "missing \$CC!" >&2
 	exit 1
 fi
 case "$TSS" in
 ibmtss) echo "No IBM TSS package, will be installed from git" >&2; TSS=;;
 tpm2-tss) TSS="tpm2-tss-dev";;
 '') echo "Missing TSS!" >&2; exit 1;;
 *) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
 esac
 # ibmswtpm2 requires gcc
 [ "$CC" = "gcc" ] || CC="gcc $CC"
 apk update
 apk add \
 	$CC $TSS \
 	asciidoc \
 	attr \
 	attr-dev \
 	autoconf \
 	automake \
 	diffutils \
 	docbook-xml \
 	docbook-xsl \
 	keyutils-dev \
 	libtool \
 	libxslt \
 	linux-headers \
 	make \
 	musl-dev \
 	openssl \
 	openssl-dev \
 	pkgconfig \
 	procps \
 	sudo \
 	wget \
 	which \
 	xxd
 if [ ! "$TSS" ]; then
 	apk add git
 	../tests/install-tss.sh
 fi
--- a/travis/centos.sh
+++ b/travis/centos.sh
@ -1 +0,0 @@
 fedora.sh
--- a/travis/debian.cross-compile.sh
+++ b/travis/debian.cross-compile.sh
@ -1,23 +0,0 @@
 #!/bin/sh
 # Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
 set -ex
 if [ -z "$ARCH" ]; then
 	echo "missing \$ARCH!" >&2
 	exit 1
 fi
 case "$ARCH" in
 arm64) gcc_arch="aarch64";;
 ppc64el) gcc_arch="powerpc64le";;
 s390x) gcc_arch="$ARCH";;
 *) echo "unsupported arch: '$ARCH'!" >&2; exit 1;;
 esac
 dpkg --add-architecture $ARCH
 apt update
 apt install -y --no-install-recommends \
 	dpkg-dev \
 	gcc-${gcc_arch}-linux-gnu \
 	libc6-dev-${ARCH}-cross
--- a/travis/debian.i386.sh
+++ b/travis/debian.i386.sh
@ -1,11 +0,0 @@
 #!/bin/sh
 # Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
 set -ex
 dpkg --add-architecture i386
 apt update
 apt install -y --no-install-recommends \
 	linux-libc-dev:i386 \
 	gcc-multilib \
 	pkg-config:i386
--- a/travis/debian.sh
+++ b/travis/debian.sh
@ -1,54 +0,0 @@
 #!/bin/sh
 # Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
 set -ex
 if [ -z "$CC" ]; then
 	echo "missing \$CC!" >&2
 	exit 1
 fi
 # debian.*.sh must be run first
 if [ "$ARCH" ]; then
 	ARCH=":$ARCH"
 	unset CC
 else
 	apt update
 fi
 # ibmswtpm2 requires gcc
 [ "$CC" = "gcc" ] || CC="gcc $CC"
 case "$TSS" in
 ibmtss) TSS="libtss-dev";;
 tpm2-tss) TSS="libtss2-dev";;
 '') echo "Missing TSS!" >&2; exit 1;;
 *) [ "$TSS" ] && echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
 esac
 apt="apt install -y --no-install-recommends"
 $apt \
 	$CC $TSS \
 	asciidoc \
 	attr \
 	autoconf \
 	automake \
 	diffutils \
 	debianutils \
 	docbook-xml \
 	docbook-xsl \
 	gzip \
 	libattr1-dev$ARCH \
 	libkeyutils-dev$ARCH \
 	libssl-dev$ARCH \
 	libtool \
 	make \
 	openssl \
 	pkg-config \
 	procps \
 	sudo \
 	wget \
 	xsltproc \
 $apt xxd || $apt vim-common
 $apt libengine-gost-openssl1.1$ARCH || true
--- a/travis/fedora.sh
+++ b/travis/fedora.sh
@ -1,44 +0,0 @@
 #!/bin/sh
 # Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
 set -e
 if [ -z "$CC" ]; then
 	echo "missing \$CC!" >&2
 	exit 1
 fi
 case "$TSS" in
 ibmtss) TSS="tss2-devel";;
 tpm2-tss) TSS="tpm2-tss-devel";;
 '') echo "Missing TSS!" >&2; exit 1;;
 *) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
 esac
 # ibmswtpm2 requires gcc
 [ "$CC" = "gcc" ] || CC="gcc $CC"
 yum -y install \
 	$CC $TSS \
 	asciidoc \
 	attr \
 	autoconf \
 	automake \
 	diffutils \
 	docbook-xsl \
 	gzip \
 	keyutils-libs-devel \
 	libattr-devel \
 	libtool \
 	libxslt \
 	make \
 	openssl \
 	openssl-devel \
 	pkg-config \
 	procps \
 	sudo \
 	vim-common \
 	wget \
 	which
 yum -y install docbook5-style-xsl || true
 yum -y install swtpm || true
--- a/travis/opensuse.sh
+++ b/travis/opensuse.sh
@ -1 +0,0 @@
 tumbleweed.sh
--- a/travis/tumbleweed.sh
+++ b/travis/tumbleweed.sh
@ -1,47 +0,0 @@
 #!/bin/sh
 # Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
 set -ex
 if [ -z "$CC" ]; then
 	echo "missing \$CC!" >&2
 	exit 1
 fi
 case "$TSS" in
 ibmtss) TSS="ibmtss-devel";;
 tpm2-tss) TSS="tpm2-0-tss-devel";;
 '') echo "Missing TSS!" >&2; exit 1;;
 *) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;
 esac
 # clang has some gcc dependency
 [ "$CC" = "gcc" ] || CC="gcc $CC"
 zypper --non-interactive install --force-resolution --no-recommends \
 	$CC $TSS \
 	asciidoc \
 	attr \
 	autoconf \
 	automake \
 	diffutils \
 	docbook_5 \
 	docbook5-xsl-stylesheets \
 	gzip \
 	ibmswtpm2 \
 	keyutils-devel \
 	libattr-devel \
 	libopenssl-devel \
 	libtool \
 	make \
 	openssl \
 	pkg-config \
 	procps \
 	sudo \
 	vim \
 	wget \
 	which \
 	xsltproc
 if [ -f /usr/lib/ibmtss/tpm_server ]; then
 	ln -s /usr/lib/ibmtss/tpm_server /usr/local/bin
 fi
--- a/travis/ubuntu.sh
+++ b/travis/ubuntu.sh
@ -1 +0,0 @@
 debian.sh
		`@ -1 +0,0 @@`
			`10 2e03b3fdb0014fc8bae2a07ca33ae67125b290f3 ima-ng sha256:83d19723ef3b3c05bb8ae70d86b3886c158f2408f1b71ed265886a7b79eb700e boot_aggregate`