mirror of
https://git.code.sf.net/p/linux-ima/ima-evm-utils
synced 2025-04-27 22:32:31 +02:00
1. Generate private key

   # plain key
   openssl genrsa -out privkey_evm.pem 1024
   # encrypted key
   openssl genrsa -des3 -out privkey_evm.pem 1024
   # set a password on (encrypt) an existing plain key
   openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
   or
   openssl pkcs8 -topk8 -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem

   Note: 1024-bit RSA is shown for brevity only; for a key that protects a real system use at least 2048 bits.

2. Generate public key

   openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem

3. Copy the public key (and the private key too, if files are to be signed on the device) to /etc/keys on the device/qemu ("mad" is an example hostname)

   scp pubkey_evm.pem mad:/etc/keys

4. Load keys and enable EVM

   evm_enable.sh

   This should be done at an early phase, before mounting the root filesystem.

5. Sign EVM and use the hash value for IMA - common case

   evmctl sign --imahash test.txt

6. Sign IMA and EVM - for immutable files and modules

   evmctl sign --imasig test.txt

7. Sign the whole filesystem

   evm_sign_all.sh
   or
   find / \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) ! -path "/lib/modules/*" -type f -uid 0 -exec evmctl sign --imahash '{}' \;
   find /lib/modules ! -name "*.ko" -type f -uid 0 -exec evmctl sign --imahash '{}' \;
   # security.ima needs to have a signature for modules
   find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl sign --imasig '{}' \;
   # generate signatures in .sig files
   find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl -n --sigfile ima_sign '{}' \;

8. Label the filesystem in fix mode...

   ima_fix_dir.sh <dir>
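Steps 5 and 6 above leave either a digest or a signature in the security.ima extended attribute, and IMA appraisal later compares that value against the file. The following is an added example, not code from ima-evm-utils or the page, showing how to build the digest form that `--imahash` stores and how to decode both forms (as seen with `getfattr -e hex -n security.ima`). The type bytes and hash-algorithm ids come from the kernel's integrity.h and hash_info.h; the signature header layout follows ima-evm-utils' signature_v2_hdr (type, version, hash algo, big-endian key id, big-endian size, payload). The sample signature xattr is constructed with a fake payload purely to exercise the parser; it is not a real signature and is not verified here.

```python
import hashlib
import hmac
import struct

# First byte of security.ima: xattr type (kernel security/integrity/integrity.h)
IMA_XATTR_DIGEST = 0x01            # legacy sha1 digest, no algorithm byte
EVM_XATTR_HMAC = 0x02
EVM_IMA_XATTR_DIGSIG = 0x03        # signature: what `evmctl sign --imasig` stores
IMA_XATTR_DIGEST_NG = 0x04         # digest + algorithm byte: what `--imahash` stores for sha256 etc.
EVM_XATTR_PORTABLE_DIGSIG = 0x05

# enum hash_algo ids (include/uapi/linux/hash_info.h); only the ones used here
HASH_ALGO = {"sha1": 2, "sha256": 4, "sha384": 5, "sha512": 6}
HASH_ALGO_BY_ID = {v: k for k, v in HASH_ALGO.items()}


def ima_hash_xattr(data: bytes, algo: str = "sha256") -> bytes:
    """Build the security.ima value produced by `evmctl ima_hash` / `sign --imahash`."""
    digest = hashlib.new(algo, data).digest()
    if algo == "sha1":
        # sha1 keeps the legacy one-byte header for compatibility
        return bytes([IMA_XATTR_DIGEST]) + digest
    return bytes([IMA_XATTR_DIGEST_NG, HASH_ALGO[algo]]) + digest


def to_getfattr_hex(xattr: bytes) -> str:
    """Render the value the way `getfattr -e hex` prints it."""
    return "0x" + xattr.hex()


def parse_ima_xattr(xattr: bytes) -> dict:
    """Decode a security.ima value into its fields; does not verify anything."""
    if not xattr:
        raise ValueError("empty security.ima")
    xtype = xattr[0]
    if xtype == IMA_XATTR_DIGEST:
        return {"type": "digest", "algo": "sha1", "digest": xattr[1:]}
    if xtype == IMA_XATTR_DIGEST_NG:
        if len(xattr) < 2 or xattr[1] not in HASH_ALGO_BY_ID:
            raise ValueError("bad digest_ng header")
        return {"type": "digest", "algo": HASH_ALGO_BY_ID[xattr[1]], "digest": xattr[2:]}
    if xtype in (EVM_IMA_XATTR_DIGSIG, EVM_XATTR_PORTABLE_DIGSIG):
        # signature_v2_hdr: type(1) version(1) hash_algo(1) keyid(be32) sig_size(be16) sig[]
        if len(xattr) < 9:
            raise ValueError("truncated signature header")
        version, hash_algo, keyid, sig_size = struct.unpack(">BBIH", xattr[1:9])
        sig = xattr[9:]
        if len(sig) != sig_size:
            raise ValueError(f"sig_size {sig_size} does not match payload length {len(sig)}")
        return {
            "type": "signature",
            "version": version,
            "algo": HASH_ALGO_BY_ID.get(hash_algo, hash_algo),
            "keyid": f"{keyid:08x}",
            "sig": sig,
        }
    raise ValueError(f"unknown security.ima type {xtype:#04x}")


def ima_hash_matches(data: bytes, xattr: bytes) -> bool:
    """Appraise a digest-type security.ima against file content, as IMA does for --imahash files.
    A signature-type xattr returns False here: that case needs the public key, not a hash compare."""
    info = parse_ima_xattr(xattr)
    if info["type"] != "digest":
        return False
    expected = hashlib.new(info["algo"], data).digest()
    return hmac.compare_digest(expected, info["digest"])


# Constructed sample (assumption for this example): a v2 signature header with a
# 4-byte dummy payload and key id 0xdeadbeef. Not a real signature.
SAMPLE_SIG_XATTR = (
    bytes([EVM_IMA_XATTR_DIGSIG, 0x02, HASH_ALGO["sha256"]])
    + struct.pack(">IH", 0xDEADBEEF, 4)
    + b"\x01\x02\x03\x04"
)

if __name__ == "__main__":
    content = b"hello"
    xattr = ima_hash_xattr(content)
    print("security.ima for --imahash:", to_getfattr_hex(xattr))
    print("matches content:", ima_hash_matches(content, xattr))
    print("tampered content:", ima_hash_matches(b"hellp", xattr))
    print("signature header:", parse_ima_xattr(SAMPLE_SIG_XATTR))
```

The key id in the signature header is how the kernel picks the key from the `.ima` keyring, so when appraisal fails with a signature present, comparing that id against `keyctl show %keyring:.ima` is the first thing to check.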
Description
Integrity Measurement Architecture to know EXACTLY what has been run on your machine.
https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/