diff --git a/README b/README
index 4a454f9..b9c5376 100644
--- a/README
+++ b/README
@@ -14,9 +14,9 @@ Key and signature formats EVM support (v2) in latest version of the kernel adds the file system UUID to the HMAC calculation. It is controlled by the CONFIG_EVM_HMAC_VERSION and
-version 2 is enabled by default. To include the UUID to the signature calculation,
-it is necessary to provide '--uuid' or '-u' parameter to the 'sign' command.
-UUID can be provided on command line in form of '-uUUID' or '--uuid=UUID'.
+version 2 is enabled by default. In this version default UUID is included by
+default. Custom value can be supplied via '--uuid=UUID' or '-uUUID' parameter
+to the 'sign' command. To use old format HMAC format use '-' as a parameter. Latest kernel got IMA/EVM support for using X509 certificates and asymmetric key support for verifying digital signatures. This version uses x509 format by default.
@@ -121,7 +121,7 @@ Default private key: /etc/keys/privkey_evm.pem Default X509 certificate: /etc/keys/x509_evm.der Signing for using old RSA format is done using '-1' or '--rsa' parameter.
-Signing for using new the EVM HMAC format is done using '-u' or '--uuid' parameter.
+Signing for using old EVM HMAC format is done using '-u-' or '--uuid=-' parameter. Sign file with EVM signature and use hash value for IMA - common case
diff --git a/src/evmctl.c b/src/evmctl.c
index 9cba307..f6e3fac 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -72,7 +72,7 @@ static int digsig;
 static char *keypass;
 static int sigfile;
 static int modsig;
-static char *uuid_str;
+static char *uuid_str = "+";
 static char *search_type;
 static int recursive;
 static dev_t fs_dev;
@@ -434,7 +434,7 @@ static int get_uuid(struct stat *st, char *uuid)
 FILE *fp;
 size_t len;

- if (uuid_str[0] != '-')
+ if (uuid_str[0] != '+')
 return pack_uuid(uuid_str, uuid);

 dev = st->st_dev;
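Review bot: The sentinel protocol this hunk introduces for `uuid_str` — `"+"` meaning "use the filesystem UUID", `"-"` meaning "omit the UUID (old HMAC format)", anything else an explicit UUID — is spread over this default, the `uuid_str[0] != '+'` test in the @@ -434 hunk, the `*uuid_str != '-'` test in the @@ -540 hunk and the `optarg ?: "+"` fallback in the @@ -1604 hunk, but nothing in the code records it. A comment on the declaration would do, e.g. `/* "+": use fs UUID (default); "-": omit UUID (old HMAC format); otherwise an explicit UUID string */`, or two named constants used at all four sites. Because the default is now a non-NULL literal rather than NULL, any remaining `if (uuid_str)` null-test elsewhere in the file (none is visible in this diff) would be unconditionally true and should be re-checked. Separately, `uuid_str[0] != '+'` in get_uuid() inspects only the first character, so a value such as `+abc` silently selects the filesystem UUID instead of being reported as a bad UUID; `strcmp(uuid_str, "+") != 0` would be tighter. get_uuid()'s body starts and continues outside the hunk.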
@@ -540,7 +540,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 return 1;
 }

- if (uuid_str) {
+ if (*uuid_str != '-') {
 err = get_uuid(&st, uuid);
 if (err)
 return -1;
@@ -1604,7 +1604,7 @@ int main(int argc, char *argv[])
 xattr = 0;
 break;
 case 'u':
- uuid_str = optarg ?: "-";
+ uuid_str = optarg ?: "+";
 break;
 case '1':
 params.x509 = 0;
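Review bot: An empty option value (`--uuid=`) leaves `uuid_str` pointing at `""` on the `case 'u'` line of the @@ -1604 hunk; that passes the new `*uuid_str != '-'` test in calc_evm_hash() and the `uuid_str[0] != '+'` test in get_uuid() and reaches pack_uuid() with nothing to parse, and whether pack_uuid() rejects it is not visible here. Rejecting it at the option site keeps the error next to the user's input, e.g. `uuid_str = optarg ?: "+";` followed by `if (!*uuid_str) { /* report invalid --uuid value and exit */ }`. Note also that the `-` path in calc_evm_hash() leaves `uuid` unset; the rest of the function, outside the hunk, must not hash it in that case. Both calc_evm_hash() and main() begin and end outside their hunks.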