Add more info on:
* introduction
* EVM formats
* Signature and keys formats
* IMA trusted keys and keyrings
* EVM trusted keys
* Updated scripts and examples
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Latest versions of smack uses additional xattrs. This patch adds them to
EVM protection. Linux kernel configuration option CONFIG_EVM_EXTRA_SMACK_XATTRS
has to be enabled.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Do not require to re-build man file at the build process.
It will require less build dependencies.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Update README with additional information to produce initial
evmctl.1 man page. Sligtly reformat it for that purpose as well.
Requires asciidoc, xslproc, docbook-xsl packages to build man page.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
This patch enables package managers, such as rpm, to include IMA signatures in
packages.
To do this, sign_hash and some helper functions were moved from evmctl to
libimaevm. These functions used global variables that belong to evmctl, sigdump
and keypass. The variable sigdump is a flag that file signatures should be
printed to stdout, so the signature dump is now handled by functions that call
sign_hash. The variable keypass is a passphrase for an encrypted key, so it was
added to 'struct libevm_params'.
v2: Uses 'struct libevm_params' to minimize sign_hash parameters
v3: Export single sign_hash function that selects _v1 or _v2 internally based
on params.x509. Moved parameter checks and explicitly return -1 for failures.
Signed-off-by: Fionnuala Gunter <fin@linux.vnet.ibm.com>
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
'ima_hash -a sha256' and 'sign -a sha256 --imahash' commands did set
incorrect xattr header for hash algos other than sha1.
Fix it.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
'-x' option was removed a while ago, but 'x' was not removed
from getopt_long() parameter. Remove it.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
In a number of situations, the file hash has already been calculated.
Instead of reading a file to calculate the file hash, read the file hash
from stdin; and instead of writing the signature as an xattr or creating
a .sig file, output the signature as ascii-hex to stdout.
For example, piping the output of sha256sum <pathname> to evmctl would
display the original sha256 output with the file signature appended.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Currently evmctl supports importing keys onto a particular keyring
based on a numeric keyring identifier. This patch adds support
for importing keys based special values as defined by keyctl.
Thread keyring: @t (-1)
Process keyring: @p (-2)
Session keyring: @s (-3)
User specific keyring: @u (-4)
User default session keyring: @us (-5)
Group specific keyring: @g (-6)
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
'--m32|--m64' parameter can be specified to label images for different
architecture size than host.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
