2 1. Generate private key
4 openssl genrsa -out privkey_evm.pem 1024
8 openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
10 3. Copy public (+private if to sign on device) key to the device/qemu /etc/keys
12 scp pubkey_evm.pem mad:/etc/keys
14 4. Load keys and enable EVM
18 This should be done at early phase, before mounting root filesystem.
20 5. Sign EVM and use hash value for IMA - common case
22 evmctl sign --imahash test.txt
24 6. Sign IMA and EVM - for immutable files and modules
26 evmctl sign --imasig test.txt
28 7. Sign whole filesystem
32 find / \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) ! -path "/lib/modules/*" -type f -uid 0 -exec evmctl sign --imahash '{}' \;
33 find /lib/modules ! -name "*.ko" -type f -uid 0 -exec evmctl sign --imahash '{}' \;
34 # security.ima needs to have signature for modules
35 find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl sign --imasig '{}' \;
37 8. Label filesystem in fix mode...