UUID can be provided on command line in form of '-uUUID' or '--uuid=UUID'.
Latest kernel got IMA/EVM support for using X509 certificates and asymmetric key
-support for verifying digital signatures. The new command line parameter
-'-x' or '--x509' was added to the evmctl to enable using of X509 certificates
-and new signature format.
+support for verifying digital signatures. This version uses x509 format by default.
+Use '--rsa' or '-1' parameter to use old signature format and API.
Key generation
# import IMA public key
ima_id=`keyctl newring _ima @u`
- evmctl import /etc/keys/pubkey_evm.pem $ima_id
+ evmctl --rsa import /etc/keys/pubkey_evm.pem $ima_id
# import EVM public key
evm_id=`keyctl newring _evm @u`
- evmctl import /etc/keys/pubkey_evm.pem $evm_id
+ evmctl --rsa import /etc/keys/pubkey_evm.pem $evm_id
# enable EVM
echo "1" > /sys/kernel/security/evm
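Review bot: the two `+ evmctl --rsa import /etc/keys/pubkey_evm.pem $ima_id` / `$evm_id` lines now need an explanation in the surrounding text of why '--rsa' is required here, since the comments still read "# import IMA public key" and "# import EVM public key" as if this were the normal path. Suggest a one-line comment above the block saying these are the legacy RSA PEM keys and that x509 import (shown below) is the default, otherwise a reader copying only this block will not know which format their kernel ends up with.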
Import X509 certificate into the kernel keyring (since kernel 3.9?)
- $ evmctl -x import /etc/keys/x509_evm.der `keyctl search @u keyring _ima`
- $ evmctl -x import /etc/keys/x509_evm.der `keyctl search @u keyring _evm`
+ $ evmctl import /etc/keys/x509_evm.der `keyctl search @u keyring _ima`
+ $ evmctl import /etc/keys/x509_evm.der `keyctl search @u keyring _evm`
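Review bot: the two added `$ evmctl import /etc/keys/x509_evm.der ...` lines use a `$ ` prompt while the legacy import block directly above uses none; pick one prompt style for the README. The heading "Import X509 certificate into the kernel keyring (since kernel 3.9?)" is context here, but since this patch makes x509 the default it is the right moment to replace the "?" with the actual version.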
Signing
Default private key: /etc/keys/privkey_evm.pem
Default X509 certificate: /etc/keys/x509_evm.der
-Signing for using X509 certificates is done using '-x' or '--x509' parameter.
+Signing for using old RSA format is done using '-1' or '--rsa' parameter.
Signing for using new the EVM HMAC format is done using '-u' or '--uuid' parameter.
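Review bot: the added line "+Signing for using old RSA format is done using '-1' or '--rsa' parameter." names the format differently from the usage string in evmctl.c, which calls it "signing v1"; use one name (e.g. "old RSA signature format (signing v1)") in both places so users can map the README to `evmctl --help`. The unchanged next line also still reads "new the EVM HMAC format", which is worth fixing in the same patch since the surrounding text is being touched.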
Sign file with EVM signature and use hash value for IMA - common case
- $ evmctl sign [-u] [-x] --imahash test.txt
+ $ evmctl sign [-u] [-1] --imahash test.txt
Sign file with both IMA and EVM signatures - for immutable files
- $ evmctl sign [-u] [-x] --imasig test.txt
+ $ evmctl sign [-u] [-1] --imasig test.txt
Sign file with IMA signature - for immutable files
- $ evmctl ima_sign [-x] test.txt
+ $ evmctl ima_sign [-1] test.txt
Label whole filesystem with EVM signatures
- $ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign [-u] [-x] --imahash '{}' \;
+ $ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign [-u] [-1] --imahash '{}' \;
Label filesystem in fix mode - kernel sets correct values to IMA and EVM xattrs
" -d, --imahash also make IMA hash\n"
" -f, --sigfile store IMA signature in .sig file instead of xattr\n"
" -m, --modsig store module signature in .sig file instead of xattr\n"
- " -x, --x509 signing key is in x509 DER format (signing v2 for using asymmetric keys)\n"
+ " -1, --rsa signing key is in RSA DER format (signing v1)\n"
" -k, --key path to signing key (default keys are /etc/keys/{privkey,pubkey}_evm.pem)\n"
" -p, --pass password for encrypted signing key\n"
" -u, --uuid use file system UUID in HMAC calculation (EVM v2)\n"
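Review bot: the new usage line `" -1, --rsa signing key is in RSA DER format (signing v1)\n"` contradicts the rest of the patch, which passes PEM files to '--rsa' (README: `evmctl --rsa import /etc/keys/pubkey_evm.pem`) and documents the defaults as `/etc/keys/{privkey,pubkey}_evm.pem` two lines below. Suggest "signing key is in RSA PEM format (signing v1; default is x509 DER, signing v2)" so the help text both matches the examples and tells the user what the default now is.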
struct command cmds[] = {
{"help", cmd_help, 0, "<command>"},
- {"import", cmd_import, 0, "[--x509] pubkey keyring", "Import public key into the keyring.\n"},
+ {"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring.\n"},
{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass password] file", "Sign file metadata.\n"},
{"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
{"ima_sign", cmd_sign_ima, 0, "[--sigfile | --modsig] [--key key] [--pass password] file", "Make file content signature.\n"},
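Review bot: only the `import` entry was updated to `"[--rsa] pubkey keyring"`, but the README examples in this same patch show `[-1]` for `sign` and `ima_sign` too, and their usage strings (`"[-r] [--imahash | --imasig ] ..."` and `"[--sigfile | --modsig] ..."`) still do not mention '--rsa' or '-u'. Suggest adding `[--rsa]` (and `[--uuid]` for `sign`) to those two entries so `evmctl help sign` agrees with the README.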
{"sigfile", 0, 0, 'f'},
{"modsig", 0, 0, 'm'},
{"uuid", 2, 0, 'u'},
- {"x509", 0, 0, 'x'},
+ {"rsa", 0, 0, '1'},
{"key", 1, 0, 'k'},
{"type", 1, 0, 't'},
{"recursive", 0, 0, 'r'},
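Review bot: the long-option entry `{"rsa", 0, 0, '1'}` changes the short option from 'x' to '1', but the getopt optstring that must contain the same characters is not in this diff; please confirm it was updated in the same change, otherwise `-1` is rejected while `--rsa` works. A digit as a short option is also easy to misread as a count or a negative number in the README's `[-u] [-1]` examples; a letter would be less surprising if one is still free.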
case 'u':
uuid_str = optarg ?: "-";
break;
- case 'x':
- params.x509 = 1;
+ case '1':
+ params.x509 = 0;
break;
case 'k':
params.keyfile = optarg;
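Review bot: `case '1': params.x509 = 0;` only makes sense if `params.x509` is now initialised to 1 before option parsing, and that initialisation is not part of this diff; please confirm it exists, since otherwise the field stays 0 and x509 never becomes the default the README promises. With the flag now meaning "not rsa", a short comment on the case (or renaming the field to something like `params.rsa` with inverted uses) would keep the switch readable.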