EVM support (v2) in latest version of the kernel adds the file system UUID to
the HMAC calculation. It is controlled by the CONFIG_EVM_HMAC_VERSION and
-version 2 is enabled by default. To include the UUID to the signature calculation,
-it is necessary to provide '--uuid' or '-u' parameter to the 'sign' command.
-UUID can be provided on command line in form of '-uUUID' or '--uuid=UUID'.
+version 2 is enabled by default. In this version default UUID is included by
+default. Custom value can be supplied via '--uuid=UUID' or '-uUUID' parameter
+to the 'sign' command. To use old format HMAC format use '-' as a parameter.
Latest kernel got IMA/EVM support for using X509 certificates and asymmetric key
support for verifying digital signatures. This version uses x509 format by default.
Default X509 certificate: /etc/keys/x509_evm.der
Signing for using old RSA format is done using '-1' or '--rsa' parameter.
-Signing for using new the EVM HMAC format is done using '-u' or '--uuid' parameter.
+Signing for using old EVM HMAC format is done using '-u-' or '--uuid=-' parameter.
Sign file with EVM signature and use hash value for IMA - common case
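Review bot: the sentence "To use old format HMAC format use '-' as a parameter" doubles the word "format" and does not say which option takes the '-'; since the paragraph below spells it out as '-u-' or '--uuid=-', use the same wording here, and "default UUID is included by default" should read something like "the UUID of the file system the file lives on is now included automatically". The README should also state the compatibility consequence plainly: before this change the UUID was only added when '-u' was given, so signatures produced by this version of evmctl without '-u-' will no longer verify on a kernel built with CONFIG_EVM_HMAC_VERSION set to version 1, which used to be the behaviour of a plain 'sign'.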
static char *keypass;
static int sigfile;
static int modsig;
-static char *uuid_str;
+static char *uuid_str = "+";
static char *search_type;
static int recursive;
static dev_t fs_dev;
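Review bot: the new "+" initialiser turns uuid_str into a three-state value that is then tested as bare character literals in two separate functions, which is easy to get wrong on the next change. Record the states at this declaration, either as a comment or as named constants (e.g. a UUID_AUTO "+" and UUID_NONE "-"): "+" means read the UUID of the file's file system, "-" means omit the UUID (HMAC version 1 format), anything else is a literal UUID to pack. Also, uuid_str is now never NULL, so any remaining `if (uuid_str)` guard elsewhere in evmctl.c has become always-true and should be converted in this same patch.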
FILE *fp;
size_t len;
- if (uuid_str[0] != '-')
+ if (uuid_str[0] != '+')
return pack_uuid(uuid_str, uuid);
dev = st->st_dev;
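Review bot: get_uuid() only special-cases '+'; if it is ever reached with uuid_str set to "-" it will pass the string "-" to pack_uuid() as though it were a UUID. The hunk is correct only because every caller checks for '-' before calling, an invariant that is not visible in this function. Either have get_uuid() handle "-" itself (return a distinct "no UUID" result) or put a comment, or an assert on `uuid_str[0] != '-'`, at the top so the precondition is explicit.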
return 1;
}
- if (uuid_str) {
+ if (*uuid_str != '-') {
err = get_uuid(&st, uuid);
if (err)
return -1;
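Review bot: `if (*uuid_str != '-')` dereferences uuid_str unconditionally, where the replaced `if (uuid_str)` was a NULL guard. That is safe only because the initialiser is now "+" and the 'u' option always stores a non-NULL string; a short comment here should say so, since a future assignment of NULL to uuid_str turns this into a crash. Note the behaviour change as well: the default path now calls get_uuid(), which can fail and makes the whole operation return -1, so a plain 'sign' that used to succeed acquires a new failure mode. Make sure the error logged on that path tells the user that '--uuid=-' restores the old HMAC format.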
xattr = 0;
break;
case 'u':
- uuid_str = optarg ?: "-";
+ uuid_str = optarg ?: "+";
break;
case '1':
params.x509 = 0;
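Review bot: `optarg ?: "+"` relies on the GNU `?:` extension; `optarg ? optarg : "+"` is portable and no longer to type. Since "+" is already the default, a bare '-u' is now a no-op, which is fine but worth a comment. The more important point is getopt's optional-argument rule: the value must be attached, as in '-u-' or '--uuid=-'; a detached '-u -' leaves optarg NULL, so this case silently falls back to "+" and includes the UUID, the opposite of what the user asked for. Consider checking for a following bare "-" and rejecting it with an error, and keep the README's attached-form spelling consistent with that.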