EVM support (v2) in latest version of the kernel adds the file system UUID to
the HMAC calculation. It is controlled by the CONFIG_EVM_HMAC_VERSION and
version 2 is enabled by default. To include the UUID to the signature calculation,
-it is necessary to provide '--uuid -' or '-u -' parameter to the 'sign' command.
+it is necessary to provide '--uuid' or '-u' parameter to the 'sign' command.
+UUID can be provided on command line in form of '-uUUID' or '--uuid=UUID'.
Latest kernel got IMA/EVM support for using X509 certificates and asymmetric key
support for verifying digital signatures. The new command line parameter
Default X509 certificate: /etc/keys/x509_evm.der
Signing for using X509 certificates is done using '-x' or '--x509' parameter.
-Signing for using new the EVM HMAC format is done using '-u -' or '--uuid -' parameter.
+Signing for using new the EVM HMAC format is done using '-u' or '--uuid' parameter.
Sign file with EVM signature and use hash value for IMA - common case
- $ evmctl sign [-u -] [-x] --imahash test.txt
+ $ evmctl sign [-u] [-x] --imahash test.txt
Sign file with both IMA and EVM signatures - for immutable files
- $ evmctl sign [-u -] [-x] --imasig test.txt
+ $ evmctl sign [-u] [-x] --imasig test.txt
Sign file with IMA signature - for immutable files
Label whole filesystem with EVM signatures
- $ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign [-u -] [-x] --imahash '{}' \;
+ $ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign [-u] [-x] --imahash '{}' \;
Label filesystem in fix mode - kernel sets correct values to IMA and EVM xattrs
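Review bot: the README now describes '-uUUID' / '--uuid=UUID' but never says what the bare '-u' / '--uuid' form does (it takes the place of the old '-u -', i.e. whatever the '-' value selected before), nor that an explicit UUID must be attached to the option: with an optional argument, 'evmctl sign -u 12345678-... test.txt' is parsed as bare '-u' followed by a file named after the UUID, so the user ends up with a different HMAC than intended. Suggest stating both explicitly, e.g. "Use -u or --uuid to take the UUID from the file system of the signed file; use -uUUID or --uuid=UUID to supply one (the value must be attached, not space-separated)." While these lines are being rewritten, the '+' line "Signing for using new the EVM HMAC format" carries over the word-order slip; "the new EVM HMAC format" reads correctly.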
" -x, --x509 signing key is in x509 DER format (signing v2 for using asymmetric keys)\n"
" -k, --key path to signing key (default keys are /etc/keys/{privkey,pubkey}_evm.pem)\n"
" -p, --pass password for encrypted signing key\n"
+ " -u, --uuid use file system UUID in HMAC calculation (EVM v2)\n"
" -n print result to stdout instead of setting xattr\n"
" -v increase verbosity level\n"
" -h, --help display this help and exit\n"
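Review bot: the new help line for -u does not show the optional argument that the README and the getopt_long spec (has_arg 2, "u::") provide, so --help disagrees with the documentation. Suggest " -u, --uuid[=UUID] use file system UUID in HMAC calculation (EVM v2); UUID may be given explicitly\n", keeping the column alignment of the surrounding lines.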
{"pass", 1, 0, 'p'},
{"sigfile", 0, 0, 'f'},
{"modsig", 0, 0, 'm'},
- {"uuid", 1, 0, 'u'},
+ {"uuid", 2, 0, 'u'},
{"x509", 0, 0, 'x'},
{"key", 1, 0, 'k'},
{}
verify_hash = verify_hash_v1;
while (1) {
- c = getopt_long(argc, argv, "hvnsda:p:fu:xk:", opts, &lind);
+ c = getopt_long(argc, argv, "hvnsda:p:fu::xk:", opts, &lind);
if (c == -1)
break;
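Review bot: "u::" makes the UUID an optional argument, which is consistent with has_arg 2 in the long-option table, but getopt_long then only recognises the attached forms '-uUUID' and '--uuid=UUID'; '-u UUID' and '--uuid UUID' silently leave uuid_str at the default and hand the UUID string to the file loop as a path. Since the help text and README are the only places this can be made visible, both should say the value must be attached; alternatively keep the argument required and document '-u -' as the way to request the file system's own UUID.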
xattr = 0;
break;
case 'u':
- uuid_str = optarg;
+ uuid_str = optarg ?: "-";
break;
case 'x':
x509 = 1;
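Review bot: 'optarg ?: "-"' does not cover '--uuid=' (empty value), where optarg is "" rather than NULL, so uuid_str becomes the empty string instead of the intended default "-"; use '(optarg && *optarg) ? optarg : "-"'. The '?:' form is also a GNU C extension; the plain conditional keeps the code portable. Separately, uuid_str can now hold any user-supplied string, and the consumer of uuid_str is not in the visible lines: make sure it rejects a malformed UUID (wrong length, non-hex characters) rather than feeding it into the HMAC, since per the README the kernel mixes the real file system UUID into the HMAC and a wrong value yields a signature that will never verify.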