[PATCH ima-evm-utils 1/2] Update README

Mimi Zohar <zohar@xxxxxxxxxxxxx> · Mon, 6 Mar 2023 06:36:34 -0500

Update the README to reflect the changes to "evmctl --help".

Update the "--pass" option format in both the README and evmctl usage
to reflect passing an optional password on the command line (not
recommended).  When providing the password, the format is:
 "[--pass[=<password>]]".

Also fix some typos.

Still include references to both the deprecated "--rsa" and "--engine"
options.

Related confiigure options:
--enable-sigv1          Build ima-evm-utils with signature v1 support
--disable-engine        build ima-evm-utils without OpenSSL engine support

Reported-by: Vitaly Chikunov <vt@xxxxxxxxxxxx> # typos, "--pass" format
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
 README       | 37 +++++++++++++++++++++++++------------
 src/evmctl.c |  9 +++++----
 2 files changed, 30 insertions(+), 16 deletions(-)

diff --git a/README b/README
index ffe46ad75728..75e4fd2e8948 100644
--- a/README
+++ b/README
@@ -25,29 +25,34 @@ COMMANDS
 
  --version
  help <command>
- import [--rsa] pubkey keyring
- sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file
+ import  [--rsa (deprecated)] pubkey keyring
+ sign [-r] [--imahash | --imasig ] [--key key] [--pass[=<password>] file
  verify file
- ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
- ima_sign [--sigfile] [--key key] [--pass password] file
+ ima_sign [--sigfile] [--key key] [--pass[=<password>]] file
  ima_verify file
+ ima_setxattr [--sigfile file]
  ima_hash file
- ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
+ ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]
+   [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...]
+   [--verify-bank hash-algorithm] file
+ ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]
+   [--hwtpm]
  ima_fix [-t fdsxm] path
- sign_hash [--veritysig] [--key key] [--pass password]
+ ima_clear [-t fdsxm] path
+ sign_hash [--veritysig] [--key key] [--pass=<password>]
  hmac [--imahash | --imasig ] file
 
 
 OPTIONS
 -------
 
-  -a, --hashalgo     sha1, sha224, sha256, sha384, sha512
+  -a, --hashalgo     sha1, sha224, sha256, sha384, sha512, streebog256, streebog512 (default: sha256)
   -s, --imasig       make IMA signature
       --veritysig    sign an fs-verity file digest hash
   -d, --imahash      make IMA hash
   -f, --sigfile      store IMA signature in .sig file instead of xattr
       --xattr-user   store xattrs in user namespace (for testing purposes)
-      --rsa          use RSA key type and signing scheme v1
+      --rsa          use RSA key type and signing scheme v1 (deprecated)
   -k, --key          path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
                      or a pkcs11 URI
       --keyid n      overwrite signature keyid with a 32-bit value in hex (for signing)
@@ -64,7 +69,15 @@ OPTIONS
       --smack        use extra SMACK xattrs for EVM
       --m32          force EVM hmac/signature for 32 bit target system
       --m64          force EVM hmac/signature for 64 bit target system
-      --engine e     preload OpenSSL engine e (such as: gost)
+      --engine e     preload OpenSSL engine e (such as: gost) is deprecated
+      --ino          use custom inode for EVM
+      --uid          use custom UID for EVM
+      --gid          use custom GID for EVM
+      --mode         use custom Mode for EVM
+      --generation   use custom Generation for EVM(unspecified: from FS, empty: use 0)
+      --ima          use custom IMA signature for EVM
+      --selinux      use custom Selinux label for EVM
+      --caps         use custom Capabilities for EVM(unspecified: from FS, empty: do not use)
       --pcrs         file containing TPM pcrs, one per hash-algorithm/bank
       --ignore-violations ignore ToMToU measurement violations
       --verify-sig   verify the file signature based on the file hash, both
@@ -206,7 +219,7 @@ asymmetric keys support:
 
 Configuration file x509_evm.genkey:
 
-	# Begining of the file
+	# Beginning of the file
 	[ req ]
 	default_bits = 1024
 	distinguished_name = req_distinguished_name
@@ -257,7 +270,7 @@ following steps:
 
 Configuration file ima-local-ca.genkey:
 
-	# Begining of the file
+	# Beginning of the file
 	[ req ]
 	default_bits = 2048
 	distinguished_name = req_distinguished_name
@@ -288,7 +301,7 @@ Produce X509 in DER format for using while building the kernel:
 
 Configuration file ima.genkey:
 
-	# Begining of the file
+	# Beginning of the file
 	[ req ]
 	default_bits = 1024
 	distinguished_name = req_distinguished_name
diff --git a/src/evmctl.c b/src/evmctl.c
index 95281df08051..6d2bb67427da 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -2820,6 +2820,7 @@ static void usage(void)
 		"\n"
 		"  -a, --hashalgo     sha1, sha224, sha256, sha384, sha512, streebog256, streebog512 (default: %s)\n"
 		"  -s, --imasig       make IMA signature\n"
+		"      --veritysig    sign an fs-verity file digest hash\n"
 		"  -d, --imahash      make IMA hash\n"
 		"  -f, --sigfile      store IMA signature in .sig file instead of xattr\n"
 		"      --xattr-user   store xattrs in user namespace (for testing purposes)\n"
@@ -2867,14 +2868,14 @@ struct command cmds[] = {
 	{"--version", NULL, 0, ""},
 	{"help", cmd_help, 0, "<command>"},
 #if CONFIG_SIGV1
-	{"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring. ([--rsa] deprecated)\n"},
+	{"import", cmd_import, 0, "[--rsa (deprecated)] pubkey keyring", "Import public key into the keyring.\n"},
 	{"convert", cmd_convert, 0, "key", "convert public key into the keyring. (deprecated)\n"},
 #else
 	{"import", cmd_import, 0, "pubkey keyring", "Import public key into the keyring.\n"},
 #endif
-	{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass [password] file", "Sign file metadata.\n"},
+	{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass[=<password>]] file", "Sign file metadata.\n"},
 	{"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
-	{"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass [password] file", "Make file content signature.\n"},
+	{"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass[=<password>]] file", "Make file content signature.\n"},
 	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
 	{"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"},
 	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
@@ -2882,7 +2883,7 @@ struct command cmds[] = {
 	{"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log] [--hwtpm]", "Calculate per TPM bank boot_aggregate digests\n"},
 	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
 	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
-	{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass password]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
+	{"sign_hash", cmd_sign_hash, 0, "[--veritysig] [--key key] [--pass[=<password>]]", "Sign hashes from either shaXsum or \"fsverity digest\" output.\n"},
 #ifdef DEBUG
 	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
 #endif
-- 
2.31.1







