import UBI ima-evm-utils-1.6.2-3.el10

.gitignore

@@ -1,2 +1,3 @@
-SOURCES/ima-evm-utils-1.1.tar.gz
-SOURCES/ima-evm-utils-1.3.2.tar.gz
+centosimarelease-10.der
+ima-evm-utils-1.6.2.tar.gz
+redhatimarelease-10.der

.ima-evm-utils.metadata

@@ -1,2 +0,0 @@
-58705b3544ae6e650042374dba535c0b3837b8fc SOURCES/ima-evm-utils-1.1.tar.gz
-034d163533ae5f9c06001b375ec7e5a1b09a3853 SOURCES/ima-evm-utils-1.3.2.tar.gz

SOURCES/0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch

@@ -1,38 +0,0 @@
-From ea10a33d26572eebde59565179f622b6fb240d04 Mon Sep 17 00:00:00 2001
-From: Patrick Uiterwijk <patrick@puiterwijk.org>
-Date: Wed, 6 Jan 2021 10:43:34 +0100
-Subject: [PATCH] Fix sign_hash not observing the hashalgo argument
-
-This fixes sign_hash not using the correct algorithm for creating the
-signature, by ensuring it uses the passed in variable value.
-
-Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
----
- src/libimaevm.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/libimaevm.c b/src/libimaevm.c
-index fa6c27858d0f..72d5e67f6fdd 100644
---- a/src/libimaevm.c
-+++ b/src/libimaevm.c
-@@ -916,7 +916,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
- 		return -1;
- 	}
- 
--	log_info("hash(%s): ", imaevm_params.hash_algo);
-+	log_info("hash(%s): ", algo);
- 	log_dump(hash, size);
- 
- 	pkey = read_priv_pkey(keyfile, imaevm_params.keypass);
-@@ -942,7 +942,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
- 	if (!EVP_PKEY_sign_init(ctx))
- 		goto err;
- 	st = "EVP_get_digestbyname";
--	if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo)))
-+	if (!(md = EVP_get_digestbyname(algo)))
- 		goto err;
- 	st = "EVP_PKEY_CTX_set_signature_md";
- 	if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
--- 
-2.29.2
-

SOURCES/annocheck-opt-flag.patch

@@ -1,19 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index 6822f39..34e4a81 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -36,9 +36,9 @@ AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You n
- #debug support - yes for a while
- PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
- if test $pkg_cv_enable_debug = yes; then
--	CFLAGS="$CFLAGS -g -O1 -Wall -Wstrict-prototypes -pipe"
-+	CFLAGS="$CFLAGS -g -O2 -Wall -Wstrict-prototypes -pipe"
- else
--	CFLAGS="$CFLAGS -Wall -Wstrict-prototypes -pipe -fomit-frame-pointer"
-+	CFLAGS="$CFLAGS -O2 -Wall -Wstrict-prototypes -pipe -fomit-frame-pointer"
- fi
- 
- # for gcov
--- 
-2.14.4
-

SOURCES/covscan-memory-leaks.patch

@@ -1,45 +0,0 @@
-diff --git a/src/evmctl.c b/src/evmctl.c
-index 2ffee78..b80a1c9 100644
---- a/src/evmctl.c
-+++ b/src/evmctl.c
-@@ -1716,7 +1716,7 @@ static char *get_password(void)
- 
- 	if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
- 		perror("tcsetattr");
--		return NULL;
-+		goto get_pwd_err;
- 	}
- 
- 	printf("PEM password: ");
-@@ -1725,10 +1725,14 @@ static char *get_password(void)
- 	/* restore terminal */
- 	if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
- 		perror("tcsetattr");
--		return NULL;
-+		goto get_pwd_err;
- 	}
- 
-+	free(password);
- 	return pwd;
-+get_pwd_err:
-+	free(password);
-+	return NULL;
- }
- 
- int main(int argc, char *argv[])
-diff --git a/src/libimaevm.c b/src/libimaevm.c
-index 6fa0ed4..39582f2 100644
---- a/src/libimaevm.c
-+++ b/src/libimaevm.c
-@@ -466,6 +466,8 @@ void init_public_keys(const char *keyfiles)
- 		entry->next = public_keys;
- 		public_keys = entry;
- 	}
-+
-+	free(tmp_keyfiles);
- }
- 
- int verify_hash_v2(const char *file, const unsigned char *hash, int size,
--- 
-2.14.4
-

SOURCES/docbook-xsl-path.patch

@@ -1,12 +0,0 @@
-diff -urNp ima-evm-utils-1.0-orig/Makefile.am ima-evm-utils-1.0/Makefile.am
---- ima-evm-utils-1.0-orig/Makefile.am	2015-07-30 15:28:53.000000000 -0300
-+++ ima-evm-utils-1.0/Makefile.am	2017-11-20 16:20:04.245591165 -0200
-@@ -24,7 +24,7 @@ rpm: $(tarname)
- 	rpmbuild -ba --nodeps $(SPEC)
- 
- # requires asciidoc, xslproc, docbook-xsl
--MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl
-+MANPAGE_DOCBOOK_XSL = /usr/share/sgml/docbook/xsl-stylesheets/manpages/docbook.xsl
- 
- evmctl.1.html: README
- 	@asciidoc -o $@ $<

SOURCES/libimaevm-keydesc-import.patch

@@ -1,37 +0,0 @@
-diff --git a/src/libimaevm.c b/src/libimaevm.c
-index 6fa0ed4..b6f9b9f 100644
---- a/src/libimaevm.c
-+++ b/src/libimaevm.c
-@@ -672,12 +672,11 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
- 	memcpy(keyid, sha1 + 12, 8);
- 	log_debug("keyid: ");
- 	log_debug_dump(keyid, 8);
-+	id = __be64_to_cpup((__be64 *) keyid);
-+	sprintf(str, "%llX", (unsigned long long)id);
- 
--	if (params.verbose > LOG_INFO) {
--		id = __be64_to_cpup((__be64 *) keyid);
--		sprintf(str, "%llX", (unsigned long long)id);
-+	if (params.verbose > LOG_INFO)
- 		log_info("keyid-v1: %s\n", str);
--	}
- }
- 
- void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
-@@ -694,11 +693,10 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
- 	memcpy(keyid, sha1 + 16, 4);
- 	log_debug("keyid: ");
- 	log_debug_dump(keyid, 4);
-+	sprintf(str, "%x", __be32_to_cpup(keyid));
- 
--	if (params.verbose > LOG_INFO) {
--		sprintf(str, "%x", __be32_to_cpup(keyid));
-+	if (params.verbose > LOG_INFO)
- 		log_info("keyid: %s\n", str);
--	}
- 
- 	free(pkey);
- }
--- 
-2.19.1
-

SPECS/ima-evm-utils.spec

@@ -1,208 +0,0 @@
-%global compat_soversion 0
-
-Name:    ima-evm-utils
-Version: 1.3.2
-Release: 12%{?dist}
-Summary: IMA/EVM support utilities
-License: GPLv2
-Url:     http://linux-ima.sourceforge.net/
-Source:  http://sourceforge.net/projects/linux-ima/files/ima-evm-utils/%{name}-%{version}.tar.gz
-Source10: ima-evm-utils-1.1.tar.gz
-
-Patch0: 0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch
-# compat patches
-Patch1: docbook-xsl-path.patch
-Patch2: covscan-memory-leaks.patch
-Patch3: annocheck-opt-flag.patch
-Patch4: libimaevm-keydesc-import.patch
-
-BuildRequires: asciidoc
-BuildRequires: autoconf
-BuildRequires: automake
-BuildRequires: gcc
-BuildRequires: keyutils-libs-devel
-BuildRequires: libtool
-BuildRequires: libxslt
-BuildRequires: openssl-devel
-BuildRequires: tpm2-tss-devel
-# compat requirement
-BuildRequires: libattr-devel
-
-#Requires: tpm2-tss
-
-%description
-The Trusted Computing Group(TCG) run-time Integrity Measurement Architecture
-(IMA) maintains a list of hash values of executables and other sensitive
-system files, as they are read or executed. These are stored in the file
-systems extended attributes. The Extended Verification Module (EVM) prevents
-unauthorized changes to these extended attributes on the file system.
-ima-evm-utils is used to prepare the file system for these extended attributes.
-
-%package devel
-Summary: Development files for %{name}
-Requires: %{name} = %{version}-%{release}
-
-%description devel
-This package provides the header files for %{name}
-
-%package -n %{name}%{compat_soversion}
-Summary: Compatibility package of %{name}
-
-%description -n %{name}%{compat_soversion}
-This package provides the libimaevm.so.%{compat_soversion} relative to %{name}-1.1
-
-%prep
-%setup -q
-%patch0 -p1
-mkdir compat/
-tar -zxf %{SOURCE10} --strip-components=1 -C compat/
-cd compat/
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-
-%build
-# build compat version of the package
-pushd compat/
-autoreconf -vif
-%configure --disable-static
-%make_build
-popd
-
-autoreconf -vif
-%configure --disable-static
-%make_build
-
-%install
-%make_install
-find %{buildroot}%{_libdir} -type f -name "*.la" -print -delete
-# install compat libs
-pushd compat/src/.libs/
-install -p libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0
-ln -s -f %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}
-popd
-
-%ldconfig_scriptlets
-
-%files
-%license COPYING
-%doc NEWS README AUTHORS
-%{_bindir}/*
-# if you need to bump the soname version, coordinate with dependent packages
-%{_libdir}/libimaevm.so.2
-%{_libdir}/libimaevm.so.2.0.0
-%{_mandir}/man1/*
-
-%files devel
-%{_pkgdocdir}/*.sh
-%{_includedir}/*
-%{_libdir}/libimaevm.so
-
-%files -n %{name}%{compat_soversion}
-%{_libdir}/libimaevm.so.%{compat_soversion}
-%{_libdir}/libimaevm.so.%{compat_soversion}.0.0
-
-%changelog
-* Thu Feb 18 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-12
-- Add compat subpackage for keeping the API stability in userspace
-
-* Mon Jan 25 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-11
-- Bump release number for yet another rebuild
-
-* Mon Jan 25 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-10
-- Add patch for fixing hash algorithm used through libimaevm
-
-* Fri Jan 15 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-9
-- Add tpm2-tss as a runtime dependency
-
-* Sun Jan 10 2021 Michal Domonkos <mdomonko@redhat.com> - 1.3.2-8
-- Bump release number for yet another couple of rebuilds
-
-* Wed Jan 06 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-4
-- Bump release number for yet another build for solving wrong target usage
-
-* Wed Jan 06 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-3
-- Bump release number for another build, handling build issues
-
-* Tue Dec 01 2020 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-2
-- Bump release number for forcing a new build
-
-* Mon Nov 09 2020 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-1
-- Rebase to upstream v1.3.2 version
-- Sync specfile with Fedora's version
-
-* Thu Mar 28 2019 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.1-5
-- Add patch to correctly handle key description on keyring during importation
-
-* Mon Oct 29 2018 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.1-4
-- Solve a single memory leak not handled by the last patch
-
-* Thu Oct 25 2018 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.1-3
-- Solve memory leaks pointed by covscan tool
-- Add optimization flag O2 during compilation to satisfy annocheck tool
-
-* Fri Mar 02 2018 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.1-2
-- Remove libtool files
-- Run ldconfig scriptlets after un/installing
-- Add -devel subpackage to handle include files and examples
-- Disable any static file in the package
-
-* Fri Feb 16 2018 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.1-1
-- New upstream release
-- Support for OpenSSL 1.1 was added directly to the source code in upstream,
-  thus removing specific patch for it
-- Docbook xsl stylesheet updated to a local path
-
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Fri Feb 02 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.0-4
-- Switch to %%ldconfig_scriptlets
-
-* Fri Dec 01 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-3
-- Add OpenSSL 1.1 API support for the package, avoiding the need of
-  compat-openssl10-devel package
-
-* Mon Nov 20 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-2
-- Adjusted docbook xsl path to match the correct stylesheet
-- Remove only *.la files, considering there aren't any *.a files
-
-* Tue Sep 05 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-1
-- New upstream release
-- Add OpenSSL 1.0 compatibility package, due to issues with OpenSSL 1.1
-- Remove libtool files
-- Run ldconfig after un/installation to update *.so files
-- Add -devel subpackage to handle include files and examples
-
-* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
-
-* Tue Jan 26 2016 Lubomir Rintel <lkundrak@v3.sk> - 0.9-3
-- Fix FTBFS
-
-* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
-
-* Fri Oct 31 2014 Avesh Agarwal <avagarwa@redhat.com> - 0.9-1
-- New upstream release
-- Applied a patch to fix man page issues.
-- Updated spec file
-
-* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
-
-* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
-
-* Tue Aug 27 2013 Vivek Goyal <vgoyal@redhat.com> - 0.6-1
-- Initial package

dracut-98-integrity.conf

@@ -0,0 +1 @@
+add_dracutmodules+=" integrity "

ima-add-sigs.sh

@@ -0,0 +1,141 @@
+#!/bin/bash
+#
+# This script add IMA signatures to installed RPM package files
+usage() {
+	echo "Add IMA signatures to installed packages."
+	cat <<EOF
+usage: $0 [--package=PACKAGE_NAME|ALL] [--ima_cert=IMA_CERT_PATH] [--reinstall_threshold=NUM]
+
+       --package
+       By default, it will add IMA sigantures to all installed package files.
+       Or you can provide a package name to only add IMA signature for files of
+       specicifed package.
+
+       --reinstall_threshold
+       When there are >reinstall_threshold (=20 by default) packages in the RPM
+       DB missing IMA signatures, reinstalling the packages to add IMA
+       signatures to the packages.  By default, IMA sigatures will be obtained
+       from the RPM DB. However the RPM DB may not have the signatures. Dectect
+       this case by checking if there are >reinstall_threshold package missing
+       IMA signatures.
+
+       --ima_cert
+       With the signing IMA cert path specified, it will also try to verify the
+       added IMA signature.
+
+EOF
+	exit 1
+}
+
+for _opt in "$@"; do
+	case "$_opt" in
+	--reinstall_threshold=*)
+		reinstall_threshold=${_opt#*=}
+		;;
+	--package=*)
+		package=${_opt#*=}
+		;;
+	--ima_cert=*)
+		ima_cert=${_opt#*=}
+		;;
+	*)
+		[[ -n $1 ]] && usage
+		;;
+	esac
+done
+
+if [[ -z $package ]] || [[ $package == ALL ]]; then
+	package="--all"
+fi
+
+abort() {
+	echo "$1"
+	exit 1
+}
+
+get_system_ima_key() {
+	source /etc/os-release
+	local -A name_map=(['Fedora Linux']="fedora" ['Red Hat Enterprise Linux']="redhatimarelease" ['CentOS Stream']='centosimarelease')
+	local version_id
+	key_name=${name_map[$NAME]}
+	version_id=${VERSION_ID/.?/}
+
+	[[ $key_name == fedora ]] && name_suffix=-ima
+	key_path=/etc/keys/ima/${key_name}-${version_id}${name_suffix}.der
+	if [[ ! -e $key_path ]]; then
+		echo "Failed to get system IMA code verification key"
+		exit 1
+	fi
+
+	echo -n "$key_path"
+}
+
+# Add IMA signatures from RPM database
+add_from_rpm_db() {
+	if ! command -v setfattr &>/dev/null; then
+		abort "Please install attr"
+	fi
+
+	if [[ -e "$ima_cert" ]]; then
+		verify_ima_cert=$ima_cert
+	else
+		verify_ima_cert=$(get_system_ima_key)
+	fi
+
+	# use "|" as deliminator since it won't be used in a filename or signature
+	while IFS="|" read -r path sig; do
+		# [[ -z "$sig" ]] somehow doesn't work for some files that don't have IMA
+		# signatures. This may be a issue of rpm
+		if [[ "$sig" != "0"* ]]; then
+			continue
+		fi
+
+		# Skip directory, soft links, non-existent files and vfat fs
+		if [[ -d "$path" || -L "$path" || ! -f "$path" || "$path" == "/boot/efi/EFI/"* ]]; then
+			continue
+		fi
+
+		# Skip some files that are created on the fly
+		if [[ $path == "/usr/share/mime/"* || $path == "/etc/pki/ca-trust/extracted/"* ]]; then
+			continue
+		fi
+
+		if ! setfattr -n security.ima "$path" -v "0x$sig"; then
+			echo "Failed to add IMA sig for $path"
+		fi
+
+		if ! evmctl ima_verify -k "$verify_ima_cert" "$path" &>/dev/null; then
+			setfattr -x security.ima "$path"
+			# When ima_cert is set, shows the verfication result for users
+			[[ -e "$ima_cert" ]] && "Failed to verify $path"
+			continue
+		fi
+
+	done < <(rpm -q --queryformat "[%{FILENAMES}|%{FILESIGNATURES}\n]" "$package")
+}
+
+# Add IMA signatures by reinstalling all packages
+add_by_reinstall() {
+	[[ $package == "--all" ]] && package='*'
+	dnf reinstall "$package" -yq >/dev/null
+}
+
+if [[ -z $reinstall_threshold ]]; then
+	if [[ $package == "--all" ]]; then
+		reinstall_threshold=20
+	else
+		if ! rpm -q --quiet "$package"; then
+			dnf install "$package" -yq >/dev/null
+			exit 0
+		fi
+		reinstall_threshold=1
+	fi
+fi
+
+unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{SIGPGP:pgpsig}\n" "$package" | grep -c "^(none)$")
+
+if [[ $unsigned_packages_in_rpm_db -ge $reinstall_threshold ]]; then
+	add_by_reinstall
+else
+	add_from_rpm_db
+fi

ima-evm-utils.spec

@@ -0,0 +1,318 @@
+# If the soname gets bumped we need to ship a compat library to be able
+# to bootstrap and rebuild rpm else we end up with chicken and egg problem.
+%global bootstrap 0
+
+%if 0%{bootstrap}
+%global compat_soversion 4
+%endif
+
+Name:    ima-evm-utils
+Version: 1.6.2
+Release: 3%{?dist}
+Summary: IMA/EVM support utilities
+License: GPLv2
+Url:     http://linux-ima.sourceforge.net/
+Source0: https://github.com/mimizohar/ima-evm-utils/releases/download/v%{version}/%{name}-%{version}.tar.gz
+
+# IMA setup tools
+Source2: dracut-98-integrity.conf
+Source3: ima-add-sigs.sh
+Source4: ima-setup.sh
+Source100: policy-01-appraise-executable-and-lib-signatures
+Source101: policy-02-keylime-remote-attestation
+Source200: policy_list
+Source300: redhatimarelease-10.der
+Source301: centosimarelease-10.der
+
+
+%if 0%{bootstrap}
+# compat source and patches
+Source10: ima-evm-utils-1.5.tar.gz
+%endif
+
+BuildRequires: asciidoc
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: gcc
+BuildRequires: keyutils-libs-devel
+BuildRequires: libtool
+BuildRequires: libxslt
+BuildRequires: make
+BuildRequires: openssl-devel
+BuildRequires: tpm2-tss-devel
+Requires: keyutils
+Requires: attr
+
+%description
+The Trusted Computing Group(TCG) run-time Integrity Measurement Architecture
+(IMA) maintains a list of hash values of executables and other sensitive
+system files, as they are read or executed. These are stored in the file
+systems extended attributes. The Extended Verification Module (EVM) prevents
+unauthorized changes to these extended attributes on the file system.
+ima-evm-utils is used to prepare the file system for these extended attributes.
+
+%package devel
+Summary: Development files for %{name}
+Requires: %{name} = %{version}-%{release}
+
+%description devel
+This package provides the header files for %{name}
+
+%prep
+%setup -q
+
+%if 0%{bootstrap}
+mkdir compat/
+pushd compat/
+tar -zxf %{SOURCE10} --strip-components=1
+popd
+%endif
+
+%build
+autoreconf -vif
+%configure --disable-static --disable-engine
+%make_build
+
+%if 0%{bootstrap}
+pushd compat/
+autoreconf -vif
+%configure --disable-static --disable-engine
+%make_build
+popd
+%endif
+
+%install
+%make_install
+find %{buildroot} -type f -name "*.la" -delete
+
+%if 0%{bootstrap}
+pushd compat/src/.libs/
+install -p libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0
+ln -s -f %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}
+popd
+%endif
+
+%ldconfig_scriptlets
+
+# IMA setup tools
+install -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_datadir}/ima/dracut-98-integrity.conf
+
+mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/ima/policies
+while IFS= read -r policy_file
+do
+  install -m 644 %{_sourcedir}/policy-"$policy_file" $RPM_BUILD_ROOT%{_datadir}/ima/policies/"$policy_file"
+done < %{SOURCE200}
+
+install -D %{SOURCE3} $RPM_BUILD_ROOT%{_bindir}/ima-add-sigs
+install -D %{SOURCE4} $RPM_BUILD_ROOT%{_bindir}/ima-setup
+
+# IMA code-signing certs
+install -d -m 755 $RPM_BUILD_ROOT/etc/keys/ima
+install -m 644 %{SOURCE300} %{SOURCE301} $RPM_BUILD_ROOT/etc/keys/ima/
+
+%files
+%license COPYING
+%doc NEWS README AUTHORS
+%{_bindir}/evmctl
+%{_mandir}/man1/evmctl*
+
+# IMA setup tools
+%{_datadir}/ima/policies
+%{_datadir}/ima/dracut-98-integrity.conf
+%{_bindir}/ima-add-sigs
+%{_bindir}/ima-setup
+
+# if you need to bump the soname version, coordinate with dependent packages
+%{_libdir}/libimaevm.so.5*
+%if 0%{bootstrap}
+%{_libdir}/libimaevm.so.%{compat_soversion}
+%{_libdir}/libimaevm.so.%{compat_soversion}.0.0
+%endif
+
+# IMA code-signing certs
+/etc/keys/ima/*.der
+
+%files devel
+%{_pkgdocdir}/*.sh
+%{_includedir}/imaevm.h
+%{_libdir}/libimaevm.so
+
+%changelog
+* Thu Jul 31 2025 Coiby Xu <coxu@redhat.com> - 1.6.2-3
+- Verify IMA signature to make sure it's correct
+
+* Mon Mar 10 2025 Coiby Xu <coxu@redhat.com> - 1.6.2-2
+- ima-setup: run zipl after building initramfs for s390x (RHEL-82392)
+
+* Wed Jan 15 2025 Coiby Xu <coxu@redhat.com> - 1.6.2-1
+- Disable compat lib (RHEL-65376)
+
+* Fri Nov 15 2024 Coiby Xu <coxu@redhat.com> - 1.6.2-0.1
+- Update to upstream 1.6 (RHEL-65376)
+
+* Fri Nov 08 2024 Coiby Xu <coxu@redhat.com> - 1.5-7
+- add some IMA setup tools (RHEL-34778)
+
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.5-6
+- Bump release for October 2024 mass rebuild:
+  Resolves: RHEL-64018
+
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.5-5
+- Bump release for June 2024 mass rebuild
+
+* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sat Jan 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu Jun 08 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 1.5-1
+- Disable bootstrap
+
+* Wed Jun 07 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 1.5-0.1
+- Update to 1.5
+- Streamline bootstrap process a little
+- Bootstrap mode
+- Update download URL
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.4-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Jan 20 2022 Björn Esser <besser82@fedoraproject.org> - 1.4-4
+- Build without compat bootstrap sub package
+
+* Thu Jan 20 2022 Björn Esser <besser82@fedoraproject.org> - 1.4-3
+- Build with compat bootstrap sub package
+
+* Tue Jan 18 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 1.4-2
+- Add compat bootstrap sub package
+
+* Mon Nov 08 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 1.4-1
+- Update to 1.4
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.3.2-4
+- Rebuilt with OpenSSL 3.0.0
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Oct 28 2020 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-1
+- Rebase to new upstream v1.3.2 minor release
+
+* Tue Aug 11 2020 Bruno Meneguele <bmeneg@redhat.com> - 1.3.1-1
+- Rebase to new upstream v1.3.1 minor release
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Sun Jul 26 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 1.3-2
+- Fix devel deps
+
+* Sun Jul 26 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 1.3-1
+- Update to 1.3
+- Use tpm2-tss instead of tss2
+- Minor spec cleanups
+
+* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 1.2.1-4
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Jul 31 2019 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.2.1-2
+- Add pull request to correct lib soname version, wich was bumped to 1.0.0
+
+* Wed Jul 31 2019 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.2.1-1
+- Rebase to upstream v1.2.1
+- Remove both patches that were already solved in upstream version
+- Add runtime dependency of tss2 to retrieve PCR bank data from TPM2.0
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jul 20 2018 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.1-4
+- Add patch to remove dependency from libattr-devel package
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Mar 02 2018 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.1-2
+- Remove libtool files
+- Run ldconfig scriptlets after un/installing
+- Add -devel subpackage to handle include files and examples
+- Disable any static file in the package
+
+* Fri Feb 16 2018 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.1-1
+- New upstream release
+- Support for OpenSSL 1.1 was added directly to the source code in upstream,
+  thus removing specific patch for it
+- Docbook xsl stylesheet updated to a local path
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Feb 02 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.0-4
+- Switch to %%ldconfig_scriptlets
+
+* Fri Dec 01 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-3
+- Add OpenSSL 1.1 API support for the package, avoiding the need of
+  compat-openssl10-devel package
+
+* Mon Nov 20 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-2
+- Adjusted docbook xsl path to match the correct stylesheet
+- Remove only *.la files, considering there aren't any *.a files
+
+* Tue Sep 05 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-1
+- New upstream release
+- Add OpenSSL 1.0 compatibility package, due to issues with OpenSSL 1.1
+- Remove libtool files
+- Run ldconfig after un/installation to update *.so files
+- Add -devel subpackage to handle include files and examples
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Jan 26 2016 Lubomir Rintel <lkundrak@v3.sk> - 0.9-3
+- Fix FTBFS
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Fri Oct 31 2014 Avesh Agarwal <avagarwa@redhat.com> - 0.9-1
+- New upstream release
+- Applied a patch to fix man page issues.
+- Updated spec file
+
+* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Tue Aug 27 2013 Vivek Goyal <vgoyal@redhat.com> - 0.6-1
+- Initial package

ima-setup.sh

@@ -0,0 +1,145 @@
+#!/bin/bash
+#
+# This script helps set up IMA.
+#
+IMA_SYSTEMD_POLICY=/etc/ima/ima-policy
+IMA_POLICY_SYSFS=/sys/kernel/security/ima/policy
+
+usage() {
+	echo "Set up IMA."
+	cat <<EOF
+usage: $0 --policy=IMA_POLICY_PATH [--reinstall_threshold=NUM]
+
+       --policy
+       The path of IMA policy to be loaded. Sample polices are inside
+       /usr/share/ima/policies or you can use your own IMA policy
+       The path of IMA policy to be loaded.  Sample polices are inside
+       /usr/share/ima/policies or you can use your own IMA policy
+
+       --reinstall_threshold
+       When there are >reinstall_threshold packages in the RPM DB missing IMA
+       signatures, reinstalling the packages to add IMA signatures to the
+       packages.  By default, IMA sigatures will be obtained from the RPM DB.
+       However the RPM DB may not have the signatures. Dectect this case by
+       checking if there are >reinstall_threshold package missing IMA
+       signatures.
+
+EOF
+	exit 1
+}
+
+for _opt in "$@"; do
+	case "$_opt" in
+	--policy=*)
+		ima_policy_path=${_opt#*=}
+		if [[ ! -e $ima_policy_path ]]; then
+			echo "$ima_policy_path doesn't exist"
+			exit 1
+		fi
+		;;
+	--reinstall_threshold=*)
+		reinstall_threshold=${_opt#*=}
+		;;
+	*)
+		usage
+		;;
+	esac
+done
+
+if [[ $# -eq 0 ]]; then
+	usage
+fi
+
+echo "Installing prerequisite package rpm-plugin-ima"
+if ! dnf install rpm-plugin-ima -yq; then
+	echo "Failed to install rpm-plugin-ima, abort"
+	exit 1
+fi
+
+# Add IMA signatures
+if test -f /run/ostree-booted; then
+	echo "You are using OSTree, please enable IMA signatures as part of the OSTree creation process."
+else
+	echo "Adding IMA signatures to installed package files"
+	if ! ima-add-sigs --reinstall_threshold="$reinstall_threshold"; then
+		echo "Failed to add IMA signatures, abort"
+		exit 1
+	fi
+fi
+
+load_ima_keys() {
+	local _key_loaded
+
+	if line=$(keyctl describe %keyring:.ima); then
+		_ima_id=${line%%:*}
+	else
+		echo "Failed to get ID of the .ima  keyring"
+		exit 1
+	fi
+
+	for i in /etc/keys/ima/*; do
+		if [ ! -f "${i}" ]; then
+			echo "No IMA key exist"
+			exit 1
+		fi
+
+		if ! evmctl import "${i}" "${_ima_id}" &>/dev/null; then
+			echo "Failed to load IMA key ${i}"
+		else
+			_key_loaded=yes
+		fi
+	done
+
+	if [[ $_key_loaded != yes ]]; then
+		echo "No IMA key loaded"
+		exit 1
+	fi
+}
+
+load_ima_policy() {
+	local ima_policy_path
+
+	ima_policy_path=$1
+
+	if ! test -f "$ima_policy_path"; then
+		echo "$ima_policy_path doesn't exist"
+		return 1
+	fi
+	if ! echo "$ima_policy_path" >"$IMA_POLICY_SYSFS"; then
+		echo "$ima_policy_path can't be loaded"
+		return 1
+	fi
+	# Let systemd load the IMA policy which will load LSM rules first so IMA
+	# policy containing rules like "appraise obj_type=ifconfig_exec_t" can be
+	# loaded
+	[[ -e /etc/ima ]] || mkdir -p /etc/ima/
+	if ! cp --preserve=xattr "$ima_policy_path" "$IMA_SYSTEMD_POLICY"; then
+		echo "Failed to copy $ima_policy_path to $IMA_SYSTEMD_POLICY"
+		return 1
+	fi
+}
+
+echo "Loading IMA keys"
+load_ima_keys
+
+# Include the dracut integrity module to load the IMA keys and policy
+# automatically when there is a system reboot
+if ! lsinitrd --mod | grep -q integrity; then
+	cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf
+	echo "Rebuilding the initramfs of kernel-$(uname -r) to include the dracut integrity module"
+	dracut -f
+
+	if command -v grubby >/dev/null; then
+		_default_kernel=$(grubby --default-kernel | sed -En "s/.*vmlinuz-(.*)/\1/p")
+		if [[ $_default_kernel != $(uname -r) ]]; then
+			echo "Current kernel is not the default kernel ($_default_kernel), include dracut integrity for it as well"
+			dracut -f --kver "$_default_kernel"
+		fi
+	fi
+	[[ $(uname -m) == s390x ]] && zipl &> /dev/null
+fi
+
+if ! load_ima_policy "$ima_policy_path"; then
+	echo "Failed to load IMA policy $ima_policy_path!"
+	exit 1
+fi

policy-01-appraise-executable-and-lib-signatures

@@ -0,0 +1,28 @@
+# Skip some unsupported filesystems
+# This list of the filesystems can be found on
+# https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
+# PROC_SUPER_MAGIC
+dont_appraise fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_appraise fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_appraise fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_appraise fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_appraise fsmagic=0x858458f6
+# DEVPTS_SUPER_MAGIC
+dont_appraise fsmagic=0x1cd1
+# BINFMTFS_MAGIC
+dont_appraise fsmagic=0x42494e4d
+# SECURITYFS_MAGIC
+dont_appraise fsmagic=0x73636673
+# SELINUX_MAGIC
+dont_appraise fsmagic=0xf97cff8c
+# CGROUP_SUPER_MAGIC
+dont_appraise fsmagic=0x27e0eb
+# NSFS_MAGIC
+dont_appraise fsmagic=0x6e736673
+
+appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
+appraise func=BPRM_CHECK appraise_type=imasig

policy-02-keylime-remote-attestation

@@ -0,0 +1,37 @@
+# PROC_SUPER_MAGIC
+dont_measure fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_measure fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_measure fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_measure fsmagic=0x01021994
+# DEVPTS_SUPER_MAGIC
+dont_measure fsmagic=0x1cd1
+# BINFMTFS_MAGIC
+dont_measure fsmagic=0x42494e4d
+# SECURITYFS_MAGIC
+dont_measure fsmagic=0x73636673
+# SELINUX_MAGIC
+dont_measure fsmagic=0xf97cff8c
+# SMACK_MAGIC
+dont_measure fsmagic=0x43415d53
+# CGROUP_SUPER_MAGIC
+dont_measure fsmagic=0x27e0eb
+# CGROUP2_SUPER_MAGIC
+dont_measure fsmagic=0x63677270
+# NSFS_MAGIC
+dont_measure fsmagic=0x6e736673
+# EFIVARFS_MAGIC
+dont_measure fsmagic=0xde5e81e4
+# OVERLAYFS_MAGIC
+# when containers are used we almost always want to ignore them
+dont_measure fsmagic=0x794c7630
+
+
+# Measure and log keys loaded onto the .ima keyring
+measure func=KEY_CHECK keyrings=.ima
+# Measure and log executables
+measure func=BPRM_CHECK
+# Measure and log shared libraries
+measure func=FILE_MMAP mask=MAY_EXEC

policy_list

@@ -0,0 +1,2 @@
+01-appraise-executable-and-lib-signatures
+02-keylime-remote-attestation

sources

@@ -0,0 +1,3 @@
+SHA512 (centosimarelease-10.der) = 8ee9a0107a7fe12078c1a82e4accbecca4d1246eadc60692880b5c2e6617c2ace27114d79ec6cc5fef11296fa11765145fcfbd8e2092fa96c56b13af925e5444
+SHA512 (ima-evm-utils-1.6.2.tar.gz) = dfd82ba7c48c14fd31d687214a2b0cfcf269bdea42d4a0ebc872a72205f880c509ed5c5cd55dec7e94444e6f3bdc3c071ec6c2e3eba1e6579edb8ef11aa158a1
+SHA512 (redhatimarelease-10.der) = 910b39fe16c2d8675c45c360797e6fb4a61d423b2c45a5a49aabc29a21b8dca44d50772353c3b4e557af25a2253d2ad2a2a3825a07cab556fd4eb154013c90de