import UBI ima-evm-utils-1.6.2-3.el10

import UBI ima-evm-utils-1.6.2-1.el10
2025-11-11 21:59:37 +00:00 · 2025-05-14 19:03:05 +00:00
16 changed files with 678 additions and 363 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
-SOURCES/ima-evm-utils-1.1.tar.gz
+centosimarelease-10.der
-SOURCES/ima-evm-utils-1.3.2.tar.gz
+ima-evm-utils-1.6.2.tar.gz
 redhatimarelease-10.der
--- a/.ima-evm-utils.metadata
+++ b/.ima-evm-utils.metadata
@ -1,2 +0,0 @@
 58705b3544ae6e650042374dba535c0b3837b8fc SOURCES/ima-evm-utils-1.1.tar.gz
 034d163533ae5f9c06001b375ec7e5a1b09a3853 SOURCES/ima-evm-utils-1.3.2.tar.gz
--- a/SOURCES/0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch
+++ b/SOURCES/0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch
@ -1,38 +0,0 @@
 From ea10a33d26572eebde59565179f622b6fb240d04 Mon Sep 17 00:00:00 2001
 From: Patrick Uiterwijk <patrick@puiterwijk.org>
 Date: Wed, 6 Jan 2021 10:43:34 +0100
 Subject: [PATCH] Fix sign_hash not observing the hashalgo argument
 This fixes sign_hash not using the correct algorithm for creating the
 signature, by ensuring it uses the passed in variable value.
 Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
 ---
 src/libimaevm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/libimaevm.c b/src/libimaevm.c
 index fa6c27858d0f..72d5e67f6fdd 100644
 --- a/src/libimaevm.c
 +++ b/src/libimaevm.c
@@ -916,7 +916,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
 		return -1;
 	}
 -	log_info("hash(%s): ", imaevm_params.hash_algo);
 +	log_info("hash(%s): ", algo);
 	log_dump(hash, size);
 	pkey = read_priv_pkey(keyfile, imaevm_params.keypass);
@@ -942,7 +942,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
 	if (!EVP_PKEY_sign_init(ctx))
 		goto err;
 	st = "EVP_get_digestbyname";
 -	if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo)))
 +	if (!(md = EVP_get_digestbyname(algo)))
 		goto err;
 	st = "EVP_PKEY_CTX_set_signature_md";
 	if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
 -- 
 2.29.2
--- a/SOURCES/annocheck-opt-flag.patch
+++ b/SOURCES/annocheck-opt-flag.patch
@ -1,19 +0,0 @@
 diff --git a/configure.ac b/configure.ac
 index 6822f39..34e4a81 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -36,9 +36,9 @@ AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You n
 #debug support - yes for a while
 PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
 if test $pkg_cv_enable_debug = yes; then
 -	CFLAGS="$CFLAGS -g -O1 -Wall -Wstrict-prototypes -pipe"
 +	CFLAGS="$CFLAGS -g -O2 -Wall -Wstrict-prototypes -pipe"
 else
 -	CFLAGS="$CFLAGS -Wall -Wstrict-prototypes -pipe -fomit-frame-pointer"
 +	CFLAGS="$CFLAGS -O2 -Wall -Wstrict-prototypes -pipe -fomit-frame-pointer"
 fi
 # for gcov
 -- 
 2.14.4
--- a/SOURCES/covscan-memory-leaks.patch
+++ b/SOURCES/covscan-memory-leaks.patch
@ -1,45 +0,0 @@
 diff --git a/src/evmctl.c b/src/evmctl.c
 index 2ffee78..b80a1c9 100644
 --- a/src/evmctl.c
 +++ b/src/evmctl.c
@@ -1716,7 +1716,7 @@ static char *get_password(void)
 	if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
 		perror("tcsetattr");
 -		return NULL;
 +		goto get_pwd_err;
 	}
 	printf("PEM password: ");
@@ -1725,10 +1725,14 @@ static char *get_password(void)
 	/* restore terminal */
 	if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
 		perror("tcsetattr");
 -		return NULL;
 +		goto get_pwd_err;
 	}
 +	free(password);
 	return pwd;
 +get_pwd_err:
 +	free(password);
 +	return NULL;
 }
 int main(int argc, char *argv[])
 diff --git a/src/libimaevm.c b/src/libimaevm.c
 index 6fa0ed4..39582f2 100644
 --- a/src/libimaevm.c
 +++ b/src/libimaevm.c
@@ -466,6 +466,8 @@ void init_public_keys(const char *keyfiles)
 		entry->next = public_keys;
 		public_keys = entry;
 	}
 +
 +	free(tmp_keyfiles);
 }
 int verify_hash_v2(const char *file, const unsigned char *hash, int size,
 -- 
 2.14.4
--- a/SOURCES/docbook-xsl-path.patch
+++ b/SOURCES/docbook-xsl-path.patch
@ -1,12 +0,0 @@
 diff -urNp ima-evm-utils-1.0-orig/Makefile.am ima-evm-utils-1.0/Makefile.am
 --- ima-evm-utils-1.0-orig/Makefile.am	2015-07-30 15:28:53.000000000 -0300
 +++ ima-evm-utils-1.0/Makefile.am	2017-11-20 16:20:04.245591165 -0200
@@ -24,7 +24,7 @@ rpm: $(tarname)
 	rpmbuild -ba --nodeps $(SPEC)
 # requires asciidoc, xslproc, docbook-xsl
 -MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl
 +MANPAGE_DOCBOOK_XSL = /usr/share/sgml/docbook/xsl-stylesheets/manpages/docbook.xsl
 evmctl.1.html: README
 	@asciidoc -o $@ $<
--- a/SOURCES/libimaevm-keydesc-import.patch
+++ b/SOURCES/libimaevm-keydesc-import.patch
@ -1,37 +0,0 @@
 diff --git a/src/libimaevm.c b/src/libimaevm.c
 index 6fa0ed4..b6f9b9f 100644
 --- a/src/libimaevm.c
 +++ b/src/libimaevm.c
@@ -672,12 +672,11 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
 	memcpy(keyid, sha1 + 12, 8);
 	log_debug("keyid: ");
 	log_debug_dump(keyid, 8);
 +	id = __be64_to_cpup((__be64 *) keyid);
 +	sprintf(str, "%llX", (unsigned long long)id);
 -	if (params.verbose > LOG_INFO) {
 -		id = __be64_to_cpup((__be64 *) keyid);
 -		sprintf(str, "%llX", (unsigned long long)id);
 +	if (params.verbose > LOG_INFO)
 		log_info("keyid-v1: %s\n", str);
 -	}
 }
 void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
@@ -694,11 +693,10 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
 	memcpy(keyid, sha1 + 16, 4);
 	log_debug("keyid: ");
 	log_debug_dump(keyid, 4);
 +	sprintf(str, "%x", __be32_to_cpup(keyid));
 -	if (params.verbose > LOG_INFO) {
 -		sprintf(str, "%x", __be32_to_cpup(keyid));
 +	if (params.verbose > LOG_INFO)
 		log_info("keyid: %s\n", str);
 -	}
 	free(pkey);
 }
 -- 
 2.19.1
--- a/SPECS/ima-evm-utils.spec
+++ b/SPECS/ima-evm-utils.spec
@ -1,208 +0,0 @@
 %global compat_soversion 0
 Name:    ima-evm-utils
 Version: 1.3.2
 Release: 12%{?dist}
 Summary: IMA/EVM support utilities
 License: GPLv2
 Url:     http://linux-ima.sourceforge.net/
 Source:  http://sourceforge.net/projects/linux-ima/files/ima-evm-utils/%{name}-%{version}.tar.gz
 Source10: ima-evm-utils-1.1.tar.gz
 Patch0: 0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch
 # compat patches
 Patch1: docbook-xsl-path.patch
 Patch2: covscan-memory-leaks.patch
 Patch3: annocheck-opt-flag.patch
 Patch4: libimaevm-keydesc-import.patch
 BuildRequires: asciidoc
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: gcc
 BuildRequires: keyutils-libs-devel
 BuildRequires: libtool
 BuildRequires: libxslt
 BuildRequires: openssl-devel
 BuildRequires: tpm2-tss-devel
 # compat requirement
 BuildRequires: libattr-devel
 #Requires: tpm2-tss
 %description
 The Trusted Computing Group(TCG) run-time Integrity Measurement Architecture
 (IMA) maintains a list of hash values of executables and other sensitive
 system files, as they are read or executed. These are stored in the file
 systems extended attributes. The Extended Verification Module (EVM) prevents
 unauthorized changes to these extended attributes on the file system.
 ima-evm-utils is used to prepare the file system for these extended attributes.
 %package devel
 Summary: Development files for %{name}
 Requires: %{name} = %{version}-%{release}
 %description devel
 This package provides the header files for %{name}
 %package -n %{name}%{compat_soversion}
 Summary: Compatibility package of %{name}
 %description -n %{name}%{compat_soversion}
 This package provides the libimaevm.so.%{compat_soversion} relative to %{name}-1.1
 %prep
 %setup -q
 %patch0 -p1
 mkdir compat/
 tar -zxf %{SOURCE10} --strip-components=1 -C compat/
 cd compat/
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %build
 # build compat version of the package
 pushd compat/
 autoreconf -vif
 %configure --disable-static
 %make_build
 popd
 autoreconf -vif
 %configure --disable-static
 %make_build
 %install
 %make_install
 find %{buildroot}%{_libdir} -type f -name "*.la" -print -delete
 # install compat libs
 pushd compat/src/.libs/
 install -p libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0
 ln -s -f %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}
 popd
 %ldconfig_scriptlets
 %files
 %license COPYING
 %doc NEWS README AUTHORS
 %{_bindir}/*
 # if you need to bump the soname version, coordinate with dependent packages
 %{_libdir}/libimaevm.so.2
 %{_libdir}/libimaevm.so.2.0.0
 %{_mandir}/man1/*
 %files devel
 %{_pkgdocdir}/*.sh
 %{_includedir}/*
 %{_libdir}/libimaevm.so
 %files -n %{name}%{compat_soversion}
 %{_libdir}/libimaevm.so.%{compat_soversion}
 %{_libdir}/libimaevm.so.%{compat_soversion}.0.0
 %changelog
 * Thu Feb 18 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-12
 - Add compat subpackage for keeping the API stability in userspace
 * Mon Jan 25 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-11
 - Bump release number for yet another rebuild
 * Mon Jan 25 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-10
 - Add patch for fixing hash algorithm used through libimaevm
 * Fri Jan 15 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-9
 - Add tpm2-tss as a runtime dependency
 * Sun Jan 10 2021 Michal Domonkos <mdomonko@redhat.com> - 1.3.2-8
 - Bump release number for yet another couple of rebuilds
 * Wed Jan 06 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-4
 - Bump release number for yet another build for solving wrong target usage
 * Wed Jan 06 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-3
 - Bump release number for another build, handling build issues
 * Tue Dec 01 2020 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-2
 - Bump release number for forcing a new build
 * Mon Nov 09 2020 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-1
 - Rebase to upstream v1.3.2 version
 - Sync specfile with Fedora's version
 * Thu Mar 28 2019 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.1-5
 - Add patch to correctly handle key description on keyring during importation
 * Mon Oct 29 2018 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.1-4
 - Solve a single memory leak not handled by the last patch
 * Thu Oct 25 2018 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.1-3
 - Solve memory leaks pointed by covscan tool
 - Add optimization flag O2 during compilation to satisfy annocheck tool
 * Fri Mar 02 2018 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.1-2
 - Remove libtool files
 - Run ldconfig scriptlets after un/installing
 - Add -devel subpackage to handle include files and examples
 - Disable any static file in the package
 * Fri Feb 16 2018 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.1-1
 - New upstream release
 - Support for OpenSSL 1.1 was added directly to the source code in upstream,
  thus removing specific patch for it
 - Docbook xsl stylesheet updated to a local path
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
 * Fri Feb 02 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.0-4
 - Switch to %%ldconfig_scriptlets
 * Fri Dec 01 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-3
 - Add OpenSSL 1.1 API support for the package, avoiding the need of
  compat-openssl10-devel package
 * Mon Nov 20 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-2
 - Adjusted docbook xsl path to match the correct stylesheet
 - Remove only *.la files, considering there aren't any *.a files
 * Tue Sep 05 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-1
 - New upstream release
 - Add OpenSSL 1.0 compatibility package, due to issues with OpenSSL 1.1
 - Remove libtool files
 - Run ldconfig after un/installation to update *.so files
 - Add -devel subpackage to handle include files and examples
 * Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
 * Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
 * Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
 * Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
 * Tue Jan 26 2016 Lubomir Rintel <lkundrak@v3.sk> - 0.9-3
 - Fix FTBFS
 * Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
 * Fri Oct 31 2014 Avesh Agarwal <avagarwa@redhat.com> - 0.9-1
 - New upstream release
 - Applied a patch to fix man page issues.
 - Updated spec file
 * Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
 * Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
 * Tue Aug 27 2013 Vivek Goyal <vgoyal@redhat.com> - 0.6-1
 - Initial package
--- a/dracut-98-integrity.conf
+++ b/dracut-98-integrity.conf
@ -0,0 +1 @@
 add_dracutmodules+=" integrity "
--- a/ima-add-sigs.sh
+++ b/ima-add-sigs.sh
@ -0,0 +1,141 @@
 #!/bin/bash
 #
 # This script add IMA signatures to installed RPM package files
 usage() {
 	echo "Add IMA signatures to installed packages."
 	cat <<EOF
 usage: $0 [--package=PACKAGE_NAME|ALL] [--ima_cert=IMA_CERT_PATH] [--reinstall_threshold=NUM]
       --package
       By default, it will add IMA sigantures to all installed package files.
       Or you can provide a package name to only add IMA signature for files of
       specicifed package.
       --reinstall_threshold
       When there are >reinstall_threshold (=20 by default) packages in the RPM
       DB missing IMA signatures, reinstalling the packages to add IMA
       signatures to the packages.  By default, IMA sigatures will be obtained
       from the RPM DB. However the RPM DB may not have the signatures. Dectect
       this case by checking if there are >reinstall_threshold package missing
       IMA signatures.
       --ima_cert
       With the signing IMA cert path specified, it will also try to verify the
       added IMA signature.
 EOF
 	exit 1
 }
 for _opt in "$@"; do
 	case "$_opt" in
 	--reinstall_threshold=*)
 		reinstall_threshold=${_opt#*=}
 		;;
 	--package=*)
 		package=${_opt#*=}
 		;;
 	--ima_cert=*)
 		ima_cert=${_opt#*=}
 		;;
 	*)
 		[[ -n $1 ]] && usage
 		;;
 	esac
 done
 if [[ -z $package ]] || [[ $package == ALL ]]; then
 	package="--all"
 fi
 abort() {
 	echo "$1"
 	exit 1
 }
 get_system_ima_key() {
 	source /etc/os-release
 	local -A name_map=(['Fedora Linux']="fedora" ['Red Hat Enterprise Linux']="redhatimarelease" ['CentOS Stream']='centosimarelease')
 	local version_id
 	key_name=${name_map[$NAME]}
 	version_id=${VERSION_ID/.?/}
 	[[ $key_name == fedora ]] && name_suffix=-ima
 	key_path=/etc/keys/ima/${key_name}-${version_id}${name_suffix}.der
 	if [[ ! -e $key_path ]]; then
 		echo "Failed to get system IMA code verification key"
 		exit 1
 	fi
 	echo -n "$key_path"
 }
 # Add IMA signatures from RPM database
 add_from_rpm_db() {
 	if ! command -v setfattr &>/dev/null; then
 		abort "Please install attr"
 	fi
 	if [[ -e "$ima_cert" ]]; then
 		verify_ima_cert=$ima_cert
 	else
 		verify_ima_cert=$(get_system_ima_key)
 	fi
 	# use "|" as deliminator since it won't be used in a filename or signature
 	while IFS="|" read -r path sig; do
 		# [[ -z "$sig" ]] somehow doesn't work for some files that don't have IMA
 		# signatures. This may be a issue of rpm
 		if [[ "$sig" != "0"* ]]; then
 			continue
 		fi
 		# Skip directory, soft links, non-existent files and vfat fs
 		if [[ -d "$path" || -L "$path" || ! -f "$path" || "$path" == "/boot/efi/EFI/"* ]]; then
 			continue
 		fi
 		# Skip some files that are created on the fly
 		if [[ $path == "/usr/share/mime/"* || $path == "/etc/pki/ca-trust/extracted/"* ]]; then
 			continue
 		fi
 		if ! setfattr -n security.ima "$path" -v "0x$sig"; then
 			echo "Failed to add IMA sig for $path"
 		fi
 		if ! evmctl ima_verify -k "$verify_ima_cert" "$path" &>/dev/null; then
 			setfattr -x security.ima "$path"
 			# When ima_cert is set, shows the verfication result for users
 			[[ -e "$ima_cert" ]] && "Failed to verify $path"
 			continue
 		fi
 	done < <(rpm -q --queryformat "[%{FILENAMES}|%{FILESIGNATURES}\n]" "$package")
 }
 # Add IMA signatures by reinstalling all packages
 add_by_reinstall() {
 	[[ $package == "--all" ]] && package='*'
 	dnf reinstall "$package" -yq >/dev/null
 }
 if [[ -z $reinstall_threshold ]]; then
 	if [[ $package == "--all" ]]; then
 		reinstall_threshold=20
 	else
 		if ! rpm -q --quiet "$package"; then
 			dnf install "$package" -yq >/dev/null
 			exit 0
 		fi
 		reinstall_threshold=1
 	fi
 fi
 unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{SIGPGP:pgpsig}\n" "$package" | grep -c "^(none)$")
 if [[ $unsigned_packages_in_rpm_db -ge $reinstall_threshold ]]; then
 	add_by_reinstall
 else
 	add_from_rpm_db
 fi
--- a/ima-evm-utils.spec
+++ b/ima-evm-utils.spec
@ -0,0 +1,318 @@
 # If the soname gets bumped we need to ship a compat library to be able
 # to bootstrap and rebuild rpm else we end up with chicken and egg problem.
 %global bootstrap 0
 %if 0%{bootstrap}
 %global compat_soversion 4
 %endif
 Name:    ima-evm-utils
 Version: 1.6.2
 Release: 3%{?dist}
 Summary: IMA/EVM support utilities
 License: GPLv2
 Url:     http://linux-ima.sourceforge.net/
 Source0: https://github.com/mimizohar/ima-evm-utils/releases/download/v%{version}/%{name}-%{version}.tar.gz
 # IMA setup tools
 Source2: dracut-98-integrity.conf
 Source3: ima-add-sigs.sh
 Source4: ima-setup.sh
 Source100: policy-01-appraise-executable-and-lib-signatures
 Source101: policy-02-keylime-remote-attestation
 Source200: policy_list
 Source300: redhatimarelease-10.der
 Source301: centosimarelease-10.der
 %if 0%{bootstrap}
 # compat source and patches
 Source10: ima-evm-utils-1.5.tar.gz
 %endif
 BuildRequires: asciidoc
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: gcc
 BuildRequires: keyutils-libs-devel
 BuildRequires: libtool
 BuildRequires: libxslt
 BuildRequires: make
 BuildRequires: openssl-devel
 BuildRequires: tpm2-tss-devel
 Requires: keyutils
 Requires: attr
 %description
 The Trusted Computing Group(TCG) run-time Integrity Measurement Architecture
 (IMA) maintains a list of hash values of executables and other sensitive
 system files, as they are read or executed. These are stored in the file
 systems extended attributes. The Extended Verification Module (EVM) prevents
 unauthorized changes to these extended attributes on the file system.
 ima-evm-utils is used to prepare the file system for these extended attributes.
 %package devel
 Summary: Development files for %{name}
 Requires: %{name} = %{version}-%{release}
 %description devel
 This package provides the header files for %{name}
 %prep
 %setup -q
 %if 0%{bootstrap}
 mkdir compat/
 pushd compat/
 tar -zxf %{SOURCE10} --strip-components=1
 popd
 %endif
 %build
 autoreconf -vif
 %configure --disable-static --disable-engine
 %make_build
 %if 0%{bootstrap}
 pushd compat/
 autoreconf -vif
 %configure --disable-static --disable-engine
 %make_build
 popd
 %endif
 %install
 %make_install
 find %{buildroot} -type f -name "*.la" -delete
 %if 0%{bootstrap}
 pushd compat/src/.libs/
 install -p libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0
 ln -s -f %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}
 popd
 %endif
 %ldconfig_scriptlets
 # IMA setup tools
 install -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_datadir}/ima/dracut-98-integrity.conf
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/ima/policies
 while IFS= read -r policy_file
 do
  install -m 644 %{_sourcedir}/policy-"$policy_file" $RPM_BUILD_ROOT%{_datadir}/ima/policies/"$policy_file"
 done < %{SOURCE200}
 install -D %{SOURCE3} $RPM_BUILD_ROOT%{_bindir}/ima-add-sigs
 install -D %{SOURCE4} $RPM_BUILD_ROOT%{_bindir}/ima-setup
 # IMA code-signing certs
 install -d -m 755 $RPM_BUILD_ROOT/etc/keys/ima
 install -m 644 %{SOURCE300} %{SOURCE301} $RPM_BUILD_ROOT/etc/keys/ima/
 %files
 %license COPYING
 %doc NEWS README AUTHORS
 %{_bindir}/evmctl
 %{_mandir}/man1/evmctl*
 # IMA setup tools
 %{_datadir}/ima/policies
 %{_datadir}/ima/dracut-98-integrity.conf
 %{_bindir}/ima-add-sigs
 %{_bindir}/ima-setup
 # if you need to bump the soname version, coordinate with dependent packages
 %{_libdir}/libimaevm.so.5*
 %if 0%{bootstrap}
 %{_libdir}/libimaevm.so.%{compat_soversion}
 %{_libdir}/libimaevm.so.%{compat_soversion}.0.0
 %endif
 # IMA code-signing certs
 /etc/keys/ima/*.der
 %files devel
 %{_pkgdocdir}/*.sh
 %{_includedir}/imaevm.h
 %{_libdir}/libimaevm.so
 %changelog
 * Thu Jul 31 2025 Coiby Xu <coxu@redhat.com> - 1.6.2-3
 - Verify IMA signature to make sure it's correct
 * Mon Mar 10 2025 Coiby Xu <coxu@redhat.com> - 1.6.2-2
 - ima-setup: run zipl after building initramfs for s390x (RHEL-82392)
 * Wed Jan 15 2025 Coiby Xu <coxu@redhat.com> - 1.6.2-1
 - Disable compat lib (RHEL-65376)
 * Fri Nov 15 2024 Coiby Xu <coxu@redhat.com> - 1.6.2-0.1
 - Update to upstream 1.6 (RHEL-65376)
 * Fri Nov 08 2024 Coiby Xu <coxu@redhat.com> - 1.5-7
 - add some IMA setup tools (RHEL-34778)
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.5-6
 - Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.5-5
 - Bump release for June 2024 mass rebuild
 * Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.5-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Sat Jan 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.5-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.5-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
 * Thu Jun 08 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 1.5-1
 - Disable bootstrap
 * Wed Jun 07 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 1.5-0.1
 - Update to 1.5
 - Streamline bootstrap process a little
 - Bootstrap mode
 - Update download URL
 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 * Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.4-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.4-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 * Thu Jan 20 2022 Björn Esser <besser82@fedoraproject.org> - 1.4-4
 - Build without compat bootstrap sub package
 * Thu Jan 20 2022 Björn Esser <besser82@fedoraproject.org> - 1.4-3
 - Build with compat bootstrap sub package
 * Tue Jan 18 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 1.4-2
 - Add compat bootstrap sub package
 * Mon Nov 08 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 1.4-1
 - Update to 1.4
 * Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.3.2-4
 - Rebuilt with OpenSSL 3.0.0
 * Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Wed Oct 28 2020 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-1
 - Rebase to new upstream v1.3.2 minor release
 * Tue Aug 11 2020 Bruno Meneguele <bmeneg@redhat.com> - 1.3.1-1
 - Rebase to new upstream v1.3.1 minor release
 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.3-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Sun Jul 26 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 1.3-2
 - Fix devel deps
 * Sun Jul 26 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 1.3-1
 - Update to 1.3
 - Use tpm2-tss instead of tss2
 - Minor spec cleanups
 * Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 1.2.1-4
 - Use make macros
 - https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Wed Jul 31 2019 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.2.1-2
 - Add pull request to correct lib soname version, wich was bumped to 1.0.0
 * Wed Jul 31 2019 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.2.1-1
 - Rebase to upstream v1.2.1
 - Remove both patches that were already solved in upstream version
 - Add runtime dependency of tss2 to retrieve PCR bank data from TPM2.0
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Fri Jul 20 2018 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.1-4
 - Add patch to remove dependency from libattr-devel package
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Fri Mar 02 2018 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.1-2
 - Remove libtool files
 - Run ldconfig scriptlets after un/installing
 - Add -devel subpackage to handle include files and examples
 - Disable any static file in the package
 * Fri Feb 16 2018 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.1-1
 - New upstream release
 - Support for OpenSSL 1.1 was added directly to the source code in upstream,
  thus removing specific patch for it
 - Docbook xsl stylesheet updated to a local path
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
 * Fri Feb 02 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.0-4
 - Switch to %%ldconfig_scriptlets
 * Fri Dec 01 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-3
 - Add OpenSSL 1.1 API support for the package, avoiding the need of
  compat-openssl10-devel package
 * Mon Nov 20 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-2
 - Adjusted docbook xsl path to match the correct stylesheet
 - Remove only *.la files, considering there aren't any *.a files
 * Tue Sep 05 2017 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.0-1
 - New upstream release
 - Add OpenSSL 1.0 compatibility package, due to issues with OpenSSL 1.1
 - Remove libtool files
 - Run ldconfig after un/installation to update *.so files
 - Add -devel subpackage to handle include files and examples
 * Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
 * Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
 * Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
 * Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
 * Tue Jan 26 2016 Lubomir Rintel <lkundrak@v3.sk> - 0.9-3
 - Fix FTBFS
 * Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
 * Fri Oct 31 2014 Avesh Agarwal <avagarwa@redhat.com> - 0.9-1
 - New upstream release
 - Applied a patch to fix man page issues.
 - Updated spec file
 * Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
 * Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
 * Tue Aug 27 2013 Vivek Goyal <vgoyal@redhat.com> - 0.6-1
 - Initial package
--- a/ima-setup.sh
+++ b/ima-setup.sh
@ -0,0 +1,145 @@
 #!/bin/bash
 #
 # This script helps set up IMA.
 #
 IMA_SYSTEMD_POLICY=/etc/ima/ima-policy
 IMA_POLICY_SYSFS=/sys/kernel/security/ima/policy
 usage() {
 	echo "Set up IMA."
 	cat <<EOF
 usage: $0 --policy=IMA_POLICY_PATH [--reinstall_threshold=NUM]
       --policy
       The path of IMA policy to be loaded. Sample polices are inside
       /usr/share/ima/policies or you can use your own IMA policy
       The path of IMA policy to be loaded.  Sample polices are inside
       /usr/share/ima/policies or you can use your own IMA policy
       --reinstall_threshold
       When there are >reinstall_threshold packages in the RPM DB missing IMA
       signatures, reinstalling the packages to add IMA signatures to the
       packages.  By default, IMA sigatures will be obtained from the RPM DB.
       However the RPM DB may not have the signatures. Dectect this case by
       checking if there are >reinstall_threshold package missing IMA
       signatures.
 EOF
 	exit 1
 }
 for _opt in "$@"; do
 	case "$_opt" in
 	--policy=*)
 		ima_policy_path=${_opt#*=}
 		if [[ ! -e $ima_policy_path ]]; then
 			echo "$ima_policy_path doesn't exist"
 			exit 1
 		fi
 		;;
 	--reinstall_threshold=*)
 		reinstall_threshold=${_opt#*=}
 		;;
 	*)
 		usage
 		;;
 	esac
 done
 if [[ $# -eq 0 ]]; then
 	usage
 fi
 echo "Installing prerequisite package rpm-plugin-ima"
 if ! dnf install rpm-plugin-ima -yq; then
 	echo "Failed to install rpm-plugin-ima, abort"
 	exit 1
 fi
 # Add IMA signatures
 if test -f /run/ostree-booted; then
 	echo "You are using OSTree, please enable IMA signatures as part of the OSTree creation process."
 else
 	echo "Adding IMA signatures to installed package files"
 	if ! ima-add-sigs --reinstall_threshold="$reinstall_threshold"; then
 		echo "Failed to add IMA signatures, abort"
 		exit 1
 	fi
 fi
 load_ima_keys() {
 	local _key_loaded
 	if line=$(keyctl describe %keyring:.ima); then
 		_ima_id=${line%%:*}
 	else
 		echo "Failed to get ID of the .ima  keyring"
 		exit 1
 	fi
 	for i in /etc/keys/ima/*; do
 		if [ ! -f "${i}" ]; then
 			echo "No IMA key exist"
 			exit 1
 		fi
 		if ! evmctl import "${i}" "${_ima_id}" &>/dev/null; then
 			echo "Failed to load IMA key ${i}"
 		else
 			_key_loaded=yes
 		fi
 	done
 	if [[ $_key_loaded != yes ]]; then
 		echo "No IMA key loaded"
 		exit 1
 	fi
 }
 load_ima_policy() {
 	local ima_policy_path
 	ima_policy_path=$1
 	if ! test -f "$ima_policy_path"; then
 		echo "$ima_policy_path doesn't exist"
 		return 1
 	fi
 	if ! echo "$ima_policy_path" >"$IMA_POLICY_SYSFS"; then
 		echo "$ima_policy_path can't be loaded"
 		return 1
 	fi
 	# Let systemd load the IMA policy which will load LSM rules first so IMA
 	# policy containing rules like "appraise obj_type=ifconfig_exec_t" can be
 	# loaded
 	[[ -e /etc/ima ]] || mkdir -p /etc/ima/
 	if ! cp --preserve=xattr "$ima_policy_path" "$IMA_SYSTEMD_POLICY"; then
 		echo "Failed to copy $ima_policy_path to $IMA_SYSTEMD_POLICY"
 		return 1
 	fi
 }
 echo "Loading IMA keys"
 load_ima_keys
 # Include the dracut integrity module to load the IMA keys and policy
 # automatically when there is a system reboot
 if ! lsinitrd --mod | grep -q integrity; then
 	cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf
 	echo "Rebuilding the initramfs of kernel-$(uname -r) to include the dracut integrity module"
 	dracut -f
 	if command -v grubby >/dev/null; then
 		_default_kernel=$(grubby --default-kernel | sed -En "s/.*vmlinuz-(.*)/\1/p")
 		if [[ $_default_kernel != $(uname -r) ]]; then
 			echo "Current kernel is not the default kernel ($_default_kernel), include dracut integrity for it as well"
 			dracut -f --kver "$_default_kernel"
 		fi
 	fi
 	[[ $(uname -m) == s390x ]] && zipl &> /dev/null
 fi
 if ! load_ima_policy "$ima_policy_path"; then
 	echo "Failed to load IMA policy $ima_policy_path!"
 	exit 1
 fi
--- a/28
+++ b/28
@ -0,0 +1,28 @@
 # Skip some unsupported filesystems
 # This list of the filesystems can be found on
 # https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
 # PROC_SUPER_MAGIC
 dont_appraise fsmagic=0x9fa0
 # SYSFS_MAGIC
 dont_appraise fsmagic=0x62656572
 # DEBUGFS_MAGIC
 dont_appraise fsmagic=0x64626720
 # TMPFS_MAGIC
 dont_appraise fsmagic=0x01021994
 # RAMFS_MAGIC
 dont_appraise fsmagic=0x858458f6
 # DEVPTS_SUPER_MAGIC
 dont_appraise fsmagic=0x1cd1
 # BINFMTFS_MAGIC
 dont_appraise fsmagic=0x42494e4d
 # SECURITYFS_MAGIC
 dont_appraise fsmagic=0x73636673
 # SELINUX_MAGIC
 dont_appraise fsmagic=0xf97cff8c
 # CGROUP_SUPER_MAGIC
 dont_appraise fsmagic=0x27e0eb
 # NSFS_MAGIC
 dont_appraise fsmagic=0x6e736673
 appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
 appraise func=BPRM_CHECK appraise_type=imasig
--- a/37
+++ b/37
@ -0,0 +1,37 @@
 # PROC_SUPER_MAGIC
 dont_measure fsmagic=0x9fa0
 # SYSFS_MAGIC
 dont_measure fsmagic=0x62656572
 # DEBUGFS_MAGIC
 dont_measure fsmagic=0x64626720
 # TMPFS_MAGIC
 dont_measure fsmagic=0x01021994
 # DEVPTS_SUPER_MAGIC
 dont_measure fsmagic=0x1cd1
 # BINFMTFS_MAGIC
 dont_measure fsmagic=0x42494e4d
 # SECURITYFS_MAGIC
 dont_measure fsmagic=0x73636673
 # SELINUX_MAGIC
 dont_measure fsmagic=0xf97cff8c
 # SMACK_MAGIC
 dont_measure fsmagic=0x43415d53
 # CGROUP_SUPER_MAGIC
 dont_measure fsmagic=0x27e0eb
 # CGROUP2_SUPER_MAGIC
 dont_measure fsmagic=0x63677270
 # NSFS_MAGIC
 dont_measure fsmagic=0x6e736673
 # EFIVARFS_MAGIC
 dont_measure fsmagic=0xde5e81e4
 # OVERLAYFS_MAGIC
 # when containers are used we almost always want to ignore them
 dont_measure fsmagic=0x794c7630
 # Measure and log keys loaded onto the .ima keyring
 measure func=KEY_CHECK keyrings=.ima
 # Measure and log executables
 measure func=BPRM_CHECK
 # Measure and log shared libraries
 measure func=FILE_MMAP mask=MAY_EXEC
--- a/2
+++ b/2
@ -0,0 +1,2 @@
 01-appraise-executable-and-lib-signatures
 02-keylime-remote-attestation
--- a/3
+++ b/3
@ -0,0 +1,3 @@
 SHA512 (centosimarelease-10.der) = 8ee9a0107a7fe12078c1a82e4accbecca4d1246eadc60692880b5c2e6617c2ace27114d79ec6cc5fef11296fa11765145fcfbd8e2092fa96c56b13af925e5444
 SHA512 (ima-evm-utils-1.6.2.tar.gz) = dfd82ba7c48c14fd31d687214a2b0cfcf269bdea42d4a0ebc872a72205f880c509ed5c5cd55dec7e94444e6f3bdc3c071ec6c2e3eba1e6579edb8ef11aa158a1
 SHA512 (redhatimarelease-10.der) = 910b39fe16c2d8675c45c360797e6fb4a61d423b2c45a5a49aabc29a21b8dca44d50772353c3b4e557af25a2253d2ad2a2a3825a07cab556fd4eb154013c90de
Author	SHA1	Message	Date
eabdullin	c29eac902a	import UBI ima-evm-utils-1.6.2-3.el10	2025-11-11 21:59:37 +00:00
eabdullin	8796348da7	import UBI ima-evm-utils-1.6.2-1.el10	2025-05-14 19:03:05 +00:00
		`@ -1,2 +0,0 @@`
			`58705b3544ae6e650042374dba535c0b3837b8fc SOURCES/ima-evm-utils-1.1.tar.gz`
			`034d163533ae5f9c06001b375ec7e5a1b09a3853 SOURCES/ima-evm-utils-1.3.2.tar.gz`
		`@ -0,0 +1,2 @@`
							`01-appraise-executable-and-lib-signatures`
							`02-keylime-remote-attestation`