OK, everything solved :) Thank you for the support.


2013/8/6 Mimi Zohar <zohar@linux.vnet.ibm.com>
On Tue, 2013-08-06 at 16:32 +0200, JL_N_ wrote:
> Then have you any idea why .evm is lost after reboot?
>
> PS: last message, forgot to join mailing list sorry
> --------------------------
> CONFIG_EVM_HMAC_VERSION=2 -> thanks, that solved the problem for me with using
> -u when creating evmctl.
> I'm wondering if my config works well ...
> I created a script file
>
> root@bt:~/Desktop# getfattr -m . -d test.sh
> # file: test.sh
> security.evm=0x0209d445f479df7502820651291221beb7029d982c
> security.ima=0x0174e66832f8a97698ca7b44c036eb39ca00ac5d7a
>
>
> I sign with your command
> root@bt:~/Desktop# evmctl sign -u - -x --imasig test.sh
> # file: test.sh
> security.evm=0x0302025e61f96500808ba2575fd577b9c31edf1ca994bddd16ab6395402c2bd4c7b8b6d5f8cc948114afc7ba6b06180f433c1f4060fcf0c00002ce26b27d1dbeba1302356fa89969e416444bf60caeaf4f18dd8247e214f1b21f17ce3444ec9addb6a088efa0f24face99ff7ef1d5c664fcaabe887261851507fabe1562ec9942cbb632e4ab1ac6180
> security.ima=0x0302025e61f965008069138b19c5be04b27eb95fa9d27ff49f6565630217bbee3e368f37915f92114c9d4343a8508ef0c5e2a3f8bfaecb0ff10130647d4cb50f8d04a147fbb41b5d798f35ee4ed2fba072336d381529375b0ad84e3dd39c93867d9fb24ca9d9fab42945b29a296189c142a5cfed77fde8fa9e85934de2b908749903159fd81d634ffc
>
>
> I REBOOT
>
> Script still executable but I lost .evm signature ???
>
> root@bt:~/Desktop# getfattr -m . -e hex -d great.sh
> # file: test.sh
> security.evm=0x02c7728ccbad9f579e9219c2acbf0cb34a2a41650b
> security.ima=0x0302025e61f965008069138b19c5be04b27eb95fa9d27ff49f6565630217bbee3e368f37915f92114c9d4343a8508ef0c5e2a3f8bfaecb0ff10130647d4cb50f8d04a147fbb41b5d798f35ee4ed2fba072336d381529375b0ad84e3dd39c93867d9fb24ca9d9fab42945b29a296189c142a5cfed77fde8fa9e85934de2b908749903159fd81d634ffc
>
>
> .ima works very well with enforce mode (I did a test trying to echo
> "aaa">>test.sh, which gives Permission denied).
> But .evm looks lost ... is it normal?

At some point, we might want to revisit this decision.  At least for
now, replacing the 'security.evm' signature with an HMAC is normal
behavior.

Mimi
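
Added example, not part of the original thread: a small decoder for `getfattr -e hex` output that reads the leading type byte of `security.ima` / `security.evm` (0x01 digest, 0x02 HMAC, 0x03 signature, per the kernel's `evm_ima_xattr_type` enum) and reports when a `security.evm` signature has been replaced by an HMAC, as described above. The function names are hypothetical, and the sample input is constructed: the signature header bytes and the post-reboot HMAC are taken from the thread, while the signature body is zero filler.

```python
import struct

# First byte of security.ima / security.evm (kernel enum evm_ima_xattr_type).
XATTR_TYPES = {0x01: "IMA digest", 0x02: "EVM HMAC", 0x03: "digital signature"}

# Constructed sample: header bytes as in the thread, signature body is zero filler.
SIG = "0x0302025e61f9650080" + "00" * 128
BEFORE = "# file: test.sh\nsecurity.evm=" + SIG + "\nsecurity.ima=" + SIG + "\n"
# After reboot: security.evm as shown in the thread, security.ima unchanged.
AFTER = ("# file: test.sh\n"
         "security.evm=0x02c7728ccbad9f579e9219c2acbf0cb34a2a41650b\n"
         "security.ima=" + SIG + "\n")

def parse_xattr(hex_value):
    """Decode one security.ima/security.evm value printed by getfattr -e hex."""
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if not raw:
        raise ValueError("empty xattr value")
    info = {"type": XATTR_TYPES.get(raw[0], "unknown (0x%02x)" % raw[0]),
            "payload_len": len(raw) - 1}
    if raw[0] == 0x03 and len(raw) >= 9 and raw[1] == 2:
        # Version 2 signature header after the type byte:
        # version, hash_algo, keyid (4 bytes), sig_size (big-endian 16 bit).
        version, hash_algo, keyid, sig_size = struct.unpack(">BB4sH", raw[1:9])
        info.update(version=version, hash_algo=hash_algo,
                    keyid=keyid.hex(), sig_size=sig_size)
    return info

def parse_getfattr(text):
    """Map xattr name -> decoded info, skipping '# file:' and blank lines."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        attrs[name] = parse_xattr(value)
    return attrs

def evm_sig_replaced_by_hmac(before, after):
    """True when security.evm was a signature before and is an HMAC after."""
    return (before["security.evm"]["type"] == "digital signature"
            and after["security.evm"]["type"] == "EVM HMAC")

if __name__ == "__main__":
    b, a = parse_getfattr(BEFORE), parse_getfattr(AFTER)
    print(b["security.evm"], a["security.evm"], evm_sig_replaced_by_hmac(b, a))
```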