mailarchive of the ptxdist mailing list
From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Roland Hieber <rhi@pengutronix.de>
Subject: Re: [ptxdist] [APPLIED] ima-evm-utils: version bump 1.1 -> 1.3.2
Date: Tue, 29 Jun 2021 07:09:11 +0200
Message-ID: <20210629050911.2523583-1-m.olbrich@pengutronix.de>
In-Reply-To: <20210616161655.15480-2-rhi@pengutronix.de>

Thanks, applied as 1024453d64fbae7fec6b7942bbc557805126dc53.

Michael

[sent from post-receive hook]

On Tue, 29 Jun 2021 07:09:11 +0200, Roland Hieber <rhi@pengutronix.de> wrote:
> Changes to the patch queue:
> 
> * (old 0002) "Makefile.am: rename INCLUDES -> AM_CPPFLAGS":
>   replaced by upstream commit 8acbae598b39a421b5d0 ("replace INCLUDES
>   with AM_CPPFLAGS")
> 
> * (old 0006) "use EVP_MAX_MD_SIZE for hash size instead of open …":
>   replaced by upstream commit 1d9c27927932f2e750e3 ("Define hash and sig
>   buffer sizes and add asserts")
> 
> * (old 0008) "evmctl: add parameter -e to set evm hash algo":
>   replaced by upstream commit ae1319eeabd6e0798003 ("Remove hardcoding
>   of SHA1 in EVM signatures"), which uses the already existing -a
>   parameter for this functionality now too.
> 
> * (old 0009) "evmctl: add support for offline image preparation":
>   port the refactoring from upstream commit c317d4618f92d4dd65
>   ("Namespace some too generic object names"). Also _GNU_SOURCE is now
>   already defined by configure, and will generate a warning when
>   redefined, so drop its definition here.
> 
> * (old 0011, new 0009) "HACK: don't generate the man page":
>   expand patch to make sure the manpages are really not built and
>   generate an error looking for "asciidoc", even when the XSL stylesheet
>   is detected on the build host
> 
> * (old 0013) "evmctl: use correct include for xattr.h":
>   replaced by upstream commit 6aea54d2ad2287b3e889 ("evmctl: use correct
>   include for xattr.h")
> 
> Link: https://sf.net/p/linux-ima/ima-evm-utils/ci/8acbae598b39a421b5d0
> Link: https://sf.net/p/linux-ima/ima-evm-utils/ci/1d9c27927932f2e750e3
> Link: https://sf.net/p/linux-ima/ima-evm-utils/ci/ae1319eeabd6e0798003
> Link: https://sf.net/p/linux-ima/ima-evm-utils/ci/c317d4618f92d4dd6570
> Link: https://sf.net/p/linux-ima/ima-evm-utils/ci/6aea54d2ad2287b3e889
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> Message-Id: <20210616161655.15480-2-rhi@pengutronix.de>
> [mol: use ac_cv_path_XMLCATALOG= instead of a patch, drop unnecessary INSTALL patch]
> [mol: make sure libtss2-esys/libtss2-rc are not used]
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/patches/ima-evm-utils-1.1/0001-INSTALL-remove-file-at-it-s-autogenerated-by-autotoo.patch b/patches/ima-evm-utils-1.1/0001-INSTALL-remove-file-at-it-s-autogenerated-by-autotoo.patch
> deleted file mode 100644
> index c035197d9cc7..000000000000
> --- a/patches/ima-evm-utils-1.1/0001-INSTALL-remove-file-at-it-s-autogenerated-by-autotoo.patch
> +++ /dev/null
> @@ -1,389 +0,0 @@
> -From: Marc Kleine-Budde <mkl@pengutronix.de>
> -Date: Wed, 18 Nov 2015 15:15:15 +0100
> -Subject: [PATCH] INSTALL: remove file, at it's autogenerated by autotools
> -
> -This patch remove the file "INSTALL" which is autogenerated during
> -./autogen.sh.
> -
> -Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> ----
> - INSTALL | 370 ----------------------------------------------------------------
> - 1 file changed, 370 deletions(-)
> - delete mode 100644 INSTALL
> -
> -diff --git a/INSTALL b/INSTALL
> -deleted file mode 100644
> -index 007e9396d0a2..000000000000
> ---- a/INSTALL
> -+++ /dev/null
> -@@ -1,370 +0,0 @@
> --Installation Instructions
> --*************************
> --
> --Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation,
> --Inc.
> --
> --   Copying and distribution of this file, with or without modification,
> --are permitted in any medium without royalty provided the copyright
> --notice and this notice are preserved.  This file is offered as-is,
> --without warranty of any kind.
> --
> --Basic Installation
> --==================
> --
> --   Briefly, the shell commands `./configure; make; make install' should
> --configure, build, and install this package.  The following
> --more-detailed instructions are generic; see the `README' file for
> --instructions specific to this package.  Some packages provide this
> --`INSTALL' file but do not implement all of the features documented
> --below.  The lack of an optional feature in a given package is not
> --necessarily a bug.  More recommendations for GNU packages can be found
> --in *note Makefile Conventions: (standards)Makefile Conventions.
> --
> --   The `configure' shell script attempts to guess correct values for
> --various system-dependent variables used during compilation.  It uses
> --those values to create a `Makefile' in each directory of the package.
> --It may also create one or more `.h' files containing system-dependent
> --definitions.  Finally, it creates a shell script `config.status' that
> --you can run in the future to recreate the current configuration, and a
> --file `config.log' containing compiler output (useful mainly for
> --debugging `configure').
> --
> --   It can also use an optional file (typically called `config.cache'
> --and enabled with `--cache-file=config.cache' or simply `-C') that saves
> --the results of its tests to speed up reconfiguring.  Caching is
> --disabled by default to prevent problems with accidental use of stale
> --cache files.
> --
> --   If you need to do unusual things to compile the package, please try
> --to figure out how `configure' could check whether to do them, and mail
> --diffs or instructions to the address given in the `README' so they can
> --be considered for the next release.  If you are using the cache, and at
> --some point `config.cache' contains results you don't want to keep, you
> --may remove or edit it.
> --
> --   The file `configure.ac' (or `configure.in') is used to create
> --`configure' by a program called `autoconf'.  You need `configure.ac' if
> --you want to change it or regenerate `configure' using a newer version
> --of `autoconf'.
> --
> --   The simplest way to compile this package is:
> --
> --  1. `cd' to the directory containing the package's source code and type
> --     `./configure' to configure the package for your system.
> --
> --     Running `configure' might take a while.  While running, it prints
> --     some messages telling which features it is checking for.
> --
> --  2. Type `make' to compile the package.
> --
> --  3. Optionally, type `make check' to run any self-tests that come with
> --     the package, generally using the just-built uninstalled binaries.
> --
> --  4. Type `make install' to install the programs and any data files and
> --     documentation.  When installing into a prefix owned by root, it is
> --     recommended that the package be configured and built as a regular
> --     user, and only the `make install' phase executed with root
> --     privileges.
> --
> --  5. Optionally, type `make installcheck' to repeat any self-tests, but
> --     this time using the binaries in their final installed location.
> --     This target does not install anything.  Running this target as a
> --     regular user, particularly if the prior `make install' required
> --     root privileges, verifies that the installation completed
> --     correctly.
> --
> --  6. You can remove the program binaries and object files from the
> --     source code directory by typing `make clean'.  To also remove the
> --     files that `configure' created (so you can compile the package for
> --     a different kind of computer), type `make distclean'.  There is
> --     also a `make maintainer-clean' target, but that is intended mainly
> --     for the package's developers.  If you use it, you may have to get
> --     all sorts of other programs in order to regenerate files that came
> --     with the distribution.
> --
> --  7. Often, you can also type `make uninstall' to remove the installed
> --     files again.  In practice, not all packages have tested that
> --     uninstallation works correctly, even though it is required by the
> --     GNU Coding Standards.
> --
> --  8. Some packages, particularly those that use Automake, provide `make
> --     distcheck', which can by used by developers to test that all other
> --     targets like `make install' and `make uninstall' work correctly.
> --     This target is generally not run by end users.
> --
> --Compilers and Options
> --=====================
> --
> --   Some systems require unusual options for compilation or linking that
> --the `configure' script does not know about.  Run `./configure --help'
> --for details on some of the pertinent environment variables.
> --
> --   You can give `configure' initial values for configuration parameters
> --by setting variables in the command line or in the environment.  Here
> --is an example:
> --
> --     ./configure CC=c99 CFLAGS=-g LIBS=-lposix
> --
> --   *Note Defining Variables::, for more details.
> --
> --Compiling For Multiple Architectures
> --====================================
> --
> --   You can compile the package for more than one kind of computer at the
> --same time, by placing the object files for each architecture in their
> --own directory.  To do this, you can use GNU `make'.  `cd' to the
> --directory where you want the object files and executables to go and run
> --the `configure' script.  `configure' automatically checks for the
> --source code in the directory that `configure' is in and in `..'.  This
> --is known as a "VPATH" build.
> --
> --   With a non-GNU `make', it is safer to compile the package for one
> --architecture at a time in the source code directory.  After you have
> --installed the package for one architecture, use `make distclean' before
> --reconfiguring for another architecture.
> --
> --   On MacOS X 10.5 and later systems, you can create libraries and
> --executables that work on multiple system types--known as "fat" or
> --"universal" binaries--by specifying multiple `-arch' options to the
> --compiler but only a single `-arch' option to the preprocessor.  Like
> --this:
> --
> --     ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
> --                 CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
> --                 CPP="gcc -E" CXXCPP="g++ -E"
> --
> --   This is not guaranteed to produce working output in all cases, you
> --may have to build one architecture at a time and combine the results
> --using the `lipo' tool if you have problems.
> --
> --Installation Names
> --==================
> --
> --   By default, `make install' installs the package's commands under
> --`/usr/local/bin', include files under `/usr/local/include', etc.  You
> --can specify an installation prefix other than `/usr/local' by giving
> --`configure' the option `--prefix=PREFIX', where PREFIX must be an
> --absolute file name.
> --
> --   You can specify separate installation prefixes for
> --architecture-specific files and architecture-independent files.  If you
> --pass the option `--exec-prefix=PREFIX' to `configure', the package uses
> --PREFIX as the prefix for installing programs and libraries.
> --Documentation and other data files still use the regular prefix.
> --
> --   In addition, if you use an unusual directory layout you can give
> --options like `--bindir=DIR' to specify different values for particular
> --kinds of files.  Run `configure --help' for a list of the directories
> --you can set and what kinds of files go in them.  In general, the
> --default for these options is expressed in terms of `${prefix}', so that
> --specifying just `--prefix' will affect all of the other directory
> --specifications that were not explicitly provided.
> --
> --   The most portable way to affect installation locations is to pass the
> --correct locations to `configure'; however, many packages provide one or
> --both of the following shortcuts of passing variable assignments to the
> --`make install' command line to change installation locations without
> --having to reconfigure or recompile.
> --
> --   The first method involves providing an override variable for each
> --affected directory.  For example, `make install
> --prefix=/alternate/directory' will choose an alternate location for all
> --directory configuration variables that were expressed in terms of
> --`${prefix}'.  Any directories that were specified during `configure',
> --but not in terms of `${prefix}', must each be overridden at install
> --time for the entire installation to be relocated.  The approach of
> --makefile variable overrides for each directory variable is required by
> --the GNU Coding Standards, and ideally causes no recompilation.
> --However, some platforms have known limitations with the semantics of
> --shared libraries that end up requiring recompilation when using this
> --method, particularly noticeable in packages that use GNU Libtool.
> --
> --   The second method involves providing the `DESTDIR' variable.  For
> --example, `make install DESTDIR=/alternate/directory' will prepend
> --`/alternate/directory' before all installation names.  The approach of
> --`DESTDIR' overrides is not required by the GNU Coding Standards, and
> --does not work on platforms that have drive letters.  On the other hand,
> --it does better at avoiding recompilation issues, and works well even
> --when some directory options were not specified in terms of `${prefix}'
> --at `configure' time.
> --
> --Optional Features
> --=================
> --
> --   If the package supports it, you can cause programs to be installed
> --with an extra prefix or suffix on their names by giving `configure' the
> --option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
> --
> --   Some packages pay attention to `--enable-FEATURE' options to
> --`configure', where FEATURE indicates an optional part of the package.
> --They may also pay attention to `--with-PACKAGE' options, where PACKAGE
> --is something like `gnu-as' or `x' (for the X Window System).  The
> --`README' should mention any `--enable-' and `--with-' options that the
> --package recognizes.
> --
> --   For packages that use the X Window System, `configure' can usually
> --find the X include and library files automatically, but if it doesn't,
> --you can use the `configure' options `--x-includes=DIR' and
> --`--x-libraries=DIR' to specify their locations.
> --
> --   Some packages offer the ability to configure how verbose the
> --execution of `make' will be.  For these packages, running `./configure
> ----enable-silent-rules' sets the default to minimal output, which can be
> --overridden with `make V=1'; while running `./configure
> ----disable-silent-rules' sets the default to verbose, which can be
> --overridden with `make V=0'.
> --
> --Particular systems
> --==================
> --
> --   On HP-UX, the default C compiler is not ANSI C compatible.  If GNU
> --CC is not installed, it is recommended to use the following options in
> --order to use an ANSI C compiler:
> --
> --     ./configure CC="cc -Ae -D_XOPEN_SOURCE=500"
> --
> --and if that doesn't work, install pre-built binaries of GCC for HP-UX.
> --
> --   HP-UX `make' updates targets which have the same time stamps as
> --their prerequisites, which makes it generally unusable when shipped
> --generated files such as `configure' are involved.  Use GNU `make'
> --instead.
> --
> --   On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot
> --parse its `<wchar.h>' header file.  The option `-nodtk' can be used as
> --a workaround.  If GNU CC is not installed, it is therefore recommended
> --to try
> --
> --     ./configure CC="cc"
> --
> --and if that doesn't work, try
> --
> --     ./configure CC="cc -nodtk"
> --
> --   On Solaris, don't put `/usr/ucb' early in your `PATH'.  This
> --directory contains several dysfunctional programs; working variants of
> --these programs are available in `/usr/bin'.  So, if you need `/usr/ucb'
> --in your `PATH', put it _after_ `/usr/bin'.
> --
> --   On Haiku, software installed for all users goes in `/boot/common',
> --not `/usr/local'.  It is recommended to use the following options:
> --
> --     ./configure --prefix=/boot/common
> --
> --Specifying the System Type
> --==========================
> --
> --   There may be some features `configure' cannot figure out
> --automatically, but needs to determine by the type of machine the package
> --will run on.  Usually, assuming the package is built to be run on the
> --_same_ architectures, `configure' can figure that out, but if it prints
> --a message saying it cannot guess the machine type, give it the
> --`--build=TYPE' option.  TYPE can either be a short name for the system
> --type, such as `sun4', or a canonical name which has the form:
> --
> --     CPU-COMPANY-SYSTEM
> --
> --where SYSTEM can have one of these forms:
> --
> --     OS
> --     KERNEL-OS
> --
> --   See the file `config.sub' for the possible values of each field.  If
> --`config.sub' isn't included in this package, then this package doesn't
> --need to know the machine type.
> --
> --   If you are _building_ compiler tools for cross-compiling, you should
> --use the option `--target=TYPE' to select the type of system they will
> --produce code for.
> --
> --   If you want to _use_ a cross compiler, that generates code for a
> --platform different from the build platform, you should specify the
> --"host" platform (i.e., that on which the generated programs will
> --eventually be run) with `--host=TYPE'.
> --
> --Sharing Defaults
> --================
> --
> --   If you want to set default values for `configure' scripts to share,
> --you can create a site shell script called `config.site' that gives
> --default values for variables like `CC', `cache_file', and `prefix'.
> --`configure' looks for `PREFIX/share/config.site' if it exists, then
> --`PREFIX/etc/config.site' if it exists.  Or, you can set the
> --`CONFIG_SITE' environment variable to the location of the site script.
> --A warning: not all `configure' scripts look for a site script.
> --
> --Defining Variables
> --==================
> --
> --   Variables not defined in a site shell script can be set in the
> --environment passed to `configure'.  However, some packages may run
> --configure again during the build, and the customized values of these
> --variables may be lost.  In order to avoid this problem, you should set
> --them in the `configure' command line, using `VAR=value'.  For example:
> --
> --     ./configure CC=/usr/local2/bin/gcc
> --
> --causes the specified `gcc' to be used as the C compiler (unless it is
> --overridden in the site shell script).
> --
> --Unfortunately, this technique does not work for `CONFIG_SHELL' due to
> --an Autoconf limitation.  Until the limitation is lifted, you can use
> --this workaround:
> --
> --     CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash
> --
> --`configure' Invocation
> --======================
> --
> --   `configure' recognizes the following options to control how it
> --operates.
> --
> --`--help'
> --`-h'
> --     Print a summary of all of the options to `configure', and exit.
> --
> --`--help=short'
> --`--help=recursive'
> --     Print a summary of the options unique to this package's
> --     `configure', and exit.  The `short' variant lists options used
> --     only in the top level, while the `recursive' variant lists options
> --     also present in any nested packages.
> --
> --`--version'
> --`-V'
> --     Print the version of Autoconf used to generate the `configure'
> --     script, and exit.
> --
> --`--cache-file=FILE'
> --     Enable the cache: use and save the results of the tests in FILE,
> --     traditionally `config.cache'.  FILE defaults to `/dev/null' to
> --     disable caching.
> --
> --`--config-cache'
> --`-C'
> --     Alias for `--cache-file=config.cache'.
> --
> --`--quiet'
> --`--silent'
> --`-q'
> --     Do not print messages saying which checks are being made.  To
> --     suppress all normal output, redirect it to `/dev/null' (any error
> --     messages will still be shown).
> --
> --`--srcdir=DIR'
> --     Look for the package's source code in directory DIR.  Usually
> --     `configure' can determine that directory automatically.
> --
> --`--prefix=DIR'
> --     Use DIR as the installation prefix.  *note Installation Names::
> --     for more details, including other options available for fine-tuning
> --     the installation locations.
> --
> --`--no-create'
> --`-n'
> --     Run the configure checks, but stop before creating any output
> --     files.
> --
> --`configure' also accepts some other, not widely useful, options.  Run
> --`configure --help' for more details.
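
Review bot: The removal of old 0001 is documented only in the "[mol: ... drop unnecessary INSTALL patch]" tag; the "Changes to the patch queue" list has no entry for it, while the other deleted patches visible here each have one. A short "(old 0001)" bullet saying why the INSTALL removal is no longer needed with 1.3.2 would keep that list complete.
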
> diff --git a/patches/ima-evm-utils-1.1/0002-Makefile.am-rename-INCLUDES-AM_CPPFLAGS.patch b/patches/ima-evm-utils-1.1/0002-Makefile.am-rename-INCLUDES-AM_CPPFLAGS.patch
> deleted file mode 100644
> index cb09b8d78f8a..000000000000
> --- a/patches/ima-evm-utils-1.1/0002-Makefile.am-rename-INCLUDES-AM_CPPFLAGS.patch
> +++ /dev/null
> @@ -1,40 +0,0 @@
> -From: Marc Kleine-Budde <mkl@pengutronix.de>
> -Date: Wed, 27 May 2015 10:41:27 +0200
> -Subject: [PATCH] Makefile.am: rename INCLUDES -> AM_CPPFLAGS
> -
> -This patch fixes the following warning during autoreconf:
> -
> -| src/Makefile.am:19: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
> -
> -Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> ----
> - src/Makefile.am | 6 +++---
> - 1 file changed, 3 insertions(+), 3 deletions(-)
> -
> -diff --git a/src/Makefile.am b/src/Makefile.am
> -index deb18fb09dc7..9f547283d535 100644
> ---- a/src/Makefile.am
> -+++ b/src/Makefile.am
> -@@ -1,7 +1,7 @@
> - lib_LTLIBRARIES = libimaevm.la
> - 
> - libimaevm_la_SOURCES = libimaevm.c
> --libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS)
> -+libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS) $(AM_CPPFLAGS)
> - # current[:revision[:age]]
> - # result: [current-age].age.revision
> - libimaevm_la_LDFLAGS = -version-info 0:0:0
> -@@ -12,11 +12,11 @@ include_HEADERS = imaevm.h
> - bin_PROGRAMS = evmctl
> - 
> - evmctl_SOURCES = evmctl.c
> --evmctl_CPPFLAGS = $(OPENSSL_CFLAGS)
> -+evmctl_CPPFLAGS = $(OPENSSL_CFLAGS) $(AM_CPPFLAGS)
> - evmctl_LDFLAGS = $(LDFLAGS_READLINE)
> - evmctl_LDADD =  $(OPENSSL_LIBS) -lkeyutils libimaevm.la
> - 
> --INCLUDES = -I$(top_srcdir) -include config.h
> -+AM_CPPFLAGS = -I$(top_srcdir) -include config.h
> - 
> - DISTCLEANFILES = @DISTCLEANFILES@
> - 
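
Review bot: Please confirm that upstream commit 8acbae598b39a421b5d0 also carries the two "$(AM_CPPFLAGS)" additions to libimaevm_la_CPPFLAGS and evmctl_CPPFLAGS from this dropped patch, not only the INCLUDES rename at the end of src/Makefile.am. A per-target _CPPFLAGS variable replaces AM_CPPFLAGS in automake, so without those additions "-I$(top_srcdir) -include config.h" would no longer reach either target.
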
> diff --git a/patches/ima-evm-utils-1.1/0006-evmctl-libimaevm-use-EVP_MAX_MD_SIZE-for-hash-size-i.patch b/patches/ima-evm-utils-1.1/0006-evmctl-libimaevm-use-EVP_MAX_MD_SIZE-for-hash-size-i.patch
> deleted file mode 100644
> index a3cd597f82d6..000000000000
> --- a/patches/ima-evm-utils-1.1/0006-evmctl-libimaevm-use-EVP_MAX_MD_SIZE-for-hash-size-i.patch
> +++ /dev/null
> @@ -1,73 +0,0 @@
> -From: Marc Kleine-Budde <mkl@pengutronix.de>
> -Date: Sat, 26 Mar 2016 22:58:07 +0100
> -Subject: [PATCH] evmctl, libimaevm: use EVP_MAX_MD_SIZE for hash size instead
> - of open coding it
> -
> -Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
> ----
> - src/evmctl.c    | 10 +++++-----
> - src/libimaevm.c |  2 +-
> - 2 files changed, 6 insertions(+), 6 deletions(-)
> -
> -diff --git a/src/evmctl.c b/src/evmctl.c
> -index de53be37b69b..b0f3b6362528 100644
> ---- a/src/evmctl.c
> -+++ b/src/evmctl.c
> -@@ -495,7 +495,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> - 
> - static int sign_evm(const char *file, const char *key)
> - {
> --	unsigned char hash[20];
> -+	unsigned char hash[EVP_MAX_MD_SIZE];
> - 	unsigned char sig[1024];
> - 	int len, err;
> - 
> -@@ -533,7 +533,7 @@ static int sign_evm(const char *file, const char *key)
> - 
> - static int hash_ima(const char *file)
> - {
> --	unsigned char hash[66]; /* MAX hash size + 2 */
> -+	unsigned char hash[EVP_MAX_MD_SIZE + 2]; /* MAX hash size + 2 */
> - 	int len, err, offset;
> - 	int algo = get_hash_algo(params.hash_algo);
> - 
> -@@ -571,7 +571,7 @@ static int hash_ima(const char *file)
> - 
> - static int sign_ima(const char *file, const char *key)
> - {
> --	unsigned char hash[64];
> -+	unsigned char hash[EVP_MAX_MD_SIZE];
> - 	unsigned char sig[1024];
> - 	int len, err;
> - 
> -@@ -751,7 +751,7 @@ static int cmd_sign_evm(struct command *cmd)
> - 
> - static int verify_evm(const char *file)
> - {
> --	unsigned char hash[20];
> -+	unsigned char hash[EVP_MAX_MD_SIZE];
> - 	unsigned char sig[1024];
> - 	int len;
> - 
> -@@ -1119,7 +1119,7 @@ out:
> - 
> - static int hmac_evm(const char *file, const char *key)
> - {
> --	unsigned char hash[20];
> -+	unsigned char hash[EVP_MAX_MD_SIZE];
> - 	unsigned char sig[1024];
> - 	int len, err;
> - 
> -diff --git a/src/libimaevm.c b/src/libimaevm.c
> -index 6fa0ed4a1c74..8fc23be08bd7 100644
> ---- a/src/libimaevm.c
> -+++ b/src/libimaevm.c
> -@@ -590,7 +590,7 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned
> - int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
> - 			 unsigned char *digest, int digestlen)
> - {
> --	unsigned char hash[64];
> -+	unsigned char hash[EVP_MAX_MD_SIZE];
> - 	int hashlen, sig_hash_algo;
> - 
> - 	if (sig[0] != 0x03) {
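
Review bot: The "unsigned char hash[20]" buffers in sign_evm(), verify_evm() and hmac_evm() are sized for SHA-1 only, so they have to be at least EVP_MAX_MD_SIZE once the EVM digest is selectable, which the replacement for old 0008 makes possible. Please check that upstream commit 1d9c27927932f2e750e3 covers all six sites this patch touched (those three plus hash_ima(), sign_ima() and ima_verify_signature() in src/libimaevm.c) before treating it as a full replacement.
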
> diff --git a/patches/ima-evm-utils-1.1/0008-evmctl-add-parameter-e-to-set-evm-hash-algo.patch b/patches/ima-evm-utils-1.1/0008-evmctl-add-parameter-e-to-set-evm-hash-algo.patch
> deleted file mode 100644
> index 488dfa822286..000000000000
> --- a/patches/ima-evm-utils-1.1/0008-evmctl-add-parameter-e-to-set-evm-hash-algo.patch
> +++ /dev/null
> @@ -1,133 +0,0 @@
> -From: Steffen Trumtrar <s.trumtrar@pengutronix.de>
> -Date: Tue, 8 Mar 2016 13:46:14 +0100
> -Subject: [PATCH] evmctl: add parameter -e to set evm hash algo
> -
> -The paramter -a sets the hash algorithm only for IMA. To not break
> -anything, add a new parameter -e to be able to change the hash for
> -EVM, too.
> -
> -Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
> ----
> - src/evmctl.c    | 27 +++++++++++++++++++++++----
> - src/imaevm.h    |  1 +
> - src/libimaevm.c |  1 +
> - 3 files changed, 25 insertions(+), 4 deletions(-)
> -
> -diff --git a/src/evmctl.c b/src/evmctl.c
> -index b0f3b6362528..5d664005e915 100644
> ---- a/src/evmctl.c
> -+++ b/src/evmctl.c
> -@@ -336,6 +336,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> - #else
> - 	pctx = EVP_MD_CTX_new();
> - #endif
> -+	const EVP_MD *md;
> - 
> - 	if (lstat(file, &st)) {
> - 		log_err("Failed to stat: %s\n", file);
> -@@ -379,7 +380,13 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> - 		return -1;
> - 	}
> - 
> --	err = EVP_DigestInit(pctx, EVP_sha1());
> -+	md = EVP_get_digestbyname(params.evm_hash_algo);
> -+	if (!md) {
> -+		log_err("EVP_get_digestbyname() failed\n");
> -+		return 1;
> -+	}
> -+
> -+	err = EVP_DigestInit(pctx, md);
> - 	if (!err) {
> - 		log_err("EVP_DigestInit() failed\n");
> - 		return 1;
> -@@ -503,7 +510,7 @@ static int sign_evm(const char *file, const char *key)
> - 	if (len <= 1)
> - 		return len;
> - 
> --	len = sign_hash("sha1", hash, len, key, NULL, sig + 1);
> -+	len = sign_hash(params.evm_hash_algo, hash, len, key, NULL, sig + 1);
> - 	if (len <= 1)
> - 		return len;
> - 
> -@@ -992,6 +999,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
> - #else
> - 	pctx = HMAC_CTX_new();
> - #endif
> -+	const EVP_MD *md;
> - 
> - 	key = file2bin(keyfile, NULL, &keylen);
> - 	if (!key) {
> -@@ -1038,7 +1046,13 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
> - 		goto out;
> - 	}
> - 
> --	err = !HMAC_Init_ex(pctx, evmkey, sizeof(evmkey), EVP_sha1(), NULL);
> -+	md = EVP_get_digestbyname(params.evm_hash_algo);
> -+	if (!md) {
> -+		log_err("EVP_get_digestbyname() failed\n");
> -+		return 1;
> -+	}
> -+
> -+	err = !HMAC_Init_ex(pctx, evmkey, sizeof(evmkey), md, NULL);
> - 	if (err) {
> - 		log_err("HMAC_Init() failed\n");
> - 		goto out;
> -@@ -1635,6 +1649,7 @@ static void usage(void)
> - 	printf(
> - 		"\n"
> - 		"  -a, --hashalgo     sha1 (default), sha224, sha256, sha384, sha512\n"
> -+		"  -e, --evmhashalgo  sha1 (default), sha224, sha256, sha384, sha512\n"
> - 		"  -s, --imasig       make IMA signature\n"
> - 		"  -d, --imahash      make IMA hash\n"
> - 		"  -f, --sigfile      store IMA signature in .sig file instead of xattr\n"
> -@@ -1691,6 +1706,7 @@ static struct option opts[] = {
> - 	{"imasig", 0, 0, 's'},
> - 	{"imahash", 0, 0, 'd'},
> - 	{"hashalgo", 1, 0, 'a'},
> -+	{"evmhashalgo", 1, 0, 'e'},
> - 	{"pass", 2, 0, 'p'},
> - 	{"sigfile", 0, 0, 'f'},
> - 	{"uuid", 2, 0, 'u'},
> -@@ -1758,7 +1774,7 @@ int main(int argc, char *argv[])
> - 	g_argc = argc;
> - 
> - 	while (1) {
> --		c = getopt_long(argc, argv, "hvnsda:op::fu::k:t:ri", opts, &lind);
> -+		c = getopt_long(argc, argv, "hvnsda:e:op::fu::k:t:ri", opts, &lind);
> - 		if (c == -1)
> - 			break;
> - 
> -@@ -1784,6 +1800,9 @@ int main(int argc, char *argv[])
> - 		case 'a':
> - 			params.hash_algo = optarg;
> - 			break;
> -+		case 'e':
> -+			params.evm_hash_algo = optarg;
> -+			break;
> - 		case 'p':
> - 			if (optarg)
> - 				params.keypass = optarg;
> -diff --git a/src/imaevm.h b/src/imaevm.h
> -index 1bafaad0f4ab..ed92e4d8981d 100644
> ---- a/src/imaevm.h
> -+++ b/src/imaevm.h
> -@@ -179,6 +179,7 @@ struct libevm_params {
> - 	int verbose;
> - 	int x509;
> - 	const char *hash_algo;
> -+	const char *evm_hash_algo;
> - 	const char *keyfile;
> - 	const char *keypass;
> - };
> -diff --git a/src/libimaevm.c b/src/libimaevm.c
> -index b6c328801708..4c093a038b72 100644
> ---- a/src/libimaevm.c
> -+++ b/src/libimaevm.c
> -@@ -129,6 +129,7 @@ struct libevm_params params = {
> - 	.verbose = LOG_INFO - 1,
> - 	.x509 = 1,
> - 	.hash_algo = "sha1",
> -+	.evm_hash_algo = "sha1",
> - };
> - 
> - static void __attribute__ ((constructor)) libinit(void);
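
Review bot: Dropping this patch removes the -e/--evmhashalgo option, and according to the commit message -a now selects the EVM hash as well, which is the behaviour change the original patch set out to avoid ("To not break anything, add a new parameter -e"). Any evmctl call in rules or image scripts that passes -e, or that passes -a expecting only the IMA hash to change, needs adjusting in the same commit; a sentence on this in the commit message would help people who use evmctl outside the tree.
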
> diff --git a/patches/ima-evm-utils-1.1/0011-HACK-don-t-generate-man-page.patch b/patches/ima-evm-utils-1.1/0011-HACK-don-t-generate-man-page.patch
> deleted file mode 100644
> index bb44e8d6c2be..000000000000
> --- a/patches/ima-evm-utils-1.1/0011-HACK-don-t-generate-man-page.patch
> +++ /dev/null
> @@ -1,19 +0,0 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Wed, 3 Jun 2015 16:08:51 +0200
> -Subject: [PATCH] HACK: don't generate man page
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - Makefile.am | 1 -
> - 1 file changed, 1 deletion(-)
> -
> -diff --git a/Makefile.am b/Makefile.am
> -index 06ebf59ea4aa..e527f34f1faa 100644
> ---- a/Makefile.am
> -+++ b/Makefile.am
> -@@ -1,5 +1,4 @@
> - SUBDIRS = src
> --dist_man_MANS = evmctl.1
> - 
> - doc_DATA =  examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
> - EXTRA_DIST = autogen.sh $(doc_DATA)
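
Review bot: The commit message is ambiguous about what replaces this patch: the bullet for "(old 0011, new 0009)" describes an expanded patch, while the "[mol: use ac_cv_path_XMLCATALOG= instead of a patch ...]" line says a configure cache variable is used instead. Please make the message state which of the two is in the 1.3.2 series, and whether dist_man_MANS is still removed from Makefile.am.
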
> diff --git a/patches/ima-evm-utils-1.1/0013-evmctl-use-correct-include-for-xattr.h.patch b/patches/ima-evm-utils-1.1/0013-evmctl-use-correct-include-for-xattr.h.patch
> deleted file mode 100644
> index 3157c711a065..000000000000
> --- a/patches/ima-evm-utils-1.1/0013-evmctl-use-correct-include-for-xattr.h.patch
> +++ /dev/null
> @@ -1,80 +0,0 @@
> -From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net>
> -Date: Mon, 17 Oct 2016 12:45:32 +0100
> -Subject: [PATCH] evmctl: use correct include for xattr.h
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -The xattr API/ABI is provided by both the c-library, as well as by the
> -libattr package. The c-library's header file is sys/xattr.h, whereas
> -libattr's header file can be found in attr/xattr.h.
> -
> -Given none of the code here *links* against the libattr.so shared library, it
> -is wrong to *compile* against libattr's API (header file).
> -
> -Doing so avoids confusion as to which xattr.h is used as the least problem,
> -and potential ABI differences as the worst problem due the mismatching header
> -file used.
> -
> -So make sure we compile and link against the same thing, the c-library in
> -both cases.
> -
> -Signed-off-by: André Draszik <git@andred.net>
> -Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> ----
> - configure.ac                    | 2 +-
> - packaging/ima-evm-utils.spec    | 1 -
> - packaging/ima-evm-utils.spec.in | 1 -
> - src/evmctl.c                    | 2 +-
> - 4 files changed, 2 insertions(+), 4 deletions(-)
> -
> -diff --git a/configure.ac b/configure.ac
> -index 6822f39cff69..06d061bc94ea 100644
> ---- a/configure.ac
> -+++ b/configure.ac
> -@@ -30,7 +30,7 @@ AC_SUBST(OPENSSL_LIBS)
> - AC_CHECK_HEADER(unistd.h)
> - AC_CHECK_HEADERS(openssl/conf.h)
> - 
> --AC_CHECK_HEADERS(attr/xattr.h, , [AC_MSG_ERROR([attr/xattr.h header not found. You need the libattr development package.])])
> -+AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])])
> - AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])])
> - 
> - #debug support - yes for a while
> -diff --git a/packaging/ima-evm-utils.spec b/packaging/ima-evm-utils.spec
> -index a11a27a18815..63388d2b444b 100644
> ---- a/packaging/ima-evm-utils.spec
> -+++ b/packaging/ima-evm-utils.spec
> -@@ -11,7 +11,6 @@ BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root
> - BuildRequires:    autoconf
> - BuildRequires:    automake
> - BuildRequires:    openssl-devel
> --BuildRequires:    libattr-devel
> - BuildRequires:    keyutils-libs-devel
> - 
> - %description
> -diff --git a/packaging/ima-evm-utils.spec.in b/packaging/ima-evm-utils.spec.in
> -index 7ca6c6fb3b0d..65c32f9e6445 100644
> ---- a/packaging/ima-evm-utils.spec.in
> -+++ b/packaging/ima-evm-utils.spec.in
> -@@ -11,7 +11,6 @@ BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root
> - BuildRequires:    autoconf
> - BuildRequires:    automake
> - BuildRequires:    openssl-devel
> --BuildRequires:    libattr-devel
> - BuildRequires:    keyutils-libs-devel
> - 
> - %description
> -diff --git a/src/evmctl.c b/src/evmctl.c
> -index 4422c0e84d4a..02eb84d4c341 100644
> ---- a/src/evmctl.c
> -+++ b/src/evmctl.c
> -@@ -49,7 +49,7 @@
> - #include <stdint.h>
> - #include <string.h>
> - #include <dirent.h>
> --#include <attr/xattr.h>
> -+#include <sys/xattr.h>
> - #include <linux/xattr.h>
> - #include <getopt.h>
> - #include <keyutils.h>
> diff --git a/patches/ima-evm-utils-1.1/series b/patches/ima-evm-utils-1.1/series
> deleted file mode 100644
> index 6fb042465042..000000000000
> --- a/patches/ima-evm-utils-1.1/series
> +++ /dev/null
> @@ -1,16 +0,0 @@
> -# generated by git-ptx-patches
> -#tag:base --start-number 1
> -0001-INSTALL-remove-file-at-it-s-autogenerated-by-autotoo.patch
> -0002-Makefile.am-rename-INCLUDES-AM_CPPFLAGS.patch
> -0003-evmctl-find-add-missing-closedir-dir-on-error.patch
> -0004-evmctl-find-add-missing-error-handling-and-propagate.patch
> -0005-evmctl-add-fallback-definitions-for-XATTR_NAME_IMA.patch
> -0006-evmctl-libimaevm-use-EVP_MAX_MD_SIZE-for-hash-size-i.patch
> -0007-libimaevm-use-SHA_DIGEST_LENGTH-instead-of-open-codi.patch
> -0008-evmctl-add-parameter-e-to-set-evm-hash-algo.patch
> -0009-evmctl-add-support-for-offline-image-preparation.patch
> -0010-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch
> -0011-HACK-don-t-generate-man-page.patch
> -0012-Fix-warning-for-non-debug-use-case.patch
> -0013-evmctl-use-correct-include-for-xattr.h.patch
> -# 5032e96fb6da7cb77f053c2b5a6edc44  - git-ptx-patches magic
> diff --git a/patches/ima-evm-utils-1.1/0003-evmctl-find-add-missing-closedir-dir-on-error.patch b/patches/ima-evm-utils-1.3.2/0001-evmctl-find-add-missing-closedir-dir-on-error.patch
> similarity index 79%
> rename from patches/ima-evm-utils-1.1/0003-evmctl-find-add-missing-closedir-dir-on-error.patch
> rename to patches/ima-evm-utils-1.3.2/0001-evmctl-find-add-missing-closedir-dir-on-error.patch
> index 4b1c84584479..5c91c4621a76 100644
> --- a/patches/ima-evm-utils-1.1/0003-evmctl-find-add-missing-closedir-dir-on-error.patch
> +++ b/patches/ima-evm-utils-1.3.2/0001-evmctl-find-add-missing-closedir-dir-on-error.patch
> @@ -10,10 +10,10 @@ Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
>   1 file changed, 2 insertions(+)
>  
>  diff --git a/src/evmctl.c b/src/evmctl.c
> -index 2ffee786865b..20eccfa93b2b 100644
> +index 1815f55d73e0..cca2fabdb2a6 100644
>  --- a/src/evmctl.c
>  +++ b/src/evmctl.c
> -@@ -1229,6 +1229,7 @@ static int find(const char *path, int dts, find_cb_t func)
> +@@ -1331,6 +1331,7 @@ static int find(const char *path, int dts, find_cb_t func)
>   
>   	if (fchdir(dirfd(dir))) {
>   		log_err("Failed to chdir %s\n", path);
> @@ -21,7 +21,7 @@ index 2ffee786865b..20eccfa93b2b 100644
>   		return -1;
>   	}
>   
> -@@ -1244,6 +1245,7 @@ static int find(const char *path, int dts, find_cb_t func)
> +@@ -1346,6 +1347,7 @@ static int find(const char *path, int dts, find_cb_t func)
>   
>   	if (chdir("..")) {
>   		log_err("Failed to chdir: %s\n", path);
> diff --git a/patches/ima-evm-utils-1.1/0004-evmctl-find-add-missing-error-handling-and-propagate.patch b/patches/ima-evm-utils-1.3.2/0002-evmctl-find-add-missing-error-handling-and-propagate.patch
> similarity index 87%
> rename from patches/ima-evm-utils-1.1/0004-evmctl-find-add-missing-error-handling-and-propagate.patch
> rename to patches/ima-evm-utils-1.3.2/0002-evmctl-find-add-missing-error-handling-and-propagate.patch
> index 68660d95eda0..62471489a9f2 100644
> --- a/patches/ima-evm-utils-1.1/0004-evmctl-find-add-missing-error-handling-and-propagate.patch
> +++ b/patches/ima-evm-utils-1.3.2/0002-evmctl-find-add-missing-error-handling-and-propagate.patch
> @@ -12,10 +12,10 @@ Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
>   1 file changed, 16 insertions(+), 4 deletions(-)
>  
>  diff --git a/src/evmctl.c b/src/evmctl.c
> -index 20eccfa93b2b..55fc619f5990 100644
> +index cca2fabdb2a6..e6761f2ae5e4 100644
>  --- a/src/evmctl.c
>  +++ b/src/evmctl.c
> -@@ -1234,13 +1234,20 @@ static int find(const char *path, int dts, find_cb_t func)
> +@@ -1336,13 +1336,20 @@ static int find(const char *path, int dts, find_cb_t func)
>   	}
>   
>   	while ((de = readdir(dir))) {
> @@ -38,7 +38,7 @@ index 20eccfa93b2b..55fc619f5990 100644
>   	}
>   
>   	if (chdir("..")) {
> -@@ -1249,8 +1256,13 @@ static int find(const char *path, int dts, find_cb_t func)
> +@@ -1351,8 +1358,13 @@ static int find(const char *path, int dts, find_cb_t func)
>   		return -1;
>   	}
>   
> diff --git a/patches/ima-evm-utils-1.1/0005-evmctl-add-fallback-definitions-for-XATTR_NAME_IMA.patch b/patches/ima-evm-utils-1.3.2/0003-evmctl-add-fallback-definitions-for-XATTR_NAME_IMA.patch
> similarity index 80%
> rename from patches/ima-evm-utils-1.1/0005-evmctl-add-fallback-definitions-for-XATTR_NAME_IMA.patch
> rename to patches/ima-evm-utils-1.3.2/0003-evmctl-add-fallback-definitions-for-XATTR_NAME_IMA.patch
> index 69aadb377668..0de24af6a0e7 100644
> --- a/patches/ima-evm-utils-1.1/0005-evmctl-add-fallback-definitions-for-XATTR_NAME_IMA.patch
> +++ b/patches/ima-evm-utils-1.3.2/0003-evmctl-add-fallback-definitions-for-XATTR_NAME_IMA.patch
> @@ -10,12 +10,12 @@ Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
>   1 file changed, 5 insertions(+)
>  
>  diff --git a/src/evmctl.c b/src/evmctl.c
> -index 55fc619f5990..de53be37b69b 100644
> +index e6761f2ae5e4..a1fd9feaea78 100644
>  --- a/src/evmctl.c
>  +++ b/src/evmctl.c
> -@@ -62,6 +62,11 @@
> - #include <openssl/err.h>
> - #include <openssl/rsa.h>
> +@@ -72,6 +72,11 @@
> + #define XATTR_NAME_APPARMOR XATTR_SECURITY_PREFIX XATTR_APPARMOR_SUFFIX
> + #endif
>   
>  +#ifndef XATTR_NAME_IMA
>  +#define XATTR_IMA_SUFFIX "ima"
> diff --git a/patches/ima-evm-utils-1.1/0007-libimaevm-use-SHA_DIGEST_LENGTH-instead-of-open-codi.patch b/patches/ima-evm-utils-1.3.2/0004-libimaevm-use-SHA_DIGEST_LENGTH-instead-of-open-codi.patch
> similarity index 76%
> rename from patches/ima-evm-utils-1.1/0007-libimaevm-use-SHA_DIGEST_LENGTH-instead-of-open-codi.patch
> rename to patches/ima-evm-utils-1.3.2/0004-libimaevm-use-SHA_DIGEST_LENGTH-instead-of-open-codi.patch
> index 2164c6238e78..e20cfaa826df 100644
> --- a/patches/ima-evm-utils-1.1/0007-libimaevm-use-SHA_DIGEST_LENGTH-instead-of-open-codi.patch
> +++ b/patches/ima-evm-utils-1.3.2/0004-libimaevm-use-SHA_DIGEST_LENGTH-instead-of-open-codi.patch
> @@ -8,10 +8,10 @@ Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
>   1 file changed, 2 insertions(+), 2 deletions(-)
>  
>  diff --git a/src/libimaevm.c b/src/libimaevm.c
> -index 8fc23be08bd7..b6c328801708 100644
> +index fa6c27858d0f..002b0657337c 100644
>  --- a/src/libimaevm.c
>  +++ b/src/libimaevm.c
> -@@ -379,7 +379,7 @@ int verify_hash_v1(const char *file, const unsigned char *hash, int size,
> +@@ -382,7 +382,7 @@ static int verify_hash_v1(const char *file, const unsigned char *hash, int size,
>   	SHA_CTX ctx;
>   	unsigned char out[1024];
>   	RSA *key;
> @@ -20,7 +20,7 @@ index 8fc23be08bd7..b6c328801708 100644
>   	struct signature_hdr *hdr = (struct signature_hdr *)sig;
>   
>   	log_info("hash-v1: ");
> -@@ -744,7 +744,7 @@ int sign_hash_v1(const char *hashalgo, const unsigned char *hash, int size, cons
> +@@ -805,7 +805,7 @@ static int sign_hash_v1(const char *hashalgo, const unsigned char *hash,
>   	unsigned char pub[1024];
>   	RSA *key;
>   	char name[20];
> diff --git a/patches/ima-evm-utils-1.1/0009-evmctl-add-support-for-offline-image-preparation.patch b/patches/ima-evm-utils-1.3.2/0005-evmctl-add-support-for-offline-image-preparation.patch
> similarity index 78%
> rename from patches/ima-evm-utils-1.1/0009-evmctl-add-support-for-offline-image-preparation.patch
> rename to patches/ima-evm-utils-1.3.2/0005-evmctl-add-support-for-offline-image-preparation.patch
> index 6d9b40fc5b43..75d92734190c 100644
> --- a/patches/ima-evm-utils-1.1/0009-evmctl-add-support-for-offline-image-preparation.patch
> +++ b/patches/ima-evm-utils-1.3.2/0005-evmctl-add-support-for-offline-image-preparation.patch
> @@ -33,29 +33,29 @@ Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
>  ---
>   src/evmctl.c    | 57 +++++++++++++++++++++++++++++++++++++++++++++++++--------
>   src/imaevm.h    |  1 +
> - src/libimaevm.c | 25 ++++++++++++++++++++++++-
> - 3 files changed, 74 insertions(+), 9 deletions(-)
> + src/libimaevm.c | 24 +++++++++++++++++++++++-
> + 3 files changed, 73 insertions(+), 9 deletions(-)
>  
>  diff --git a/src/evmctl.c b/src/evmctl.c
> -index 5d664005e915..9003f7640c0f 100644
> +index a1fd9feaea78..a4d784a5bfb6 100644
>  --- a/src/evmctl.c
>  +++ b/src/evmctl.c
> -@@ -337,6 +337,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> +@@ -352,6 +352,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> + #else
>   	pctx = EVP_MD_CTX_new();
>   #endif
> - 	const EVP_MD *md;
>  +	ino_t ino;
>   
>   	if (lstat(file, &st)) {
>   		log_err("Failed to stat: %s\n", file);
> -@@ -371,9 +372,25 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> +@@ -386,9 +387,25 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
>   			}
>   			close(fd);
>   		}
>  -		log_info("generation: %u\n", generation);
>   	}
>   
> -+	if (params.image_mode) {
> ++	if (imaevm_params.image_mode) {
>  +		char buf[128] = { };
>  +
>  +		err = lgetxattr(file, "user.image-inode-number", buf, sizeof(buf) - 1);
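
Review bot: In the image-mode block of calc_evm_hash(), the inode number is read from `user.image-inode-number`, and the `user.` xattr namespace can be set by anyone with write access to the file, so the patch description should state that image mode is only meant for a tree the signer controls. The handling of `err` lies outside the visible context; a missing or unparsable attribute should abort the hash calculation rather than continue with an unset `ino`.
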
> @@ -75,7 +75,7 @@ index 5d664005e915..9003f7640c0f 100644
>   	list_size = llistxattr(file, list, sizeof(list));
>   	if (list_size < 0) {
>   		log_err("llistxattr() failed\n");
> -@@ -439,7 +456,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> +@@ -470,7 +487,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
>   
>   		hmac_size = sizeof(*hmac);
>   		if (!evm_portable) {
> @@ -84,7 +84,7 @@ index 5d664005e915..9003f7640c0f 100644
>   			hmac->generation = generation;
>   		}
>   		hmac->uid = st.st_uid;
> -@@ -450,7 +467,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> +@@ -481,7 +498,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
>   
>   		hmac_size = sizeof(*hmac);
>   		if (!evm_portable) {
> @@ -93,7 +93,7 @@ index 5d664005e915..9003f7640c0f 100644
>   			hmac->generation = generation;
>   		}
>   		hmac->uid = st.st_uid;
> -@@ -461,7 +478,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> +@@ -492,7 +509,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
>   
>   		hmac_size = sizeof(*hmac);
>   		if (!evm_portable) {
> @@ -102,19 +102,19 @@ index 5d664005e915..9003f7640c0f 100644
>   			hmac->generation = generation;
>   		}
>   		hmac->uid = st.st_uid;
> -@@ -1000,6 +1017,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
> +@@ -1085,6 +1102,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
> + #else
>   	pctx = HMAC_CTX_new();
>   #endif
> - 	const EVP_MD *md;
>  +	ino_t ino;
>   
>   	key = file2bin(keyfile, NULL, &keylen);
>   	if (!key) {
> -@@ -1038,10 +1056,26 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
> +@@ -1123,10 +1141,26 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
>   		close(fd);
>   	}
>   
> -+	if (params.image_mode) {
> ++	if (imaevm_params.image_mode) {
>  +		char buf[128] = { };
>  +
>  +		err = lgetxattr(file, "user.image-inode-number", buf, sizeof(buf) - 1);
> @@ -137,7 +137,7 @@ index 5d664005e915..9003f7640c0f 100644
>   		log_err("llistxattr() failed: %s\n", file);
>   		goto out;
>   	}
> -@@ -1084,7 +1118,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
> +@@ -1170,7 +1204,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
>   		struct h_misc *hmac = (struct h_misc *)&hmac_misc;
>   
>   		hmac_size = sizeof(*hmac);
> @@ -146,7 +146,7 @@ index 5d664005e915..9003f7640c0f 100644
>   		hmac->generation = generation;
>   		hmac->uid = st.st_uid;
>   		hmac->gid = st.st_gid;
> -@@ -1093,7 +1127,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
> +@@ -1179,7 +1213,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
>   		struct h_misc_64 *hmac = (struct h_misc_64 *)&hmac_misc;
>   
>   		hmac_size = sizeof(*hmac);
> @@ -155,7 +155,7 @@ index 5d664005e915..9003f7640c0f 100644
>   		hmac->generation = generation;
>   		hmac->uid = st.st_uid;
>   		hmac->gid = st.st_gid;
> -@@ -1102,7 +1136,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
> +@@ -1188,7 +1222,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
>   		struct h_misc_32 *hmac = (struct h_misc_32 *)&hmac_misc;
>   
>   		hmac_size = sizeof(*hmac);
> @@ -164,7 +164,7 @@ index 5d664005e915..9003f7640c0f 100644
>   		hmac->generation = generation;
>   		hmac->uid = st.st_uid;
>   		hmac->gid = st.st_gid;
> -@@ -1666,6 +1700,9 @@ static void usage(void)
> +@@ -2476,6 +2510,9 @@ static void usage(void)
>   		"      --smack        use extra SMACK xattrs for EVM\n"
>   		"      --m32          force EVM hmac/signature for 32 bit target system\n"
>   		"      --m64          force EVM hmac/signature for 64 bit target system\n"
> @@ -174,7 +174,7 @@ index 5d664005e915..9003f7640c0f 100644
>   		"      --ino          use custom inode for EVM\n"
>   		"      --uid          use custom UID for EVM\n"
>   		"      --gid          use custom GID for EVM\n"
> -@@ -1716,6 +1753,7 @@ static struct option opts[] = {
> +@@ -2528,6 +2565,7 @@ static struct option opts[] = {
>   	{"recursive", 0, 0, 'r'},
>   	{"m32", 0, 0, '3'},
>   	{"m64", 0, 0, '6'},
> @@ -182,31 +182,31 @@ index 5d664005e915..9003f7640c0f 100644
>   	{"portable", 0, 0, 'o'},
>   	{"smack", 0, 0, 128},
>   	{"version", 0, 0, 129},
> -@@ -1774,7 +1812,7 @@ int main(int argc, char *argv[])
> +@@ -2600,7 +2638,7 @@ int main(int argc, char *argv[])
>   	g_argc = argc;
>   
>   	while (1) {
> --		c = getopt_long(argc, argv, "hvnsda:e:op::fu::k:t:ri", opts, &lind);
> -+		c = getopt_long(argc, argv, "hvnsda:e:op::fu::k:t:rim", opts, &lind);
> +-		c = getopt_long(argc, argv, "hvnsda:op::fu::k:t:ri", opts, &lind);
> ++		c = getopt_long(argc, argv, "hvnsda:op::fu::k:t:rim", opts, &lind);
>   		if (c == -1)
>   			break;
>   
> -@@ -1847,6 +1885,9 @@ int main(int argc, char *argv[])
> +@@ -2670,6 +2708,9 @@ int main(int argc, char *argv[])
>   		case '6':
>   			msize = 64;
>   			break;
>  +		case 'm':
> -+			params.image_mode = true;
> ++			imaevm_params.image_mode = true;
>  +			break;
>   		case 128:
>   			evm_config_xattrnames = evm_extra_smack_xattrs;
>   			break;
>  diff --git a/src/imaevm.h b/src/imaevm.h
> -index ed92e4d8981d..7e32d09c6538 100644
> +index 45039199ab31..2f78a31ab438 100644
>  --- a/src/imaevm.h
>  +++ b/src/imaevm.h
> -@@ -182,6 +182,7 @@ struct libevm_params {
> - 	const char *evm_hash_algo;
> +@@ -196,6 +196,7 @@ struct libimaevm_params {
> + 	const char *hash_algo;
>   	const char *keyfile;
>   	const char *keypass;
>  +	bool image_mode;
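
Review bot: The getopt_long() option string no longer contains `e:` (it is now "hvnsda:op::fu::k:t:rim"), so a caller that still selects the EVM hash algorithm with `-e` is no longer served by that option. Check the in-tree users of evmctl and move them to `-a`, as the patch-queue notes in the commit message describe, so that a stale `-e` does not go unnoticed.
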
> @@ -214,31 +214,23 @@ index ed92e4d8981d..7e32d09c6538 100644
>   
>   struct RSA_ASN1_template {
>  diff --git a/src/libimaevm.c b/src/libimaevm.c
> -index 4c093a038b72..866f74b39b41 100644
> +index 002b0657337c..1cdf1dc590cc 100644
>  --- a/src/libimaevm.c
>  +++ b/src/libimaevm.c
> -@@ -40,6 +40,7 @@
> - 
> - /* should we use logger instead for library? */
> - #define USE_FPRINTF
> -+#define _GNU_SOURCE
> - 
> - #include <sys/types.h>
> - #include <sys/param.h>
> -@@ -49,6 +50,7 @@
> - #include <dirent.h>
> - #include <string.h>
> +@@ -51,6 +51,7 @@
>   #include <stdio.h>
> + #include <assert.h>
> + #include <ctype.h>
>  +#include <sys/xattr.h>
>   
> + #include <openssl/crypto.h>
>   #include <openssl/pem.h>
> - #include <openssl/evp.h>
> -@@ -224,7 +226,28 @@ static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
> +@@ -193,7 +194,28 @@ static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
>   	}
>   
>   	while ((de = readdir(dir))) {
>  -		ino = de->d_ino;
> -+		if (params.image_mode) {
> ++		if (imaevm_params.image_mode) {
>  +			char *name;
>  +			char buf[128] = { };
>  +
> diff --git a/patches/ima-evm-utils-1.1/0010-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch b/patches/ima-evm-utils-1.3.2/0006-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch
> similarity index 86%
> rename from patches/ima-evm-utils-1.1/0010-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch
> rename to patches/ima-evm-utils-1.3.2/0006-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch
> index 12b77a132002..251f7136b42b 100644
> --- a/patches/ima-evm-utils-1.1/0010-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch
> +++ b/patches/ima-evm-utils-1.3.2/0006-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch
> @@ -15,16 +15,16 @@ Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
>   1 file changed, 3 insertions(+)
>  
>  diff --git a/src/libimaevm.c b/src/libimaevm.c
> -index 866f74b39b41..834b738426bf 100644
> +index 1cdf1dc590cc..6bb0b0757c42 100644
>  --- a/src/libimaevm.c
>  +++ b/src/libimaevm.c
> -@@ -226,6 +226,9 @@ static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
> +@@ -194,6 +194,9 @@ static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
>   	}
>   
>   	while ((de = readdir(dir))) {
>  +		if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, ".."))
>  +			continue;
>  +
> - 		if (params.image_mode) {
> + 		if (imaevm_params.image_mode) {
>   			char *name;
>   			char buf[128] = { };
> diff --git a/patches/ima-evm-utils-1.1/0012-Fix-warning-for-non-debug-use-case.patch b/patches/ima-evm-utils-1.3.2/0007-Fix-warning-for-non-debug-use-case.patch
> similarity index 86%
> rename from patches/ima-evm-utils-1.1/0012-Fix-warning-for-non-debug-use-case.patch
> rename to patches/ima-evm-utils-1.3.2/0007-Fix-warning-for-non-debug-use-case.patch
> index 80073f19aaf5..2cddf569a91d 100644
> --- a/patches/ima-evm-utils-1.1/0012-Fix-warning-for-non-debug-use-case.patch
> +++ b/patches/ima-evm-utils-1.3.2/0007-Fix-warning-for-non-debug-use-case.patch
> @@ -14,10 +14,10 @@ Signed-off-by: Juergen Borleis <jbe@pengutronix.de>
>   1 file changed, 1 insertion(+), 1 deletion(-)
>  
>  diff --git a/src/evmctl.c b/src/evmctl.c
> -index 9003f7640c0f..4422c0e84d4a 100644
> +index a4d784a5bfb6..7c1f15082615 100644
>  --- a/src/evmctl.c
>  +++ b/src/evmctl.c
> -@@ -1191,7 +1191,7 @@ static int hmac_evm(const char *file, const char *key)
> +@@ -1279,7 +1279,7 @@ static int hmac_evm(const char *file, const char *key)
>   	return 0;
>   }
>   
> diff --git a/patches/ima-evm-utils-1.1/autogen.sh b/patches/ima-evm-utils-1.3.2/autogen.sh
> similarity index 100%
> rename from patches/ima-evm-utils-1.1/autogen.sh
> rename to patches/ima-evm-utils-1.3.2/autogen.sh
> diff --git a/patches/ima-evm-utils-1.3.2/series b/patches/ima-evm-utils-1.3.2/series
> new file mode 100644
> index 000000000000..36781ea6bb6f
> --- /dev/null
> +++ b/patches/ima-evm-utils-1.3.2/series
> @@ -0,0 +1,10 @@
> +# generated by git-ptx-patches
> +#tag:base --start-number 1
> +0001-evmctl-find-add-missing-closedir-dir-on-error.patch
> +0002-evmctl-find-add-missing-error-handling-and-propagate.patch
> +0003-evmctl-add-fallback-definitions-for-XATTR_NAME_IMA.patch
> +0004-libimaevm-use-SHA_DIGEST_LENGTH-instead-of-open-codi.patch
> +0005-evmctl-add-support-for-offline-image-preparation.patch
> +0006-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch
> +0007-Fix-warning-for-non-debug-use-case.patch
> +# f8ecfd002cf2ee8244984a1757a1bfea  - git-ptx-patches magic
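
Review bot: The new series stops at 0007 and has no counterpart for the deleted 0011-HACK-don-t-generate-man-page.patch, while the patch-queue notes in the commit message still describe that patch as carried over ("old 0011, new 0009"). If man page generation is now suppressed only through the configure environment in rules/ima-evm-utils.make, the commit message should say so.
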
> diff --git a/rules/ima-evm-utils.make b/rules/ima-evm-utils.make
> index 3a0ce4660c87..fb500fb169aa 100644
> --- a/rules/ima-evm-utils.make
> +++ b/rules/ima-evm-utils.make
> @@ -1,7 +1,7 @@
>  # -*-makefile-*-
>  #
>  # Copyright (C) 2013 by Michael Grzeschik <mgr@pengutronix.de>
> -#               2015 by Marc Kleine-Budde <mkl@pengutronix.de>
> +#               2015, 2020 by Marc Kleine-Budde <mkl@pengutronix.de>
>  #               2021 Roland Hieber, Pengutronix <rhi@pengutronix.de>
>  #
>  # For further information about the PTXdist project and license conditions
> @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_IMA_EVM_UTILS) += ima-evm-utils
>  #
>  # Paths and names
>  #
> -IMA_EVM_UTILS_VERSION	:= 1.1
> -IMA_EVM_UTILS_MD5	:= 77455aeee54fdc7a70c733bcb65d33cc
> +IMA_EVM_UTILS_VERSION	:= 1.3.2
> +IMA_EVM_UTILS_MD5	:= 55cc0e2c77a725f722833c3b4a36038c
>  IMA_EVM_UTILS		:= ima-evm-utils-$(IMA_EVM_UTILS_VERSION)
>  IMA_EVM_UTILS_SUFFIX	:= tar.gz
>  IMA_EVM_UTILS_URL	:= $(call ptx/mirror, SF, linux-ima/ima-evm-utils/$(IMA_EVM_UTILS).$(IMA_EVM_UTILS_SUFFIX))
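
Review bot: `IMA_EVM_UTILS_MD5` is the only integrity pin for the new 1.3.2 tarball, and MD5 does not resist deliberate collisions. State in the commit message how the tarball was verified before the digest was recorded, for example against a stronger checksum or a signature if upstream publishes one.
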
> @@ -32,9 +32,16 @@ IMA_EVM_UTILS_LICENSE_FILES	:= \
>  # Prepare
>  # ----------------------------------------------------------------------------
>  
> +IMA_EVM_UTILS_CONF_ENV := \
> +	$(CROSS_ENV) \
> +	ac_cv_lib_tss2_esys_Esys_Free=no \
> +	ac_cv_lib_tss2_rc_Tss2_RC_Decode=no \
> +	ac_cv_path_XMLCATALOG=
> +
>  IMA_EVM_UTILS_CONF_TOOL := autoconf
>  IMA_EVM_UTILS_AUTOCONF := \
>  	$(CROSS_AUTOCONF_USR) \
> +	--enable-openssl-conf \
>  	--disable-debug
>  
>  # ----------------------------------------------------------------------------
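
Review bot: The three cache variables in `IMA_EVM_UTILS_CONF_ENV` and the new `--enable-openssl-conf` switch come without a comment. Add a line saying that `ac_cv_lib_tss2_esys_Esys_Free=no` and `ac_cv_lib_tss2_rc_Tss2_RC_Decode=no` preset the tss2 library checks to "not found", that the empty `ac_cv_path_XMLCATALOG=` presets the xmlcatalog lookup (presumably to keep the result independent of the build host), and why `--enable-openssl-conf` is turned on.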
