From dc3260fb393cdf1163fc8b8b3e3532ead800a686 Mon Sep 17 00:00:00 2001
From: xucee
Date: Thu, 28 Nov 2024 21:01:12 +0800
Subject: Add example of how to import digest list when using IMA appraise

---
 secconf/gen/gen_ima | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/secconf/gen/gen_ima b/secconf/gen/gen_ima
index 6436c78..0657cdf 100644
--- a/secconf/gen/gen_ima
+++ b/secconf/gen/gen_ima
@@ -155,7 +155,14 @@ fi
 
 if [[ ${#common_list[@]} -gt 0 || ${#appraise_list[@]} -gt 0 ]]; then
 echo "appraise func=DIGEST_LIST_CHECK appraise_type=imasig|modsig" >> $tmp_policy
-echo "IMA appraise has been successfully enabled!"
+echo "IMA appraise has been successfully enabled! If you want to run some executable file which appraised by IMA, you need to
+1)generate digest list by gen_digest_lists
+2)sign it with evmctl
+3)import it to /sys/kernel/security/digest_list_data. Correspondingly, if you don't want it to be executed, import it to /sys/kernel/security/digest_list_data_del.
+Here is an example:
+1)gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/ls -d ./
+2)evmctl ima_sign --key /path/to/ima.key -a sha256
+3)echo > /sys/kernel/security/ima/digest_list_data"
 fi
 
 if [[ ${#common_list[@]} -gt 0 || ${#measure_list[@]} -gt 0 ]]; then
-- 
2.33.0
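Review bot: The added instructions name two different securityfs paths for the same step — the prose says `/sys/kernel/security/digest_list_data` (and `..._del`) while the worked example writes to `/sys/kernel/security/ima/digest_list_data` — so a user following the text will hit a non-existent node on one of them; both should name whichever path the kernel actually exposes. The example also cannot be run as printed, since `evmctl ima_sign --key /path/to/ima.key -a sha256` has no file to sign and `echo > /sys/kernel/security/ima/digest_list_data` writes only a newline; presumably both need the generated digest-list file, e.g. `2)evmctl ima_sign --key /path/to/ima.key -a sha256 <digest-list-file>` and `3)echo <digest-list-file> > /sys/kernel/security/ima/digest_list_data` (placeholders). Because the appraise list is an allow-list for execution, an operator who copies the incomplete step 3 would believe the list was imported when nothing was, so the example is worth getting exactly right. As a matter of style, an eight-line message inside a double-quoted `echo` is hard to maintain and expands nothing; a `cat <<'EOF'` here-doc (or `printf '%s\n'` per line) would read better, and "which appraised by IMA" should be "which is appraised by IMA".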