From ce23f01656f6abbed6c663c2f8d023a23d950180 Mon Sep 17 00:00:00 2001
From: xuce
Date: Thu, 28 Nov 2024 21:36:23 +0800
Subject: [PATCH] Add example of how to import digest list when using IMA appraise
Signed-off-by: xuce
---
 secpaver-secconf-1.0.0/secconf/gen/gen_ima | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/secpaver-secconf-1.0.0/secconf/gen/gen_ima b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
index 6436c78..a657614 100644
--- a/secpaver-secconf-1.0.0/secconf/gen/gen_ima
+++ b/secpaver-secconf-1.0.0/secconf/gen/gen_ima
@@ -155,7 +155,15 @@ fi
 if [[ ${#common_list[@]} -gt 0 || ${#appraise_list[@]} -gt 0 ]]; then
 echo "appraise func=DIGEST_LIST_CHECK appraise_type=imasig|modsig" >> $tmp_policy
- echo "IMA appraise has been successfully enabled!"
+ echo "IMA appraise has been successfully enabled! If you want to run some executable file which appraised by IMA, you need to
+1)generate digest list by gen_digest_lists
+2)sign it with evmctl
+3)import it to /sys/kernel/security/digest_list_data. Correspondingly, if you don't want it to be executed, import it to /sys/kernel/security/digest_list_data_d
+el.
+Here is an example:
+1)gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/ls -d ./
+2)evmctl ima_sign --key /path/to/ima.key -a sha256
+3)echo > /sys/kernel/security/ima/digest_list_data
 fi
 if [[ ${#common_list[@]} -gt 0 || ${#measure_list[@]} -gt 0 ]]; then
-- 
2.33.0
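Review bot: The new guidance in the added echo string is internally inconsistent and the example commands are incomplete, so an operator following it to load a digest list for appraisal is likely to write to the wrong securityfs node or to write nothing at all. The prose names `/sys/kernel/security/digest_list_data` and `/sys/kernel/security/digest_list_data_del` while the example writes to `/sys/kernel/security/ima/digest_list_data`; only one of these is the real interface, and the `_d` / `el.` line break in the string means the printed deletion path is split across two lines and cannot be copied as given. Step 2 (`evmctl ima_sign`) has no file operand and step 3 (`echo > …`) has no digest-list path, so as printed it writes an empty line; if a placeholder in angle brackets was lost when the patch was rendered, it should be restored in a form that survives plain text. Since the message is multi-line, a quoted heredoc is also the idiomatic way to print it, avoiding a single echo string that spans nine source lines; the enclosing `if … fi` block is entirely inside the hunk.
```shell
    echo "appraise func=DIGEST_LIST_CHECK appraise_type=imasig|modsig" >> $tmp_policy
    # Path below is the one the original example used; verify it against the kernel's securityfs layout.
    cat <<'EOF'
IMA appraise has been successfully enabled! To run an executable that IMA appraises, you need to
1) generate a digest list with gen_digest_lists
2) sign it with evmctl
3) import it to /sys/kernel/security/ima/digest_list_data. Correspondingly, to prevent it from being executed, import it to /sys/kernel/security/ima/digest_list_data_del.
Here is an example (replace DIGEST_LIST_FILE with the file produced in step 1):
1) gen_digest_lists -t metadata -f compact -i l:policy -o add -p -1 -m immutable -i I:/usr/bin/ls -d ./
2) evmctl ima_sign --key /path/to/ima.key -a sha256 DIGEST_LIST_FILE
3) echo DIGEST_LIST_FILE > /sys/kernel/security/ima/digest_list_data
EOF
```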