path: root/patches/ima-evm-utils-1.0
author     Marc Kleine-Budde <mkl@pengutronix.de>    2015-11-13 11:16:28 +0100
committer  Marc Kleine-Budde <mkl@pengutronix.de>    2015-11-19 11:40:07 +0100
commit     13990299f9f1914f128f8ecaba05ad85c0afc5d9 (patch)
tree       77735e4aa78c303c432d769cd663ed268c5edff7 /patches/ima-evm-utils-1.0
parent     784e047d4ca009890cfdda6badcff5e416096911 (diff)
ima-evm-utils: version bump to 1.0
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Diffstat (limited to 'patches/ima-evm-utils-1.0')
-rw-r--r--  patches/ima-evm-utils-1.0/0001-INSTALL-remove-file-at-it-s-autogenerated-by-autotoo.patch  389
-rw-r--r--  patches/ima-evm-utils-1.0/0002-Makefile.am-rename-INCLUDES-AM_CPPFLAGS.patch  40
-rw-r--r--  patches/ima-evm-utils-1.0/0003-evmctl-find-add-missing-closedir-dir-on-error.patch  31
-rw-r--r--  patches/ima-evm-utils-1.0/0004-evmctl-find-add-missing-error-handling-and-propagate.patch  40
-rw-r--r--  patches/ima-evm-utils-1.0/0005-evmctl-add-support-for-offline-image-preparation.patch  265
-rw-r--r--  patches/ima-evm-utils-1.0/0006-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch  30
-rw-r--r--  patches/ima-evm-utils-1.0/0007-HACK-don-t-generate-man-page.patch  19
l---------  patches/ima-evm-utils-1.0/autogen.sh  1
-rw-r--r--  patches/ima-evm-utils-1.0/series  10
9 files changed, 825 insertions, 0 deletions
diff --git a/patches/ima-evm-utils-1.0/0001-INSTALL-remove-file-at-it-s-autogenerated-by-autotoo.patch b/patches/ima-evm-utils-1.0/0001-INSTALL-remove-file-at-it-s-autogenerated-by-autotoo.patch
new file mode 100644
index 000000000..c035197d9
--- /dev/null
+++ b/patches/ima-evm-utils-1.0/0001-INSTALL-remove-file-at-it-s-autogenerated-by-autotoo.patch
@@ -0,0 +1,389 @@
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Wed, 18 Nov 2015 15:15:15 +0100
+Subject: [PATCH] INSTALL: remove file, at it's autogenerated by autotools
+
+This patch remove the file "INSTALL" which is autogenerated during
+./autogen.sh.
+
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+---
+ INSTALL | 370 ----------------------------------------------------------------
+ 1 file changed, 370 deletions(-)
+ delete mode 100644 INSTALL
+
+diff --git a/INSTALL b/INSTALL
+deleted file mode 100644
+index 007e9396d0a2..000000000000
+--- a/INSTALL
++++ /dev/null
+@@ -1,370 +0,0 @@
+-Installation Instructions
+-*************************
+-
+-Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation,
+-Inc.
+-
+- Copying and distribution of this file, with or without modification,
+-are permitted in any medium without royalty provided the copyright
+-notice and this notice are preserved. This file is offered as-is,
+-without warranty of any kind.
+-
+-Basic Installation
+-==================
+-
+- Briefly, the shell commands `./configure; make; make install' should
+-configure, build, and install this package. The following
+-more-detailed instructions are generic; see the `README' file for
+-instructions specific to this package. Some packages provide this
+-`INSTALL' file but do not implement all of the features documented
+-below. The lack of an optional feature in a given package is not
+-necessarily a bug. More recommendations for GNU packages can be found
+-in *note Makefile Conventions: (standards)Makefile Conventions.
+-
+- The `configure' shell script attempts to guess correct values for
+-various system-dependent variables used during compilation. It uses
+-those values to create a `Makefile' in each directory of the package.
+-It may also create one or more `.h' files containing system-dependent
+-definitions. Finally, it creates a shell script `config.status' that
+-you can run in the future to recreate the current configuration, and a
+-file `config.log' containing compiler output (useful mainly for
+-debugging `configure').
+-
+- It can also use an optional file (typically called `config.cache'
+-and enabled with `--cache-file=config.cache' or simply `-C') that saves
+-the results of its tests to speed up reconfiguring. Caching is
+-disabled by default to prevent problems with accidental use of stale
+-cache files.
+-
+- If you need to do unusual things to compile the package, please try
+-to figure out how `configure' could check whether to do them, and mail
+-diffs or instructions to the address given in the `README' so they can
+-be considered for the next release. If you are using the cache, and at
+-some point `config.cache' contains results you don't want to keep, you
+-may remove or edit it.
+-
+- The file `configure.ac' (or `configure.in') is used to create
+-`configure' by a program called `autoconf'. You need `configure.ac' if
+-you want to change it or regenerate `configure' using a newer version
+-of `autoconf'.
+-
+- The simplest way to compile this package is:
+-
+- 1. `cd' to the directory containing the package's source code and type
+- `./configure' to configure the package for your system.
+-
+- Running `configure' might take a while. While running, it prints
+- some messages telling which features it is checking for.
+-
+- 2. Type `make' to compile the package.
+-
+- 3. Optionally, type `make check' to run any self-tests that come with
+- the package, generally using the just-built uninstalled binaries.
+-
+- 4. Type `make install' to install the programs and any data files and
+- documentation. When installing into a prefix owned by root, it is
+- recommended that the package be configured and built as a regular
+- user, and only the `make install' phase executed with root
+- privileges.
+-
+- 5. Optionally, type `make installcheck' to repeat any self-tests, but
+- this time using the binaries in their final installed location.
+- This target does not install anything. Running this target as a
+- regular user, particularly if the prior `make install' required
+- root privileges, verifies that the installation completed
+- correctly.
+-
+- 6. You can remove the program binaries and object files from the
+- source code directory by typing `make clean'. To also remove the
+- files that `configure' created (so you can compile the package for
+- a different kind of computer), type `make distclean'. There is
+- also a `make maintainer-clean' target, but that is intended mainly
+- for the package's developers. If you use it, you may have to get
+- all sorts of other programs in order to regenerate files that came
+- with the distribution.
+-
+- 7. Often, you can also type `make uninstall' to remove the installed
+- files again. In practice, not all packages have tested that
+- uninstallation works correctly, even though it is required by the
+- GNU Coding Standards.
+-
+- 8. Some packages, particularly those that use Automake, provide `make
+- distcheck', which can by used by developers to test that all other
+- targets like `make install' and `make uninstall' work correctly.
+- This target is generally not run by end users.
+-
+-Compilers and Options
+-=====================
+-
+- Some systems require unusual options for compilation or linking that
+-the `configure' script does not know about. Run `./configure --help'
+-for details on some of the pertinent environment variables.
+-
+- You can give `configure' initial values for configuration parameters
+-by setting variables in the command line or in the environment. Here
+-is an example:
+-
+- ./configure CC=c99 CFLAGS=-g LIBS=-lposix
+-
+- *Note Defining Variables::, for more details.
+-
+-Compiling For Multiple Architectures
+-====================================
+-
+- You can compile the package for more than one kind of computer at the
+-same time, by placing the object files for each architecture in their
+-own directory. To do this, you can use GNU `make'. `cd' to the
+-directory where you want the object files and executables to go and run
+-the `configure' script. `configure' automatically checks for the
+-source code in the directory that `configure' is in and in `..'. This
+-is known as a "VPATH" build.
+-
+- With a non-GNU `make', it is safer to compile the package for one
+-architecture at a time in the source code directory. After you have
+-installed the package for one architecture, use `make distclean' before
+-reconfiguring for another architecture.
+-
+- On MacOS X 10.5 and later systems, you can create libraries and
+-executables that work on multiple system types--known as "fat" or
+-"universal" binaries--by specifying multiple `-arch' options to the
+-compiler but only a single `-arch' option to the preprocessor. Like
+-this:
+-
+- ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
+- CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
+- CPP="gcc -E" CXXCPP="g++ -E"
+-
+- This is not guaranteed to produce working output in all cases, you
+-may have to build one architecture at a time and combine the results
+-using the `lipo' tool if you have problems.
+-
+-Installation Names
+-==================
+-
+- By default, `make install' installs the package's commands under
+-`/usr/local/bin', include files under `/usr/local/include', etc. You
+-can specify an installation prefix other than `/usr/local' by giving
+-`configure' the option `--prefix=PREFIX', where PREFIX must be an
+-absolute file name.
+-
+- You can specify separate installation prefixes for
+-architecture-specific files and architecture-independent files. If you
+-pass the option `--exec-prefix=PREFIX' to `configure', the package uses
+-PREFIX as the prefix for installing programs and libraries.
+-Documentation and other data files still use the regular prefix.
+-
+- In addition, if you use an unusual directory layout you can give
+-options like `--bindir=DIR' to specify different values for particular
+-kinds of files. Run `configure --help' for a list of the directories
+-you can set and what kinds of files go in them. In general, the
+-default for these options is expressed in terms of `${prefix}', so that
+-specifying just `--prefix' will affect all of the other directory
+-specifications that were not explicitly provided.
+-
+- The most portable way to affect installation locations is to pass the
+-correct locations to `configure'; however, many packages provide one or
+-both of the following shortcuts of passing variable assignments to the
+-`make install' command line to change installation locations without
+-having to reconfigure or recompile.
+-
+- The first method involves providing an override variable for each
+-affected directory. For example, `make install
+-prefix=/alternate/directory' will choose an alternate location for all
+-directory configuration variables that were expressed in terms of
+-`${prefix}'. Any directories that were specified during `configure',
+-but not in terms of `${prefix}', must each be overridden at install
+-time for the entire installation to be relocated. The approach of
+-makefile variable overrides for each directory variable is required by
+-the GNU Coding Standards, and ideally causes no recompilation.
+-However, some platforms have known limitations with the semantics of
+-shared libraries that end up requiring recompilation when using this
+-method, particularly noticeable in packages that use GNU Libtool.
+-
+- The second method involves providing the `DESTDIR' variable. For
+-example, `make install DESTDIR=/alternate/directory' will prepend
+-`/alternate/directory' before all installation names. The approach of
+-`DESTDIR' overrides is not required by the GNU Coding Standards, and
+-does not work on platforms that have drive letters. On the other hand,
+-it does better at avoiding recompilation issues, and works well even
+-when some directory options were not specified in terms of `${prefix}'
+-at `configure' time.
+-
+-Optional Features
+-=================
+-
+- If the package supports it, you can cause programs to be installed
+-with an extra prefix or suffix on their names by giving `configure' the
+-option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
+-
+- Some packages pay attention to `--enable-FEATURE' options to
+-`configure', where FEATURE indicates an optional part of the package.
+-They may also pay attention to `--with-PACKAGE' options, where PACKAGE
+-is something like `gnu-as' or `x' (for the X Window System). The
+-`README' should mention any `--enable-' and `--with-' options that the
+-package recognizes.
+-
+- For packages that use the X Window System, `configure' can usually
+-find the X include and library files automatically, but if it doesn't,
+-you can use the `configure' options `--x-includes=DIR' and
+-`--x-libraries=DIR' to specify their locations.
+-
+- Some packages offer the ability to configure how verbose the
+-execution of `make' will be. For these packages, running `./configure
+---enable-silent-rules' sets the default to minimal output, which can be
+-overridden with `make V=1'; while running `./configure
+---disable-silent-rules' sets the default to verbose, which can be
+-overridden with `make V=0'.
+-
+-Particular systems
+-==================
+-
+- On HP-UX, the default C compiler is not ANSI C compatible. If GNU
+-CC is not installed, it is recommended to use the following options in
+-order to use an ANSI C compiler:
+-
+- ./configure CC="cc -Ae -D_XOPEN_SOURCE=500"
+-
+-and if that doesn't work, install pre-built binaries of GCC for HP-UX.
+-
+- HP-UX `make' updates targets which have the same time stamps as
+-their prerequisites, which makes it generally unusable when shipped
+-generated files such as `configure' are involved. Use GNU `make'
+-instead.
+-
+- On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot
+-parse its `<wchar.h>' header file. The option `-nodtk' can be used as
+-a workaround. If GNU CC is not installed, it is therefore recommended
+-to try
+-
+- ./configure CC="cc"
+-
+-and if that doesn't work, try
+-
+- ./configure CC="cc -nodtk"
+-
+- On Solaris, don't put `/usr/ucb' early in your `PATH'. This
+-directory contains several dysfunctional programs; working variants of
+-these programs are available in `/usr/bin'. So, if you need `/usr/ucb'
+-in your `PATH', put it _after_ `/usr/bin'.
+-
+- On Haiku, software installed for all users goes in `/boot/common',
+-not `/usr/local'. It is recommended to use the following options:
+-
+- ./configure --prefix=/boot/common
+-
+-Specifying the System Type
+-==========================
+-
+- There may be some features `configure' cannot figure out
+-automatically, but needs to determine by the type of machine the package
+-will run on. Usually, assuming the package is built to be run on the
+-_same_ architectures, `configure' can figure that out, but if it prints
+-a message saying it cannot guess the machine type, give it the
+-`--build=TYPE' option. TYPE can either be a short name for the system
+-type, such as `sun4', or a canonical name which has the form:
+-
+- CPU-COMPANY-SYSTEM
+-
+-where SYSTEM can have one of these forms:
+-
+- OS
+- KERNEL-OS
+-
+- See the file `config.sub' for the possible values of each field. If
+-`config.sub' isn't included in this package, then this package doesn't
+-need to know the machine type.
+-
+- If you are _building_ compiler tools for cross-compiling, you should
+-use the option `--target=TYPE' to select the type of system they will
+-produce code for.
+-
+- If you want to _use_ a cross compiler, that generates code for a
+-platform different from the build platform, you should specify the
+-"host" platform (i.e., that on which the generated programs will
+-eventually be run) with `--host=TYPE'.
+-
+-Sharing Defaults
+-================
+-
+- If you want to set default values for `configure' scripts to share,
+-you can create a site shell script called `config.site' that gives
+-default values for variables like `CC', `cache_file', and `prefix'.
+-`configure' looks for `PREFIX/share/config.site' if it exists, then
+-`PREFIX/etc/config.site' if it exists. Or, you can set the
+-`CONFIG_SITE' environment variable to the location of the site script.
+-A warning: not all `configure' scripts look for a site script.
+-
+-Defining Variables
+-==================
+-
+- Variables not defined in a site shell script can be set in the
+-environment passed to `configure'. However, some packages may run
+-configure again during the build, and the customized values of these
+-variables may be lost. In order to avoid this problem, you should set
+-them in the `configure' command line, using `VAR=value'. For example:
+-
+- ./configure CC=/usr/local2/bin/gcc
+-
+-causes the specified `gcc' to be used as the C compiler (unless it is
+-overridden in the site shell script).
+-
+-Unfortunately, this technique does not work for `CONFIG_SHELL' due to
+-an Autoconf limitation. Until the limitation is lifted, you can use
+-this workaround:
+-
+- CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash
+-
+-`configure' Invocation
+-======================
+-
+- `configure' recognizes the following options to control how it
+-operates.
+-
+-`--help'
+-`-h'
+- Print a summary of all of the options to `configure', and exit.
+-
+-`--help=short'
+-`--help=recursive'
+- Print a summary of the options unique to this package's
+- `configure', and exit. The `short' variant lists options used
+- only in the top level, while the `recursive' variant lists options
+- also present in any nested packages.
+-
+-`--version'
+-`-V'
+- Print the version of Autoconf used to generate the `configure'
+- script, and exit.
+-
+-`--cache-file=FILE'
+- Enable the cache: use and save the results of the tests in FILE,
+- traditionally `config.cache'. FILE defaults to `/dev/null' to
+- disable caching.
+-
+-`--config-cache'
+-`-C'
+- Alias for `--cache-file=config.cache'.
+-
+-`--quiet'
+-`--silent'
+-`-q'
+- Do not print messages saying which checks are being made. To
+- suppress all normal output, redirect it to `/dev/null' (any error
+- messages will still be shown).
+-
+-`--srcdir=DIR'
+- Look for the package's source code in directory DIR. Usually
+- `configure' can determine that directory automatically.
+-
+-`--prefix=DIR'
+- Use DIR as the installation prefix. *note Installation Names::
+- for more details, including other options available for fine-tuning
+- the installation locations.
+-
+-`--no-create'
+-`-n'
+- Run the configure checks, but stop before creating any output
+- files.
+-
+-`configure' also accepts some other, not widely useful, options. Run
+-`configure --help' for more details.
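Review bot: deleting INSTALL from the tree is only safe if autogen.sh runs `automake --add-missing` (or `autoreconf -i`), which is the step that re-copies the stock file; without it `make dist` fails because Automake treats INSTALL as a required file unless the project uses the `foreign` strictness. The commit message should say so, and should note that the deleted copy is the unmodified FSF template (nothing package-specific appears in the 370 removed lines), so no project documentation is lost. Wording: the subject reads `remove file, at it's autogenerated` and should be `as it's autogenerated`; the body `This patch remove the file` should be `removes`.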
diff --git a/patches/ima-evm-utils-1.0/0002-Makefile.am-rename-INCLUDES-AM_CPPFLAGS.patch b/patches/ima-evm-utils-1.0/0002-Makefile.am-rename-INCLUDES-AM_CPPFLAGS.patch
new file mode 100644
index 000000000..cb09b8d78
--- /dev/null
+++ b/patches/ima-evm-utils-1.0/0002-Makefile.am-rename-INCLUDES-AM_CPPFLAGS.patch
@@ -0,0 +1,40 @@
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Wed, 27 May 2015 10:41:27 +0200
+Subject: [PATCH] Makefile.am: rename INCLUDES -> AM_CPPFLAGS
+
+This patch fixes the following warning during autoreconf:
+
+| src/Makefile.am:19: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS')
+
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+---
+ src/Makefile.am | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index deb18fb09dc7..9f547283d535 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -1,7 +1,7 @@
+ lib_LTLIBRARIES = libimaevm.la
+
+ libimaevm_la_SOURCES = libimaevm.c
+-libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS)
++libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS) $(AM_CPPFLAGS)
+ # current[:revision[:age]]
+ # result: [current-age].age.revision
+ libimaevm_la_LDFLAGS = -version-info 0:0:0
+@@ -12,11 +12,11 @@ include_HEADERS = imaevm.h
+ bin_PROGRAMS = evmctl
+
+ evmctl_SOURCES = evmctl.c
+-evmctl_CPPFLAGS = $(OPENSSL_CFLAGS)
++evmctl_CPPFLAGS = $(OPENSSL_CFLAGS) $(AM_CPPFLAGS)
+ evmctl_LDFLAGS = $(LDFLAGS_READLINE)
+ evmctl_LDADD = $(OPENSSL_LIBS) -lkeyutils libimaevm.la
+
+-INCLUDES = -I$(top_srcdir) -include config.h
++AM_CPPFLAGS = -I$(top_srcdir) -include config.h
+
+ DISTCLEANFILES = @DISTCLEANFILES@
+
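Review bot: the two `$(AM_CPPFLAGS)` appends are required, not cosmetic, and the commit message should say why: Automake's per-target `_CPPFLAGS` replaces `AM_CPPFLAGS` rather than extending it, so without them `-I$(top_srcdir) -include config.h` would be dropped for `libimaevm.la` and `evmctl` and every `HAVE_*` macro from config.h would silently become undefined in both. Recording that in the message keeps a later cleanup from removing the "redundant" appends. Defining `AM_CPPFLAGS` below its first use is fine, since make expands variables lazily.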
diff --git a/patches/ima-evm-utils-1.0/0003-evmctl-find-add-missing-closedir-dir-on-error.patch b/patches/ima-evm-utils-1.0/0003-evmctl-find-add-missing-closedir-dir-on-error.patch
new file mode 100644
index 000000000..77e9f5fc6
--- /dev/null
+++ b/patches/ima-evm-utils-1.0/0003-evmctl-find-add-missing-closedir-dir-on-error.patch
@@ -0,0 +1,31 @@
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Fri, 13 Nov 2015 14:02:42 +0100
+Subject: [PATCH] evmctl: find(): add missing closedir(dir) on error
+
+If a failure in find() happens the directory stream is not closed.
+
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+---
+ src/evmctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/evmctl.c b/src/evmctl.c
+index c20cbfe80ab6..19f5f3bc87b0 100644
+--- a/src/evmctl.c
++++ b/src/evmctl.c
+@@ -1092,6 +1092,7 @@ static int find(const char *path, int dts, find_cb_t func)
+
+ if (fchdir(dirfd(dir))) {
+ log_err("Failed to chdir %s\n", path);
++ closedir(dir);
+ return -1;
+ }
+
+@@ -1107,6 +1108,7 @@ static int find(const char *path, int dts, find_cb_t func)
+
+ if (chdir("..")) {
+ log_err("Failed to chdir: %s\n", path);
++ closedir(dir);
+ return -1;
+ }
+
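Review bot: both additions are correct, and the leak matters more than it looks because find() recurses, so every failing level used to leave a directory fd open. Two points while here: in the second hunk the message `Failed to chdir: %s` prints `path`, but the call that failed is `chdir("..")`, so the log names the wrong directory; and both messages would be far more useful with `strerror(errno)` appended. Note also that after a failed `chdir("..")` the process is left inside `path`; any caller that continues after the -1 operates on the wrong cwd, so the return value must be honoured, not ignored.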
diff --git a/patches/ima-evm-utils-1.0/0004-evmctl-find-add-missing-error-handling-and-propagate.patch b/patches/ima-evm-utils-1.0/0004-evmctl-find-add-missing-error-handling-and-propagate.patch
new file mode 100644
index 000000000..1eee4f1bf
--- /dev/null
+++ b/patches/ima-evm-utils-1.0/0004-evmctl-find-add-missing-error-handling-and-propagate.patch
@@ -0,0 +1,40 @@
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Fri, 13 Nov 2015 14:04:37 +0100
+Subject: [PATCH] evmctl: find(): add missing error handling and propagate
+ error
+
+This patch adds the missing error handling to the while() loop in the find()
+function, so that evmctl properly fails on errors.
+
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+---
+ src/evmctl.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/evmctl.c b/src/evmctl.c
+index 19f5f3bc87b0..6606e4958080 100644
+--- a/src/evmctl.c
++++ b/src/evmctl.c
+@@ -1097,13 +1097,20 @@ static int find(const char *path, int dts, find_cb_t func)
+ }
+
+ while ((de = readdir(dir))) {
++ int err;
++
+ if (!strcmp(de->d_name, "..") || !strcmp(de->d_name, "."))
+ continue;
+ log_debug("path: %s, type: %u\n", de->d_name, de->d_type);
+ if (de->d_type == DT_DIR)
+- find(de->d_name, dts, func);
++ err = find(de->d_name, dts, func);
+ else if (dts & (1 << de->d_type))
+- func(de->d_name);
++ err = func(de->d_name);
++
++ if (err) {
++ closedir(dir);
++ return -1;
++ }
+ }
+
+ if (chdir("..")) {
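Review bot: `int err;` is declared without an initializer and neither branch assigns it when the entry is not a directory and its `d_type` bit is not set in `dts`, which is the common case for file types the caller did not ask for; `if (err)` then reads an indeterminate value, which is undefined behaviour and in practice can abort the walk at random or mask real failures. Declare it as `int err = 0;`. Separately, the error path does `closedir(dir); return -1;` without the `chdir("..")` that the normal path performs, so the caller's cwd is left inside the subdirectory; that is harmless only while every caller aborts on -1, and deserves a comment so nobody later turns the early return into a `continue`. Since the recursion passes the bare `de->d_name`, error messages further down only show a relative component; consider carrying the full path for diagnostics.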
diff --git a/patches/ima-evm-utils-1.0/0005-evmctl-add-support-for-offline-image-preparation.patch b/patches/ima-evm-utils-1.0/0005-evmctl-add-support-for-offline-image-preparation.patch
new file mode 100644
index 000000000..b31e750ff
--- /dev/null
+++ b/patches/ima-evm-utils-1.0/0005-evmctl-add-support-for-offline-image-preparation.patch
@@ -0,0 +1,265 @@
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Mon, 1 Dec 2014 15:23:21 +0100
+Subject: [PATCH] evmctl: add support for offline image preparation
+
+With this patch it's possible to sign a directory hierarchy, so that a
+filesystem image (e.g. an ubifs) can be generated.
+
+Creating the ima and evm signatues for an images with evmctl has to problems:
+1) The inode-numbers of the files are different in the to be created image and
+ in the current filesystem.
+2) The inode generation can be different, too.
+
+These problems are solved in a 4-step process:
+
+1) evmctl generates signatures and writes them to the extended attributed
+ (the usual process so far).
+2) The image, for example an ubifs image, is generted. mkfs.ubifs generates
+ the image (including extended attributes) and stores the used inode number
+ in an extended attribute "user.image-inode-number".
+3) evmct is started again to generate the signatures, this time with the
+ additional paramter "--image". Instead of using an ioctl to get the inode
+ number and generation, the inode is read from the extended attribute
+ "user.image-inode-number", the generation is set to "0".
+4) The image (omitting the exteneded attribute "user.image-inode-number") is
+ generated.
+
+This patch adds the command line parameter "--image" to read the inode number
+from the extended attribute "user.image-inode-number" instead of using an
+ioctl(). The inode generation is set to 0, too.
+
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+---
+ src/evmctl.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++++--------
+ src/imaevm.h | 1 +
+ src/libimaevm.c | 25 ++++++++++++++++++++++++-
+ 3 files changed, 74 insertions(+), 9 deletions(-)
+
+diff --git a/src/evmctl.c b/src/evmctl.c
+index 6606e4958080..d66e6b06ad23 100644
+--- a/src/evmctl.c
++++ b/src/evmctl.c
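Review bot: the description should state two preconditions the code silently relies on: the target filesystem must report `i_generation == 0` for every inode, because the EVM HMAC/signature covers the generation and step 3 hard-codes it, and the `user.image-inode-number` value written in step 2 must be the final inode number, so nothing may create, delete or rename inodes between steps 2 and 4. It should also spell out that `user.*` xattrs are writable by the file owner and carry no integrity protection, so the signing host and the image tool are trusted components of this workflow. Typos: `signatues`, `has to problems` (`two`), `generted`, `evmct`, `paramter`, `exteneded`.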
+@@ -314,6 +314,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
+ char uuid[16];
+ struct h_misc_64 hmac_misc;
+ int hmac_size;
++ ino_t ino;
+
+ if (lstat(file, &st)) {
+ log_err("Failed to stat: %s\n", file);
+@@ -336,9 +337,25 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
+ }
+ close(fd);
+ }
+- log_info("generation: %u\n", generation);
+ }
+
++ if (params.image_mode) {
++ char buf[128] = { };
++
++ err = lgetxattr(file, "user.image-inode-number", buf, sizeof(buf) - 1);
++ if (err < 0) {
++ log_err("image mode: xattr 'user.image-inode-number' not found.\n");
++ return -1;
++ }
++ ino = strtoull(buf, NULL, 10);
++ generation = 0;
++ } else {
++ ino = st.st_ino;
++ }
++
++ log_info("inode-number: %llu\n", (unsigned long long)ino);
++ log_info("generation: %u\n", generation);
++
+ list_size = llistxattr(file, list, sizeof(list));
+ if (list_size < 0) {
+ log_err("llistxattr() failed\n");
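Review bot: `strtoull(buf, NULL, 10)` accepts an empty or non-numeric xattr value and silently yields inode 0, which is then baked into the signature; parse with an end pointer and reject `end == buf || *end != '\0'`. The message `xattr 'user.image-inode-number' not found` is also wrong for the other ways `lgetxattr()` fails (EPERM, ERANGE when the value does not fit in the 127 bytes offered), so log `strerror(errno)` instead of asserting a cause. Minor: the `log_info("generation: ...")` line that was removed above is re-added here unchanged, so the move is fine, but the image-mode value it prints is now a constant 0 rather than something read from the file, which is worth saying in the message so the output is not misread.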
+@@ -384,7 +401,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
+ struct h_misc *hmac = (struct h_misc *)&hmac_misc;
+
+ hmac_size = sizeof(*hmac);
+- hmac->ino = st.st_ino;
++ hmac->ino = ino;
+ hmac->generation = generation;
+ hmac->uid = st.st_uid;
+ hmac->gid = st.st_gid;
+@@ -393,7 +410,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
+ struct h_misc_64 *hmac = (struct h_misc_64 *)&hmac_misc;
+
+ hmac_size = sizeof(*hmac);
+- hmac->ino = st.st_ino;
++ hmac->ino = ino;
+ hmac->generation = generation;
+ hmac->uid = st.st_uid;
+ hmac->gid = st.st_gid;
+@@ -402,7 +419,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
+ struct h_misc_32 *hmac = (struct h_misc_32 *)&hmac_misc;
+
+ hmac_size = sizeof(*hmac);
+- hmac->ino = st.st_ino;
++ hmac->ino = ino;
+ hmac->generation = generation;
+ hmac->uid = st.st_uid;
+ hmac->gid = st.st_gid;
+@@ -855,6 +872,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
+ ssize_t list_size;
+ struct h_misc_64 hmac_misc;
+ int hmac_size;
++ ino_t ino;
+
+ key = file2bin(keyfile, NULL, &keylen);
+ if (!key) {
+@@ -892,10 +910,26 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
+ close(fd);
+ }
+
++ if (params.image_mode) {
++ char buf[128] = { };
++
++ err = lgetxattr(file, "user.image-inode-number", buf, sizeof(buf) - 1);
++ if (err < 0) {
++ log_err("image mode: xattr 'user.image-inode-number' not found.\n");
++ goto out;
++ }
++ ino = strtoull(buf, NULL, 10);
++ generation = 0;
++ } else {
++ ino = st.st_ino;
++ }
++
++ log_info("inode-number: %llu\n", (unsigned long long)ino);
+ log_info("generation: %u\n", generation);
+
+ list_size = llistxattr(file, list, sizeof(list));
+ if (list_size <= 0) {
++ err = -1;
+ log_err("llistxattr() failed: %s\n", file);
+ goto out;
+ }
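Review bot: this block duplicates the one in calc_evm_hash() byte for byte, including the misleading error text and the unchecked `strtoull()`; factor it into one helper such as `static int get_image_ino(const char *file, ino_t *ino)` so the two signing paths cannot drift, and so the two functions stop handling the same failure differently (`goto out` here, bare `return -1` there). The added `err = -1;` before the `llistxattr()` error `goto out` is a real fix in its own right: previously that path jumped to `out` with whatever `err` held from the last successful call, which could report success for a file whose xattrs were never read. That deserves its own sentence in the commit message, or its own patch.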
+@@ -932,7 +966,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
+ struct h_misc *hmac = (struct h_misc *)&hmac_misc;
+
+ hmac_size = sizeof(*hmac);
+- hmac->ino = st.st_ino;
++ hmac->ino = ino;
+ hmac->generation = generation;
+ hmac->uid = st.st_uid;
+ hmac->gid = st.st_gid;
+@@ -941,7 +975,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
+ struct h_misc_64 *hmac = (struct h_misc_64 *)&hmac_misc;
+
+ hmac_size = sizeof(*hmac);
+- hmac->ino = st.st_ino;
++ hmac->ino = ino;
+ hmac->generation = generation;
+ hmac->uid = st.st_uid;
+ hmac->gid = st.st_gid;
+@@ -950,7 +984,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
+ struct h_misc_32 *hmac = (struct h_misc_32 *)&hmac_misc;
+
+ hmac_size = sizeof(*hmac);
+- hmac->ino = st.st_ino;
++ hmac->ino = ino;
+ hmac->generation = generation;
+ hmac->uid = st.st_uid;
+ hmac->gid = st.st_gid;
+@@ -1469,6 +1503,9 @@ static void usage(void)
+ " --smack use extra SMACK xattrs for EVM\n"
+ " --m32 force EVM hmac/signature for 32 bit target system\n"
+ " --m64 force EVM hmac/signature for 64 bit target system\n"
++ " -m, --image image generation mode:\n"
++ " Read inode number from xattr 'user.image-inode-number',\n"
++ " and force inode generation to 0.\n"
+ " -v increase verbosity level\n"
+ " -h, --help display this help and exit\n"
+ "\n");
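Review bot: the help text names the xattr but not the contract around it. It should say that `user.image-inode-number` holds the decimal inode number the image tool assigned, that it is consumed (not written) by evmctl, and that it must be stripped before the final image is built, since a `user.*` xattr is settable by any owner of the file and is not covered by the EVM signature. One line for each of these in the usage string would stop users from signing an image whose inode numbers do not match.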
+@@ -1507,6 +1544,7 @@ static struct option opts[] = {
+ {"recursive", 0, 0, 'r'},
+ {"m32", 0, 0, '3'},
+ {"m64", 0, 0, '6'},
++ {"image", 0, 0, 'm'},
+ {"smack", 0, 0, 256},
+ {"version", 0, 0, 257},
+ {}
+@@ -1555,7 +1593,7 @@ int main(int argc, char *argv[])
+ g_argc = argc;
+
+ while (1) {
+- c = getopt_long(argc, argv, "hvnsda:p::fu::k:t:ri", opts, &lind);
++ c = getopt_long(argc, argv, "hvnsda:p::fu::k:t:rim", opts, &lind);
+ if (c == -1)
+ break;
+
+@@ -1619,6 +1657,9 @@ int main(int argc, char *argv[])
+ case '6':
+ msize = 64;
+ break;
++ case 'm':
++ params.image_mode = true;
++ break;
+ case 256:
+ evm_config_xattrnames = evm_extra_smack_xattrs;
+ break;
+diff --git a/src/imaevm.h b/src/imaevm.h
+index 711596c3f3fa..84632a487074 100644
+--- a/src/imaevm.h
++++ b/src/imaevm.h
+@@ -180,6 +180,7 @@ struct libevm_params {
+ const char *hash_algo;
+ const char *keyfile;
+ const char *keypass;
++ bool image_mode;
+ };
+
+ struct RSA_ASN1_template {
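Review bot: `bool` in a public header requires `<stdbool.h>` to be included before this struct; unless imaevm.h already pulls it in, any consumer that includes imaevm.h without stdbool.h stops compiling. More importantly, `struct libevm_params` lives in an installed header (`include_HEADERS = imaevm.h`) and is the type of the library-global `params` that libimaevm reads, so appending a field changes the struct layout and hence the library ABI; the `-version-info 0:0:0` on `libimaevm_la_LDFLAGS` should be bumped, or the field placed behind the existing members with a note that callers must zero-initialise the struct.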
+diff --git a/src/libimaevm.c b/src/libimaevm.c
+index 575f0535fe07..6b81e7e2d7aa 100644
+--- a/src/libimaevm.c
++++ b/src/libimaevm.c
+@@ -40,6 +40,7 @@
+
+ /* should we use logger instead for library? */
+ #define USE_FPRINTF
++#define _GNU_SOURCE
+
+ #include <sys/types.h>
+ #include <sys/param.h>
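Review bot: `_GNU_SOURCE` (needed for `asprintf()`) only takes effect if it is defined before the first system header is included; it is placed at line 43 here, so this is correct only as long as nothing above it includes a system header, which the hunk does not show. Since the build already force-includes config.h via `-include config.h`, the robust form is `AC_USE_SYSTEM_EXTENSIONS` in configure.ac, which defines `_GNU_SOURCE` in config.h for every translation unit and avoids the ordering hazard entirely.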
+@@ -49,6 +50,7 @@
+ #include <dirent.h>
+ #include <string.h>
+ #include <stdio.h>
++#include <attr/xattr.h>
+
+ #include <openssl/pem.h>
+ #include <openssl/evp.h>
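Review bot: `lgetxattr()` is provided by glibc's `<sys/xattr.h>`; `<attr/xattr.h>` comes from libattr and adds a build dependency that configure.ac does not check for. Use whichever header evmctl.c already uses for its `llistxattr()` call so the two files agree, and prefer `<sys/xattr.h>` if that choice is open.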
+@@ -222,7 +224,28 @@ static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
+ }
+
+ while ((de = readdir(dir))) {
+- ino = de->d_ino;
++ if (params.image_mode) {
++ char *name;
++ char buf[128] = { };
++
++ err = asprintf(&name, "%s/%s", file, de->d_name);
++ if (err == -1) {
++ log_err("failed to allocate mem\n");
++ return err;
++ }
++
++ err = lgetxattr(file, "user.image-inode-number", buf, sizeof(buf) - 1);
++ if (err < 0) {
++ log_err("image mode: xattr 'user.image-inode-number' not found.\n");
++ return -1;
++ }
++ ino = strtoull(buf, NULL, 10);
++
++ free(name);
++ } else {
++ ino = de->d_ino;
++ }
++
+ off = de->d_off;
+ type = de->d_type;
+ log_debug("entry: %s, ino: %llu, type: %u, off: %llu, reclen: %hu\n",
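Review bot: `lgetxattr(file, ...)` queries the directory being hashed, not the entry, so every entry receives the parent directory's inode number and `name` (built by `asprintf` as `file/entry`) is never used; the call must be `lgetxattr(name, ...)`. The error path then does `return -1` without `free(name)`, and both error returns skip `closedir(dir)`, so each failure leaks a string and a directory fd. Since `name` is only needed for the lookup, an `snprintf` into a `PATH_MAX` buffer avoids the allocation and the leak entirely; either way, parse the value with an end-pointer check rather than bare `strtoull()`, which turns an empty or malformed xattr into inode 0, and report `strerror(errno)` rather than assuming `not found`.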
diff --git a/patches/ima-evm-utils-1.0/0006-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch b/patches/ima-evm-utils-1.0/0006-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch
new file mode 100644
index 000000000..734994a31
--- /dev/null
+++ b/patches/ima-evm-utils-1.0/0006-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch
@@ -0,0 +1,30 @@
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Mon, 1 Dec 2014 15:22:19 +0100
+Subject: [PATCH] evmctl: Do not account '.' and '..' for directory hash
+ generation
+
+The '.' and '..' directories are in different order depending on the
+filesystem, so the calculated hash for the directories differ aswell.
+This means an image generated from an ext4 host filesystem won't be
+usable on the target if it uses another order for the special directories.
+Ignore the entries since they do not add to the security anyway.
+
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+---
+ src/libimaevm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/libimaevm.c b/src/libimaevm.c
+index 6b81e7e2d7aa..4eb37e2bf167 100644
+--- a/src/libimaevm.c
++++ b/src/libimaevm.c
+@@ -224,6 +224,9 @@ static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
+ }
+
+ while ((de = readdir(dir))) {
++ if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, ".."))
++ continue;
++
+ if (params.image_mode) {
+ char *name;
+ char buf[128] = { };
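Review bot: skipping `.` and `..` removes one source of host/target divergence but not the others visible in the same loop: `off = de->d_off` is the host filesystem's directory offset, `ino` in non-image mode is the host inode, and the iteration order of the remaining entries is itself filesystem-specific (ext4 htree order versus ubifs), so a directory hash computed on the host still need not match one computed on the target. If this path is to be used for offline images, the durable fix is to hash entries in a canonical order (sorted by name) and to take `off` from the image as well, or to document that directory hashing is not supported in image mode. The commit message's claim that the two entries "do not add to the security anyway" should be qualified: they are skipped because their values are not stable, not because the hash is otherwise portable.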
diff --git a/patches/ima-evm-utils-1.0/0007-HACK-don-t-generate-man-page.patch b/patches/ima-evm-utils-1.0/0007-HACK-don-t-generate-man-page.patch
new file mode 100644
index 000000000..bb44e8d6c
--- /dev/null
+++ b/patches/ima-evm-utils-1.0/0007-HACK-don-t-generate-man-page.patch
@@ -0,0 +1,19 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Wed, 3 Jun 2015 16:08:51 +0200
+Subject: [PATCH] HACK: don't generate man page
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ Makefile.am | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 06ebf59ea4aa..e527f34f1faa 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1,5 +1,4 @@
+ SUBDIRS = src
+-dist_man_MANS = evmctl.1
+
+ doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
+ EXTRA_DIST = autogen.sh $(doc_DATA)
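Review bot: dropping `dist_man_MANS` removes evmctl.1 from both `make install` and `make dist`, so any tarball produced from this tree loses the man page too, not just this build. If the purpose is to avoid the tooling that regenerates the page, an `AM_CONDITIONAL` set from configure.ac (install the page only when the generator or a pre-built `evmctl.1` is present) would make this a real fix rather than a HACK; at minimum the commit message should name the dependency it is working around.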
diff --git a/patches/ima-evm-utils-1.0/autogen.sh b/patches/ima-evm-utils-1.0/autogen.sh
new file mode 120000
index 000000000..9f8a4cb7d
--- /dev/null
+++ b/patches/ima-evm-utils-1.0/autogen.sh
@@ -0,0 +1 @@
+../autogen.sh \ No newline at end of file
diff --git a/patches/ima-evm-utils-1.0/series b/patches/ima-evm-utils-1.0/series
new file mode 100644
index 000000000..d979204ae
--- /dev/null
+++ b/patches/ima-evm-utils-1.0/series
@@ -0,0 +1,10 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-INSTALL-remove-file-at-it-s-autogenerated-by-autotoo.patch
+0002-Makefile.am-rename-INCLUDES-AM_CPPFLAGS.patch
+0003-evmctl-find-add-missing-closedir-dir-on-error.patch
+0004-evmctl-find-add-missing-error-handling-and-propagate.patch
+0005-evmctl-add-support-for-offline-image-preparation.patch
+0006-evmctl-Do-not-account-.-and-.-for-directory-hash-gen.patch
+0007-HACK-don-t-generate-man-page.patch
+# dd0364c455ca5a28b5a5de995af71285 - git-ptx-patches magic