From 7d3a39f16dd04c0124bbef36c866ae32dcf7dfa9 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Mon, 15 Jun 2026 13:28:54 -0500 Subject: [PATCH 1/3] tests: kernel: Display evmctl error messages Capture evmctl error message in err variable and display it if needed. Signed-off-by: Stefan Berger --- tests/kernel/functions_kernel.sh | 2 +- tests/kernel/mmap_check.test | 5 ++-- tests/kernel/portable_signatures.test | 39 ++++++++++++++++++++------- 3 files changed, 34 insertions(+), 12 deletions(-) diff --git a/tests/kernel/functions_kernel.sh b/tests/kernel/functions_kernel.sh index 856ab2d5..b1d30397 100755 --- a/tests/kernel/functions_kernel.sh +++ b/tests/kernel/functions_kernel.sh @@ -68,7 +68,7 @@ check_load_ima_rule() { fi echo "$new_rule" > "$new_policy" - if ! evmctl sign -o -a sha256 --imasig --key "$key_path" "$new_policy" &> /dev/null; then + if ! err=$(evmctl sign -o -a sha256 --imasig --key "$key_path" "$new_policy" 2>&1); then echo "${RED}Failed to sign IMA policy${NORM}" return "$FAIL" fi diff --git a/tests/kernel/mmap_check.test b/tests/kernel/mmap_check.test index b6c875d7..36fe4d32 100755 --- a/tests/kernel/mmap_check.test +++ b/tests/kernel/mmap_check.test @@ -142,7 +142,7 @@ check_mmap() { check_deny() { local hook="$1" local arg="$2" - local test_file fowner rule result + local test_file fowner rule result err echo -e "\nTest: ${FUNCNAME[0]} (hook=\"$hook\", test_mmap arg: \"$arg\")" @@ -156,8 +156,9 @@ check_deny() { return "$FAIL" fi - if ! evmctl ima_sign -a sha256 --key "$g_key_path" "$test_file" &> /dev/null; then + if ! err=$(evmctl ima_sign -a sha256 --key "$g_key_path" "$test_file" 2>&1); then echo "${RED}Cannot sign $test_file${NORM}" + echo "${RED}${err}${NORM}" return "$HARDFAIL" fi diff --git a/tests/kernel/portable_signatures.test b/tests/kernel/portable_signatures.test index d907d5ac..eff84625 100755 --- a/tests/kernel/portable_signatures.test +++ b/tests/kernel/portable_signatures.test 
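Review bot: In `check_load_ima_rule` (tests/kernel/functions_kernel.sh) the new `err=$(... 2>&1)` assignment captures evmctl's output but the hunk never prints it, unlike every other call site in this patch, so a failed policy signing still reports only "Failed to sign IMA policy". The function's `local` declarations are outside this hunk, but where they are visible in patch 2/3 `err` is not among them, so the assignment writes to a global or, through bash's dynamic scoping, to a caller's `local err`. I would add `local err` to the function and `echo "${RED}${err}${NORM}"` after the failure message in this patch; patch 2/3 adds the echo later, which leaves this commit inconsistent on its own when bisecting.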
@@ -72,6 +72,7 @@ METADATA_CHANGE_FOWNER_2=3002 # current behavior (IMA signatures still satisfy the imasig requirement). check_ima_sig_appraisal() { local result + local err echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" @@ -85,8 +86,9 @@ check_ima_sig_appraisal() { return "$FAIL" fi - if ! evmctl ima_sign -a sha256 --key "$g_key_path" test-file &> /dev/null; then + if ! err=$(evmctl ima_sign -a sha256 --key "$g_key_path" test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" + echo "${RED}${err}${NORM}" return "$FAIL" fi @@ -130,6 +132,7 @@ check_ima_sig_ima_measurement_list() { local result local ima_sig_fs local ima_sig_list + local err echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" @@ -138,8 +141,9 @@ check_ima_sig_ima_measurement_list() { return "$FAIL" fi - if ! evmctl ima_sign -a sha256 --imasig --key "$g_key_path" test-file &> /dev/null; then + if ! err=$(evmctl ima_sign -a sha256 --imasig --key "$g_key_path" test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" + echo "${RED}${err}${NORM}" return "$FAIL" fi @@ -220,6 +224,8 @@ cleanup_create_file() { # metadata to copied one by one, even if the portable signature verification # temporarily fails until the copy is completed. check_cp_preserve_xattrs() { + local err + echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" if [ "$evm_value" -ne "$EVM_INIT_X509" ]; then @@ -232,8 +238,9 @@ check_cp_preserve_xattrs() { return "$FAIL" fi - if ! evmctl sign -o -a sha256 --imahash --key "$g_key_path" test-file &> /dev/null; then + if ! err=$(evmctl sign -o -a sha256 --imahash --key "$g_key_path" test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" + echo "${RED}${err}${NORM}" return "$FAIL" fi 
@@ -262,6 +269,8 @@ cleanup_cp_preserve_xattrs() { # incrementally test the patches without 'evm: Allow setxattr() and setattr() # for unmodified metadata'. check_tar_extract_xattrs_different_owner() { + local err + echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" if [ "$evm_value" -ne "$EVM_INIT_X509" ]; then @@ -289,8 +298,9 @@ check_tar_extract_xattrs_different_owner() { return "$FAIL" fi - if ! evmctl sign -o -a sha256 --imahash --key "$g_key_path" in/test-file &> /dev/null; then + if ! err=$(evmctl sign -o -a sha256 --imahash --key "$g_key_path" in/test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" + echo "${RED}${err}${NORM}" return "$FAIL" fi @@ -330,6 +340,8 @@ cleanup_tar_extract_xattrs_different_owner() { # the same owner as the current one. Thus, this test requires 'evm: Allow # setxattr() and setattr() for unmodified metadata'. check_tar_extract_xattrs_same_owner() { + local err + echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" if [ "$evm_value" -ne "$EVM_INIT_X509" ]; then @@ -347,8 +359,9 @@ check_tar_extract_xattrs_same_owner() { return "$FAIL" fi - if ! evmctl sign -o -a sha256 --imahash --key "$g_key_path" in/test-file &> /dev/null; then + if ! err=$(evmctl sign -o -a sha256 --imahash --key "$g_key_path" in/test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" + echo "${RED}${err}${NORM}" return "$FAIL" fi @@ -393,6 +406,7 @@ check_metadata_change() { local label local last_char local msg + local err echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" @@ -421,8 +435,9 @@ check_metadata_change() { return "$FAIL" fi - if ! evmctl sign -o -a sha256 --imahash --key "$g_key_path" test-file &> /dev/null; then + if ! err=$(evmctl sign -o -a sha256 --imahash --key "$g_key_path" test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" + echo "${RED}${err}${NORM}" return "$FAIL" fi 
@@ -560,6 +575,7 @@ check_evm_revalidate() { local label local last_char local msg + local err echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" @@ -581,8 +597,9 @@ check_evm_revalidate() { # We need to defer setting the correct owner, as there could be # already an IMA policy rule preventing evmctl from reading the # file to calculate the digest. - if ! evmctl sign -o -a sha256 --imahash --uid "$APPRAISE_FOWNER" --key "$g_key_path" test-file &> /dev/null; then + if ! err=$(evmctl sign -o -a sha256 --imahash --uid "$APPRAISE_FOWNER" --key "$g_key_path" test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" + echo "${RED}${err}${NORM}" return "$FAIL" fi @@ -767,6 +784,7 @@ check_evm_portable_sig_ima_appraisal() { local xattr local mode local owner + local err echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" @@ -788,8 +806,9 @@ check_evm_portable_sig_ima_appraisal() { # We need to defer setting the correct owner, as there could be # already an IMA policy rule preventing evmctl from reading the # file to calculate the digest. - if ! evmctl sign -o -a sha256 --imahash --uid "$APPRAISE_DIGSIG_FOWNER" --key "$g_key_path" test-file &> /dev/null; then + if ! err=$(evmctl sign -o -a sha256 --imahash --uid "$APPRAISE_DIGSIG_FOWNER" --key "$g_key_path" test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" + echo "${RED}${err}${NORM}" return "$FAIL" fi @@ -887,6 +906,7 @@ check_evm_portable_sig_ima_measurement_list() { local result local evm_sig_fs local evm_sig_list + local err echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" @@ -900,8 +920,9 @@ check_evm_portable_sig_ima_measurement_list() { return "$FAIL" fi - if ! evmctl sign -o -a sha256 --imahash --key "$g_key_path" test-file &> /dev/null; then + if ! err=$(evmctl sign -o -a sha256 --imahash --key "$g_key_path" test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" + echo "${RED}${err}${NORM}" return "$FAIL" fi From e38d23e7dfdd5f373d934ca7e17306e2998f2c29 Mon Sep 17 00:00:00 2001 
From: Stefan Berger Date: Mon, 15 Jun 2026 15:33:40 -0500 Subject: [PATCH 2/3] tests: kernel: Pass --v3 to evmctl when ML-DSA keys are used for signing Pass --v3 to evmctl when ML-DSA keys are used for signing. Signed-off-by: Stefan Berger --- tests/kernel/functions_kernel.sh | 15 +++++- tests/kernel/mmap_check.test | 6 ++- tests/kernel/portable_signatures.test | 78 +++++++++++++-------------- 3 files changed, 54 insertions(+), 45 deletions(-) diff --git a/tests/kernel/functions_kernel.sh b/tests/kernel/functions_kernel.sh index b1d30397..520a632e 100755 --- a/tests/kernel/functions_kernel.sh +++ b/tests/kernel/functions_kernel.sh @@ -32,11 +32,21 @@ get_xattr() { print v}' } +# Determine whether the given key requires --v3 to be passed to evmctl +keyalgo_opt_v3() { + local key_path=$1 + + if openssl pkey -in "$key_path" -noout -text | grep -q ML-DSA; then + echo "--v3" + fi +} + check_load_ima_rule() { local result new_policy color local new_rule="$1" local key_path="$2" local mountpoint="$3" + local opt_v3 echo -e "$new_rule\n$(cat /sys/kernel/security/ima/policy)" | ima_policy_check.awk result=$? @@ -68,8 +78,11 @@ check_load_ima_rule() { fi echo "$new_rule" > "$new_policy" - if ! err=$(evmctl sign -o -a sha256 --imasig --key "$key_path" "$new_policy" 2>&1); then + opt_v3=$(keyalgo_opt_v3 "$key_path") + if ! err=$(evmctl sign -o -a sha256 --imasig \ + --key "$key_path" "$new_policy" ${opt_v3:+${opt_v3}} 2>&1); then echo "${RED}Failed to sign IMA policy${NORM}" + echo "${RED}${err}${NORM}" return "$FAIL" fi diff --git a/tests/kernel/mmap_check.test b/tests/kernel/mmap_check.test index 36fe4d32..8094f1e6 100755 --- a/tests/kernel/mmap_check.test +++ b/tests/kernel/mmap_check.test @@ -142,7 +142,7 @@ check_mmap() { check_deny() { local hook="$1" local arg="$2" - local test_file fowner rule result err + local test_file fowner rule result err opt_v3 echo -e "\nTest: ${FUNCNAME[0]} (hook=\"$hook\", test_mmap arg: \"$arg\")" 
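Review bot: `keyalgo_opt_v3` cannot tell "not an ML-DSA key" from "openssl could not read the key": in both cases the pipeline is false, nothing is printed, and the caller signs without `--v3`. openssl's stderr is also not redirected, so its diagnostics land in the test output, and `-text` on a private key writes the private components into the pipe just to match the algorithm name. I would check the parse separately and return non-zero on failure, as below; callers that want to act on it would need to test the status of the `opt_v3=$(...)` assignment. Since every caller passes the same `$g_key_path`, the result could also be computed once per script.

```shell
# Determine whether the given key requires --v3 to be passed to evmctl.
# Prints "--v3" for ML-DSA keys and nothing for other keys; returns
# non-zero when the key cannot be parsed at all.
keyalgo_opt_v3() {
	local key_path=$1

	# Separate "unreadable key" from "not ML-DSA" so a broken key is
	# reported here instead of surfacing later as a signing failure.
	if ! openssl pkey -in "$key_path" -noout > /dev/null 2>&1; then
		echo "${RED}Cannot parse key $key_path${NORM}" >&2
		return 1
	fi

	if openssl pkey -in "$key_path" -noout -text 2> /dev/null | grep -q ML-DSA; then
		echo "--v3"
	fi
}
```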
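Review bot: In `check_load_ima_rule` the optional flag is appended after the file operand (`"$new_policy" ${opt_v3:+${opt_v3}}`), while every other call site in this patch puts it before the file; it works only if evmctl's option parser permutes arguments, which is not visible here. `${opt_v3:+${opt_v3}}` is also just an unquoted `$opt_v3`; the form that drops the word when empty and stays quoted otherwise is `${opt_v3:+"$opt_v3"}`. I would write `--key "$key_path" ${opt_v3:+"$opt_v3"} "$new_policy" 2>&1); then` here and use the same expansion at the other call sites in mmap_check.test and portable_signatures.test.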
@@ -156,7 +156,9 @@ check_deny() { return "$FAIL" fi - if ! err=$(evmctl ima_sign -a sha256 --key "$g_key_path" "$test_file" 2>&1); then + opt_v3=$(keyalgo_opt_v3 "$g_key_path") + if ! err=$(evmctl ima_sign -a sha256 \ + --key "$g_key_path" ${opt_v3:+${opt_v3}} "$test_file" 2>&1); then echo "${RED}Cannot sign $test_file${NORM}" echo "${RED}${err}${NORM}" return "$HARDFAIL" diff --git a/tests/kernel/portable_signatures.test b/tests/kernel/portable_signatures.test index eff84625..1c55788d 100755 --- a/tests/kernel/portable_signatures.test +++ b/tests/kernel/portable_signatures.test @@ -71,8 +71,7 @@ METADATA_CHANGE_FOWNER_2=3002 # requirement to be satisfied by EVM portable signatures' didn't break the # current behavior (IMA signatures still satisfy the imasig requirement). check_ima_sig_appraisal() { - local result - local err + local result err opt_v3 echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" @@ -86,7 +85,9 @@ check_ima_sig_appraisal() { return "$FAIL" fi - if ! err=$(evmctl ima_sign -a sha256 --key "$g_key_path" test-file 2>&1); then + opt_v3=$(keyalgo_opt_v3 "$g_key_path") + if ! err=$(evmctl ima_sign -a sha256 \ + --key "$g_key_path" ${opt_v3:+${opt_v3}} test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" echo "${RED}${err}${NORM}" return "$FAIL" @@ -129,10 +130,7 @@ cleanup_ima_sig_appraisal() { # field evmsig and write to field sig as fallback' still allows IMA signatures # to be displayed in the measurement list. check_ima_sig_ima_measurement_list() { - local result - local ima_sig_fs - local ima_sig_list - local err + local result ima_sig_fs ima_sig_list err opt_v3 echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" 
@@ -141,7 +139,9 @@ check_ima_sig_ima_measurement_list() { return "$FAIL" fi - if ! err=$(evmctl ima_sign -a sha256 --imasig --key "$g_key_path" test-file 2>&1); then + opt_v3=$(keyalgo_opt_v3 "$g_key_path") + if ! err=$(evmctl ima_sign -a sha256 --imasig \ + --key "$g_key_path" ${opt_v3:+${opt_v3}} test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" echo "${RED}${err}${NORM}" return "$FAIL" @@ -224,7 +224,7 @@ cleanup_create_file() { # metadata to copied one by one, even if the portable signature verification # temporarily fails until the copy is completed. check_cp_preserve_xattrs() { - local err + local err opt_v3 echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" @@ -238,7 +238,9 @@ check_cp_preserve_xattrs() { return "$FAIL" fi - if ! err=$(evmctl sign -o -a sha256 --imahash --key "$g_key_path" test-file 2>&1); then + opt_v3=$(keyalgo_opt_v3 "$g_key_path") + if ! err=$(evmctl sign -o -a sha256 --imahash \ + --key "$g_key_path" ${opt_v3:+${opt_v3}} test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" echo "${RED}${err}${NORM}" return "$FAIL" @@ -269,7 +271,7 @@ cleanup_cp_preserve_xattrs() { # incrementally test the patches without 'evm: Allow setxattr() and setattr() # for unmodified metadata'. check_tar_extract_xattrs_different_owner() { - local err + local err opt_v3 echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" @@ -298,7 +300,9 @@ check_tar_extract_xattrs_different_owner() { return "$FAIL" fi - if ! err=$(evmctl sign -o -a sha256 --imahash --key "$g_key_path" in/test-file 2>&1); then + opt_v3=$(keyalgo_opt_v3 "$g_key_path") + if ! err=$(evmctl sign -o -a sha256 --imahash \ + --key "$g_key_path" ${opt_v3:+${opt_v3}} in/test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" echo "${RED}${err}${NORM}" return "$FAIL" 
@@ -340,7 +344,7 @@ cleanup_tar_extract_xattrs_different_owner() { # the same owner as the current one. Thus, this test requires 'evm: Allow # setxattr() and setattr() for unmodified metadata'. check_tar_extract_xattrs_same_owner() { - local err + local err opt_v3 echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" @@ -359,7 +363,9 @@ check_tar_extract_xattrs_same_owner() { return "$FAIL" fi - if ! err=$(evmctl sign -o -a sha256 --imahash --key "$g_key_path" in/test-file 2>&1); then + opt_v3=$(keyalgo_opt_v3 "$g_key_path") + if ! err=$(evmctl sign -o -a sha256 --imahash \ + --key "$g_key_path" ${opt_v3:+${opt_v3}} in/test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" echo "${RED}${err}${NORM}" return "$FAIL" @@ -402,11 +408,7 @@ cleanup_tar_extract_xattrs_same_owner() { # commands to set the same or different metadata. Setting the same metadata # should be allowed, setting different metadata should be denied. check_metadata_change() { - local ima_xattr - local label - local last_char - local msg - local err + local ima_xattr label last_char msg err opt_v3 echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" @@ -435,7 +437,9 @@ check_metadata_change() { return "$FAIL" fi - if ! err=$(evmctl sign -o -a sha256 --imahash --key "$g_key_path" test-file 2>&1); then + opt_v3=$(keyalgo_opt_v3 "$g_key_path") + if ! err=$(evmctl sign -o -a sha256 --imahash \ + --key "$g_key_path" ${opt_v3:+${opt_v3}} test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" echo "${RED}${err}${NORM}" return "$FAIL" @@ -567,15 +571,7 @@ cleanup_metadata_change() { # verifies that IMA grants access again to the file after restoring the correct # metadata. check_evm_revalidate() { - local result - local ima_xattr - local ima_xattr_new - local evm_xattr - local evm_xattr_new - local label - local last_char - local msg - local err + local result ima_xattr ima_xattr_new evm_xattr evm_xattr_new label last_char msg err opt_v3 echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" 
@@ -597,7 +593,9 @@ check_evm_revalidate() { # We need to defer setting the correct owner, as there could be # already an IMA policy rule preventing evmctl from reading the # file to calculate the digest. - if ! err=$(evmctl sign -o -a sha256 --imahash --uid "$APPRAISE_FOWNER" --key "$g_key_path" test-file 2>&1); then + opt_v3=$(keyalgo_opt_v3 "$g_key_path") + if ! err=$(evmctl sign -o -a sha256 --imahash --uid "$APPRAISE_FOWNER" \ + --key "$g_key_path" ${opt_v3:+${opt_v3}} test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" echo "${RED}${err}${NORM}" return "$FAIL" @@ -779,12 +777,7 @@ cleanup_evm_revalidate() { # written to new files after adding the signature and files can be accessed # when the imasig requirement is specified in the IMA policy. check_evm_portable_sig_ima_appraisal() { - local result - local xattr_orig - local xattr - local mode - local owner - local err + local result xattr_orig xattr mode owner err opt_v3 echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" @@ -806,7 +799,9 @@ check_evm_portable_sig_ima_appraisal() { # We need to defer setting the correct owner, as there could be # already an IMA policy rule preventing evmctl from reading the # file to calculate the digest. - if ! err=$(evmctl sign -o -a sha256 --imahash --uid "$APPRAISE_DIGSIG_FOWNER" --key "$g_key_path" test-file 2>&1); then + opt_v3=$(keyalgo_opt_v3 "$g_key_path") + if ! err=$(evmctl sign -o -a sha256 --imahash --uid "$APPRAISE_DIGSIG_FOWNER" \ + --key "$g_key_path" ${opt_v3:+${opt_v3}} test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" echo "${RED}${err}${NORM}" return "$FAIL" 
@@ -903,10 +898,7 @@ cleanup_evm_portable_sig_ima_appraisal() { # The purpose of this test is to verify that the EVM portable signature is # displayed in the measurement list. check_evm_portable_sig_ima_measurement_list() { - local result - local evm_sig_fs - local evm_sig_list - local err + local result evm_sig_fs evm_sig_list err opt_v3 echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)" @@ -920,7 +912,9 @@ check_evm_portable_sig_ima_measurement_list() { return "$FAIL" fi - if ! err=$(evmctl sign -o -a sha256 --imahash --key "$g_key_path" test-file 2>&1); then + opt_v3=$(keyalgo_opt_v3 "$g_key_path") + if ! err=$(evmctl sign -o -a sha256 --imahash \ + --key "$g_key_path" ${opt_v3:+${opt_v3}} test-file 2>&1); then echo "${RED}Cannot sign test-file${NORM}" echo "${RED}${err}${NORM}" return "$FAIL" From 0aa3d6c9deb51ffa6e609ea6137e5d5d7821a1bb Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Mon, 15 Jun 2026 16:20:23 -0500 Subject: [PATCH 3/3] tests: kernel: Increase ext4 block size to not run out of space Increase the ext4 block size to 8kb to not run out of space when trying to write ML-DSA signatures. Signed-off-by: Stefan Berger --- tests/kernel/creds_check.test | 2 +- tests/kernel/mmap_check.test | 2 +- tests/kernel/non_action_rule_flags.test | 2 +- tests/kernel/portable_signatures.test | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/kernel/creds_check.test b/tests/kernel/creds_check.test index d757c8ab..8caeaf60 100755 --- a/tests/kernel/creds_check.test +++ b/tests/kernel/creds_check.test @@ -173,7 +173,7 @@ fi [ "$VERBOSE" -ge 2 ] && echo "INFO: loop device for $g_image is $g_dev" [ "$VERBOSE" -ge 1 ] && echo "INFO: formatting $g_dev with ext4 and UUID $IMA_UUID" -if ! mkfs.ext4 -U "$IMA_UUID" -b 4096 "$g_dev" &> /dev/null; then +if ! mkfs.ext4 -U "$IMA_UUID" -b 8192 "$g_dev" &> /dev/null; then echo "${RED}Cannot format $g_dev${NORM}" exit "$FAIL" fi 
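Review bot: `-b 8192` is larger than the 4 KiB page size of common x86 test machines, and ext4 has historically refused to mount a filesystem whose block size exceeds the page size, so on such kernels this change may turn every test in the file into a setup failure; the same applies to the identical hunks in mmap_check.test, non_action_rule_flags.test and portable_signatures.test. The mount step is outside the hunk, so this needs confirming against the kernels under test. Because the command still ends in `&> /dev/null`, any warning or refusal from mkfs.ext4 is invisible; capturing it as patch 1/3 does for evmctl would help: `if ! err=$(mkfs.ext4 -U "$IMA_UUID" -b 8192 "$g_dev" 2>&1); then` followed by `echo "${RED}${err}${NORM}"`. If the limit being hit is the size of an extended attribute rather than free space (the commit message does not say which), the `ea_inode` filesystem feature may be an alternative that keeps the 4096-byte block size.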
diff --git a/tests/kernel/mmap_check.test b/tests/kernel/mmap_check.test index 8094f1e6..ca92e429 100755 --- a/tests/kernel/mmap_check.test +++ b/tests/kernel/mmap_check.test @@ -291,7 +291,7 @@ if [ -z "$g_dev" ]; then exit "$FAIL" fi -if ! mkfs.ext4 -U "$IMA_UUID" -b 4096 "$g_dev" &> /dev/null; then +if ! mkfs.ext4 -U "$IMA_UUID" -b 8192 "$g_dev" &> /dev/null; then echo "${RED}Cannot format $g_dev${NORM}" exit "$FAIL" fi diff --git a/tests/kernel/non_action_rule_flags.test b/tests/kernel/non_action_rule_flags.test index b393a377..6b779bf6 100755 --- a/tests/kernel/non_action_rule_flags.test +++ b/tests/kernel/non_action_rule_flags.test @@ -157,7 +157,7 @@ fi [ "$VERBOSE" -ge 2 ] && echo "INFO: loop device for $g_image is $g_dev" [ "$VERBOSE" -ge 1 ] && echo "INFO: formatting $g_dev with ext4 and UUID $IMA_UUID" -if ! mkfs.ext4 -U "$IMA_UUID" -b 4096 "$g_dev" &> /dev/null; then +if ! mkfs.ext4 -U "$IMA_UUID" -b 8192 "$g_dev" &> /dev/null; then echo "${RED}Cannot format $g_dev${NORM}" exit "$FAIL" fi diff --git a/tests/kernel/portable_signatures.test b/tests/kernel/portable_signatures.test index 1c55788d..5a6c1b0f 100755 --- a/tests/kernel/portable_signatures.test +++ b/tests/kernel/portable_signatures.test @@ -1020,7 +1020,7 @@ if [ -z "$g_dev" ]; then exit "$FAIL" fi -if ! mkfs.ext4 -U "$IMA_UUID" -b 4096 "$g_dev" &> /dev/null; then +if ! mkfs.ext4 -U "$IMA_UUID" -b 8192 "$g_dev" &> /dev/null; then echo "${RED}Cannot format $g_dev${NORM}" exit "$FAIL" fi