diff --git a/0001-ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch b/0001-ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4f82308c5255f4b573d02e796d4b8aefe050c542
--- /dev/null
+++ b/0001-ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch
@@ -0,0 +1,130 @@
+From a5f5dd7c8e128b226dc8dc5c49562e7ec6bb386b Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Date: Wed, 21 Jul 2021 11:16:59 +0800
+Subject: [PATCH] ima-evm-utils: Support SM2/3 algorithm for sign and verify
+
+Keep in sync with the kernel IMA, IMA signature tool supports SM2/3
+algorithm combination. Because in the current version of OpenSSL 1.1.1,
+the SM2 algorithm and the public key using the EC algorithm share the
+same ID 'EVP_PKEY_EC', and the specific algorithm can only be
+distinguished by the curve name used. This patch supports this feature.
+
+Secondly, the openssl 1.1.1 tool does not fully support the signature
+of SM2/3 algorithm combination, so the openssl3 tool is used in the
+test case, and there is no this problem with directly calling the
+openssl 1.1.1 API in evmctl.
+
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+[zohar@linux.ibm.com: "COMPILE_SSL: " -> "COMPILE_SSL=" in .travis.yml
+Reviewed-by: Petr Vorel <pvorel@suse.cz>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+
+[Yilin: drop yaml test files and rebase ima-evm-utils 1.3.2]
+Signed-off-by: Yilin Li <YiLin.Li@linux.alibaba.com>
+---
+ src/libimaevm.c        | 20 ++++++++++++++++++++
+ tests/gen-keys.sh      | 22 ++++++++++++++++++++++
+ tests/ima_hash.test    |  3 +--
+ tests/sign_verify.test |  2 ++
+ 4 files changed, 45 insertions(+), 2 deletions(-)
+diff --git a/src/libimaevm.c b/src/libimaevm.c
+index fa6c278..589dd09 100644
+--- a/src/libimaevm.c
++++ b/src/libimaevm.c
+@@ -518,6 +518,16 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
+ 		return -1;
+ 	}
+ 
++#ifdef EVP_PKEY_SM2
++	/* If EC key are used, check whether it is SM2 key */
++	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
++		EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
++		int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
++		if (curve == NID_sm2)
++			EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
++	}
++#endif
++
+ 	st = "EVP_PKEY_CTX_new";
+ 	if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
+ 		goto err;
+@@ -932,6 +942,16 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
+ 		return -1;
+ 	}
+ 
++#ifdef EVP_PKEY_SM2
++	/* If EC key are used, check whether it is SM2 key */
++	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
++		EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
++		int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
++		if (curve == NID_sm2)
++			EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
++	}
++#endif
++
+ 	calc_keyid_v2(&keyid, name, pkey);
+ 	hdr->keyid = keyid;
+ 
+diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
+index 407876b..d609b54 100755
+--- a/tests/gen-keys.sh
++++ b/tests/gen-keys.sh
+@@ -92,6 +92,28 @@ for m in \
+     fi
+ done
+ 
++# SM2
++for curve in sm2; do
++  if [ "$1" = clean ] || [ "$1" = force ]; then
++    rm -f test-$curve.cer test-$curve.key test-$curve.pub
++  fi
++  if [ "$1" = clean ]; then
++    continue
++  fi
++  if [ ! -e test-$curve.key ]; then
++    log openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 \
++      -sm3 -sigopt "distid:1234567812345678" \
++      -config test-ca.conf \
++      -copy_extensions copyall \
++      -newkey $curve \
++      -out test-$curve.cer -outform DER \
++      -keyout test-$curve.key
++    if [ -s test-$curve.key ]; then
++      log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
++    fi
++  fi
++done
++
+ # This script leaves test-ca.conf, *.cer, *.pub, *.key files for sing/verify tests.
+ # They are never deleted except by `make distclean'.
+ 
+diff --git a/tests/ima_hash.test b/tests/ima_hash.test
+index 8d66e59..46de4c9 100755
+--- a/tests/ima_hash.test
++++ b/tests/ima_hash.test
+@@ -70,8 +70,7 @@ expect_pass check  sha256     0x0404 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649
+ expect_pass check  sha384     0x0405 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b
+ expect_pass check  sha512     0x0406 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
+ expect_pass check  rmd160     0x0403 9c1185a5c5e9fc54612808977ee8f548b2258d31
+-expect_fail check  sm3        0x01
+-expect_fail check  sm3-256    0x01
++expect_pass check  sm3        0x01 1ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035eb5082aa2b
+ _enable_gost_engine
+ expect_pass check  md_gost12_256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
+ expect_pass check  streebog256   0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
+diff --git a/tests/sign_verify.test b/tests/sign_verify.test
+index 288e133..8ee2487 100755
+--- a/tests/sign_verify.test
++++ b/tests/sign_verify.test
+@@ -366,6 +366,8 @@ sign_verify  rsa1024  sha384  0x030205:K:0080
+ sign_verify  rsa1024  sha512  0x030206:K:0080
+ sign_verify  rsa1024  rmd160  0x030203:K:0080
+ 
++sign_verify  sm2        sm3    0x030211:K:004[345678]
++
+ # Test v2 signatures with EC-RDSA
+ _enable_gost_engine
+ sign_verify  gost2012_256-A md_gost12_256 0x030212:K:0040
+-- 
+1.8.3.1
+
diff --git a/ima-evm-utils.spec b/ima-evm-utils.spec
index af59d3bc2137e9ceff7fb103b14b650fd318313d..749c224c5cb686c04c34cdcb603052dc533f39e4 100644
--- a/ima-evm-utils.spec
+++ b/ima-evm-utils.spec
@@ -1,8 +1,9 @@
+%define anolis_release .0.1
 %global compat_soversion 0
 
 Name:    ima-evm-utils
 Version: 1.3.2
-Release: 12%{?dist}
+Release: 12.%{?anolis_release}%{?dist}
 Summary: IMA/EVM support utilities
 License: GPLv2
 Url:     http://linux-ima.sourceforge.net/
@@ -16,6 +17,9 @@ Patch2: covscan-memory-leaks.patch
 Patch3: annocheck-opt-flag.patch
 Patch4: libimaevm-keydesc-import.patch
 
+# upstream patches
+Patch10001: 0001-ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch 
+
 BuildRequires: asciidoc
 BuildRequires: autoconf
 BuildRequires: automake
@@ -54,6 +58,9 @@ This package provides the libimaevm.so.%{compat_soversion} relative to %{name}-1
 %prep
 %setup -q
 %patch0 -p1
+# Upstream patch
+%patch10001 -p1
+
 mkdir compat/
 tar -zxf %{SOURCE10} --strip-components=1 -C compat/
 cd compat/
@@ -104,6 +111,10 @@ popd
 %{_libdir}/libimaevm.so.%{compat_soversion}.0.0
 
 %changelog
+* Sun Jul 11 2021 Yilin Li <YiLin.Li@linux.alibaba.com> - 1.3.2-12.0.1
+- Support SM2 algorithm for sign and verify
+- Use upstream SM2 patch to replace anolis patch
+
 * Thu Feb 18 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-12
 - Add compat subpackage for keeping the API stability in userspace