Re: [PATCH 1/3] ima: Define asymmetric_verify_v3() to verify IMA sigv3 signatures

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Eric Biggers <ebiggers@kernel.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org, Stefan Berger <stefanb@linux.ibm.com>
Subject: Re: [PATCH 1/3] ima: Define asymmetric_verify_v3() to verify IMA sigv3 signatures
Date: Mon, 30 Mar 2026 13:13:36 -0700	[thread overview]
Message-ID: <20260330201336.GE4303@sol> (raw)
In-Reply-To: <20260324203929.2475782-2-zohar@linux.ibm.com>

On Tue, Mar 24, 2026 at 04:39:27PM -0400, Mimi Zohar wrote:
> + * IMA signature version 3 disambiguates the data that is signed by
> + * indirectly signing the hash of the ima_file_id structure data.

The right way to think about it is that it's the ima_file_id itself that
is being signed and verified, and taking the hash of it is only a
workaround for legacy algorithms that can only sign and verify hashes.
With modern algorithms like Ed25519 and ML-DSA that accept
arbitrary-length messages, that workaround won't be needed.

- Eric

next prev parent reply	other threads:[~2026-03-30 20:14 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-24 20:39 [PATCH 0/3] ima: add regular file data hash support for sigv3 Mimi Zohar
2026-03-24 20:39 ` [PATCH 1/3] ima: Define asymmetric_verify_v3() to verify IMA sigv3 signatures Mimi Zohar
2026-03-30 20:13   ` Eric Biggers [this message]
2026-04-05  9:46     ` Mimi Zohar
2026-03-24 20:39 ` [PATCH 2/3] ima: add regular file data hash signature version 3 support Mimi Zohar
2026-03-24 20:39 ` [PATCH 3/3] ima: add support to require IMA sigv3 signatures Mimi Zohar
2026-03-25  0:15 ` [PATCH 0/3] ima: add regular file data hash support for sigv3 Stefan Berger
2026-03-30 20:16 ` Eric Biggers
2026-04-27 12:57 ` Kamlesh Kumar
2026-04-27 13:30   ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260330201336.GE4303@sol \
    --to=ebiggers@kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=stefanb@linux.ibm.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.