[ima-evm-utils: PATCH 2/8] Implement support for IMA signatures V3 signing scheme

public inbox for linux-integrity@vger.kernel.org
 help / color / mirror / Atom feed

From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, roberto.sassu@huawei.com,
	Stefan Berger <stefanb@linux.ibm.com>
Subject: [ima-evm-utils: PATCH 2/8] Implement support for IMA signatures V3 signing scheme
Date: Tue, 24 Mar 2026 18:03:08 -0400	[thread overview]
Message-ID: <20260324220314.743709-3-stefanb@linux.ibm.com> (raw)
In-Reply-To: <20260324220314.743709-1-stefanb@linux.ibm.com>

Add support for creating IMA signatures with the V3 signing scheme.
Introduce a global variable that states which signing scheme to
use and for now set it to SIGNATURE_V2. Implement the SIGNATURE_V3
case where necessary for IMA.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 src/evmctl.c | 87 ++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 67 insertions(+), 20 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 7c940fa..8b44ee0 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -123,6 +123,13 @@ static bool hwtpm;
 static char *g_hash_algo = DEFAULT_HASH_ALGO;
 static char *g_keypass;
 
+enum signature_version {
+	SIGNATURE_V2 = 2,
+	SIGNATURE_V3,
+};
+
+static enum signature_version g_signature_version = SIGNATURE_V2;
+
 #define HMAC_FLAG_NO_UUID	0x0001
 #define HMAC_FLAG_CAPS_SET	0x0002
 
@@ -652,6 +659,7 @@ static int sign_ima(const char *file, char *hash_algo, const char *key)
 {
 	unsigned char hash[MAX_DIGEST_SIZE];
 	unsigned char sig[MAX_SIGNATURE_SIZE];
+	unsigned char *psig;
 	size_t len;
 	int err;
 
@@ -661,16 +669,35 @@ static int sign_ima(const char *file, char *hash_algo, const char *key)
 	len = (size_t)err;
 	assert(len <= sizeof(hash));
 
-	err = imaevm_signhash(hash_algo, hash, len, key, g_keypass,
-			      sig + 1, sigflags, &access_info, imaevm_keyid);
-	if (err <= 1)
-		return err;
-	len = (size_t)err;
-	assert(len < sizeof(sig));
-
-	/* add header */
-	len++;
-	sig[0] = EVM_IMA_XATTR_DIGSIG;
+	switch (g_signature_version) {
+	case SIGNATURE_V3:
+		psig = sig;
+		err = imaevm_create_sigv3(hash_algo, hash, len, key, g_keypass,
+					  &psig, sizeof(sig), sigflags,
+					  EVM_IMA_XATTR_DIGSIG, &access_info,
+					  imaevm_keyid);
+		if (err <= 1)
+			return err;
+		len = (size_t)err;
+		assert(len <= sizeof(sig));
+		break;
+	case SIGNATURE_V2:
+		err = imaevm_signhash(hash_algo, hash, len, key, g_keypass,
+				      sig + 1, sigflags, &access_info,
+				      imaevm_keyid);
+		if (err <= 1)
+			return err;
+		len = (size_t)err;
+		assert(len < sizeof(sig));
+		/* add header */
+		len++;
+		sig[0] = EVM_IMA_XATTR_DIGSIG;
+		break;
+	default:
+		log_err("Internal error: Unsupported signature version: %d\n",
+			g_signature_version);
+		return -1;
+	}
 
 	if (sigdump || imaevm_params.verbose >= LOG_INFO)
 		imaevm_hexdump(sig, len);
@@ -791,6 +818,7 @@ static int cmd_sign_hash(struct command *cmd)
 	size_t hashlen = 0;
 	int siglen;
 	char *line = NULL, *token, *hashp;
+	unsigned char *psig;
 	size_t line_len = 0;
 	const char *key;
 	char algo[7];	/* Current maximum fsverity hash algo name length */
@@ -863,20 +891,39 @@ static int cmd_sign_hash(struct command *cmd)
 			assert(hashlen / 2 <= sizeof(hash));
 			hex2bin(hash, line, hashlen / 2);
 
-			siglen = imaevm_signhash(g_hash_algo, hash,
-						 hashlen / 2, key, g_keypass,
-						 sig + 1, sigflags,
-						 &access_info, imaevm_keyid);
-			sig[0] = EVM_IMA_XATTR_DIGSIG;
+			switch (g_signature_version) {
+			case SIGNATURE_V3:
+				psig = sig;
+				siglen = imaevm_create_sigv3(g_hash_algo, hash,
+							     hashlen / 2, key, g_keypass,
+							     &psig, sizeof(sig), sigflags,
+							     EVM_IMA_XATTR_DIGSIG,
+							     &access_info, imaevm_keyid);
+				if (siglen <= 1)
+					return siglen;
+				assert(siglen <= (int)sizeof(sig));
+				break;
+			case SIGNATURE_V2:
+				siglen = imaevm_signhash(g_hash_algo, hash,
+							 hashlen / 2, key, g_keypass,
+							 sig + 1, sigflags,
+							 &access_info, imaevm_keyid);
+				if (siglen <= 1)
+					return siglen;
+				assert(siglen < (int)sizeof(sig));
+				siglen++;
+				sig[0] = EVM_IMA_XATTR_DIGSIG;
+				break;
+			default:
+				log_err("Internal error: Unsupported signature version: %d\n",
+					g_signature_version);
+				return -1;
+			}
 		}
 
-		if (siglen <= 1)
-			return siglen;
-		assert(siglen < (int)sizeof(sig));
-
 		fwrite(line, len, 1, stdout);
 		fprintf(stdout, " ");
-		bin2hex(sig, siglen + 1, stdout);
+		bin2hex(sig, siglen, stdout);
 		fprintf(stdout, "\n");
 	}
 
-- 
2.53.0

next prev parent reply	other threads:[~2026-03-24 22:03 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-24 22:03 [ima-evm-utils: PATCH 0/8] Add sigv3 support for IMA and EVM and all key types Stefan Berger
2026-03-24 22:03 ` [ima-evm-utils: PATCH 1/8] Implement imaevm_create_sigv3 for creating V3 signatures Stefan Berger
2026-03-24 22:03 ` Stefan Berger [this message]
2026-03-24 22:03 ` [ima-evm-utils: PATCH 3/8] Implement support for EVM signatures V3 signing scheme Stefan Berger
2026-03-24 22:03 ` [ima-evm-utils: PATCH 4/8] Support v3 IMA and EVM file signatures with --v3 option Stefan Berger
2026-03-24 22:03 ` [ima-evm-utils: PATCH 5/8] Use imaevm_create_sigv3 for fsverity signature creation Stefan Berger
2026-03-24 22:03 ` [ima-evm-utils: PATCH 6/8] tests: Add new --v3 option to sign_verify tests Stefan Berger
2026-03-24 22:03 ` [ima-evm-utils: PATCH 7/8] Allow verification of EVM_XATTR_PORTABLE_DIGSIG with sigv3 Stefan Berger
2026-03-24 22:03 ` [ima-evm-utils: PATCH 8/8] Allow hashing for sigv3 on EVM_XATTR_PORTABLE_DIGSIG Stefan Berger

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:7c940fa dfblob:8b44ee0 )
 OR (
bs:"[ima-evm-utils: PATCH 2/8] Implement support for IMA signatures V3 signing scheme" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260324220314.743709-3-stefanb@linux.ibm.com \
    --to=stefanb@linux.ibm.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=roberto.sassu@huawei.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox