From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, roberto.sassu@huawei.com,
Stefan Berger <stefanb@linux.ibm.com>
Subject: [ima-evm-utils: PATCH 4/8] Support v3 IMA and EVM file signatures with --v3 option.
Date: Tue, 24 Mar 2026 18:03:10 -0400
Message-ID: <20260324220314.743709-5-stefanb@linux.ibm.com>
In-Reply-To: <20260324220314.743709-1-stefanb@linux.ibm.com>
Enable both IMA and EVM file signatures with a new --v3 option that sets
the previously introduced global variable that states which signature
version to use.
Similarly, introduce a --v2 option for users to (already) choose the old V2
type of signatures.
Update the README with the dump of the evmctl help screen and mention the
v3 signature format that is expected for Linux 7.1.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
README | 6 ++++--
src/evmctl.c | 10 ++++++++++
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/README b/README
index 815b555..34dfddf 100644
--- a/README
+++ b/README
@@ -84,6 +84,8 @@ OPTIONS
--provider p preload OpenSSL provider (such as: pkcs11)
--ignore-violations ignore ToMToU measurement violations
--hmackey path to symmetric key (default: /etc/keys/evm-key-plain)
+ --v2 create V2 signatures; this is the default
+ --v3 create V3 signatures; this requires Linux 7.1 or later
-v increase verbosity level
-h, --help display this help and exit
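Review bot: The two new lines describe --v2 and --v3 as independent flags but say nothing about what happens when both are passed, and --v3 is described only in terms of a kernel version. Consider adding "--v2 and --v3 are mutually exclusive" (or "the last one given wins") and a pointer to the "Key and signature formats" section so a reader can find out what a V3 signature covers.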
@@ -139,7 +141,7 @@ evmctl '--smack' options enables that.
Key and signature formats
-------------------------
-Linux integrity subsystem supports two type of signature and respectively two
+Linux integrity subsystem supports three types of signature and respectively two
key formats.
First key format (v1) is pure RSA key encoded in PEM a format and uses own signature
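Review bot: The changed sentence now reads "three types of signature and respectively two key formats", but "respectively" pairs items one-to-one and no longer works once there are three signature types and two key formats. Suggest "three signature formats (v1, v2 and v3) and two key formats" and then explain which key format each signature format uses.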
@@ -149,7 +151,7 @@ for signing and importing the key.
Second key format uses X509 DER encoded public key certificates and uses asymmetric key support
in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).
-For v2 signatures x509 certificate (containing the public key) could be appended to the
+For v2 and v3 signatures x509 certificate (containing the public key) could be appended to the
private key (they both are in PEM format) to automatically extract keyid from its Subject
Key Identifier (SKID).
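Review bot: This hunk extends the x509-append note to v3 but the README never says what a v3 signature is or how it differs from v2; the only v3 information is the help-screen line "requires Linux 7.1 or later". Since the commit message says the README is updated to mention the v3 format, a short paragraph in this section describing what v3 signs and why a newer kernel is needed would make the option usable without reading the source.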
diff --git a/src/evmctl.c b/src/evmctl.c
index aab5af9..2843ff8 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -3017,6 +3017,8 @@ static void usage(void)
#ifdef DEBUG
" --hmackey path to symmetric key (default: /etc/keys/evm-key-plain)\n"
#endif
+ " --v2 create V2 signatures; this is the default\n"
+ " --v3 create V3 signatures; this requires Linux 7.1 or later\n"
" -v increase verbosity level\n"
" -h, --help display this help and exit\n"
"\n"
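Review bot: Style point: the new --v2/--v3 usage lines are placed right after the #ifdef DEBUG block for --hmackey, which is fine, but keep them aligned with the column used by the surrounding option descriptions in the usage string so the rendered help stays tabular; the README hunk above should use the same wording so the two do not drift apart.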
@@ -3092,6 +3094,8 @@ static struct option opts[] = {
#if CONFIG_IMA_EVM_PROVIDER
{"provider", 1, 0, 149},
#endif
+ {"v2", 0, 0, 150},
+ {"v3", 0, 0, 151},
{}
};
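Review bot: The new entries follow the existing convention of numeric has_arg/flag fields and sequential values (150, 151 after provider = 149), so this is consistent; a comment on the next free value would help the next option author, since the values are also used as case labels in main().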
@@ -3370,6 +3374,12 @@ int main(int argc, char *argv[])
access_info.type = IMAEVM_OSSL_ACCESS_TYPE_PROVIDER;
break;
#endif
+ case 150: /* --v2 */
+ g_signature_version = SIGNATURE_V2;
+ break;
+ case 151: /* --v3 */
+ g_signature_version = SIGNATURE_V3;
+ break;
case '?':
exit(1);
break;
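Review bot: Logic: case 150 and case 151 each overwrite g_signature_version unconditionally, so "evmctl --v3 --v2 ..." silently produces V2 signatures and vice versa; either reject the combination with an error or document that the last option wins. Also, nothing here checks that --v3 is only meaningful for signing commands, so passing it to a verify or hash command is accepted without a diagnostic; a warning in the command handlers that do not consult g_signature_version would avoid surprising users.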
--
2.53.0