[PATCH] integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE

public inbox for linux-integrity@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG
@ 2026-03-25  0:10 Stefan Berger
  2026-03-25 14:56 ` Mimi Zohar
  0 siblings, 1 reply; 4+ messages in thread
From: Stefan Berger @ 2026-03-25  0:10 UTC (permalink / raw)
  To: linux-integrity
  Cc: linux-kernel, ebiggers, zohar, roberto.sassu, Stefan Berger

Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG on RSA, ECDSA,
ECRDSA, and SM2 signatures.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 security/integrity/digsig_asymmetric.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index 6b21b9bf829e..6e68ec3becbd 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -154,7 +154,8 @@ static int calc_file_id_hash(enum evm_ima_xattr_type type,
 	size_t file_id_size;
 	int rc;
 
-	if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG)
+	if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG &&
+	    type != EVM_XATTR_PORTABLE_DIGSIG)
 		return -EINVAL;
 
 	tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0);

base-commit: 3fa0dea50084da8279fb4b1175b3a9b4fc16f052
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG
  2026-03-25  0:10 [PATCH] integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG Stefan Berger
@ 2026-03-25 14:56 ` Mimi Zohar
  2026-03-25 17:37   ` Stefan Berger
  0 siblings, 1 reply; 4+ messages in thread
From: Mimi Zohar @ 2026-03-25 14:56 UTC (permalink / raw)
  To: Stefan Berger, linux-integrity; +Cc: linux-kernel, ebiggers, roberto.sassu

On Tue, 2026-03-24 at 20:10 -0400, Stefan Berger wrote:
> Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG on RSA, ECDSA,
> ECRDSA, and SM2 signatures.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Thanks, Stefan.

IMA makes an exception allowing an EVM signature in lieu of an IMA signature,
when there is no IMA signature.  If the IMA policy rule requires an IMA sigv3
type signature, then EVM should also require a sigv3 type signature.

Currently any EVM signature type suffices.

Testing results:

#  EVM v2 type signature, with IMA hash (improperly succeeds)
evmctl sign --imahash -o --hashalgo sha256 --key <key> filename-v2

#  EVM v2 type signature, with IMA v2 type signature (fails properly)
evmctl sign --imasig -o --hashalgo sha256 --key f<key> filename-v2-imasig

# EVM v3 type signature, with IMA file hash (succeeds)
evmctl sign --v3 --imahash -o --hashalgo sha256 --key <key> filename-v3

# EVM v3 type signature, with IMA v3 type signature (succeeds) 
evmctl sign --v3 --imasig -o --hashalgo sha256 --key <key> filename-v3-imasig

Mimi


> ---
>  security/integrity/digsig_asymmetric.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
> index 6b21b9bf829e..6e68ec3becbd 100644
> --- a/security/integrity/digsig_asymmetric.c
> +++ b/security/integrity/digsig_asymmetric.c
> @@ -154,7 +154,8 @@ static int calc_file_id_hash(enum evm_ima_xattr_type type,
>  	size_t file_id_size;
>  	int rc;
>  
> -	if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG)
> +	if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG &&
> +	    type != EVM_XATTR_PORTABLE_DIGSIG)
>  		return -EINVAL;
>  
>  	tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0);
> 
> base-commit: 3fa0dea50084da8279fb4b1175b3a9b4fc16f052

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG
  2026-03-25 14:56 ` Mimi Zohar
@ 2026-03-25 17:37   ` Stefan Berger
  2026-03-25 21:07     ` Mimi Zohar
  0 siblings, 1 reply; 4+ messages in thread
From: Stefan Berger @ 2026-03-25 17:37 UTC (permalink / raw)
  To: Mimi Zohar, linux-integrity; +Cc: linux-kernel, ebiggers, roberto.sassu



On 3/25/26 10:56 AM, Mimi Zohar wrote:
> On Tue, 2026-03-24 at 20:10 -0400, Stefan Berger wrote:
>> Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG on RSA, ECDSA,
>> ECRDSA, and SM2 signatures.
>>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> 
> Thanks, Stefan.
> 
> IMA makes an exception allowing an EVM signature in lieu of an IMA signature,
> when there is no IMA signature.  If the IMA policy rule requires an IMA sigv3
> type signature, then EVM should also require a sigv3 type signature.
 > > Currently any EVM signature type suffices.

Agreed, though it seems to be a problem that also exists with EVM 
non-portable signature, which should have a check. I cannot create them 
easily in my environment, so I cannot test with them.

Passing the flags from IMA into EVM is easy. What is a bit more 
challenging is the evm_verify_current_integrity code path...


> 
> Testing results:
> 
> #  EVM v2 type signature, with IMA hash (improperly succeeds)
> evmctl sign --imahash -o --hashalgo sha256 --key <key> filename-v2
> 
> #  EVM v2 type signature, with IMA v2 type signature (fails properly)
> evmctl sign --imasig -o --hashalgo sha256 --key f<key> filename-v2-imasig
> 
> # EVM v3 type signature, with IMA file hash (succeeds)
> evmctl sign --v3 --imahash -o --hashalgo sha256 --key <key> filename-v3
> 
> # EVM v3 type signature, with IMA v3 type signature (succeeds)
> evmctl sign --v3 --imasig -o --hashalgo sha256 --key <key> filename-v3-imasig
> 
> Mimi

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG
  2026-03-25 17:37   ` Stefan Berger
@ 2026-03-25 21:07     ` Mimi Zohar
  0 siblings, 0 replies; 4+ messages in thread
From: Mimi Zohar @ 2026-03-25 21:07 UTC (permalink / raw)
  To: Stefan Berger, linux-integrity; +Cc: linux-kernel, ebiggers, roberto.sassu

On Wed, 2026-03-25 at 13:37 -0400, Stefan Berger wrote:
> 
> On 3/25/26 10:56 AM, Mimi Zohar wrote:
> > On Tue, 2026-03-24 at 20:10 -0400, Stefan Berger wrote:
> > > Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG on RSA, ECDSA,
> > > ECRDSA, and SM2 signatures.
> > > 
> > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > 
> > Thanks, Stefan.
> > 
> > IMA makes an exception allowing an EVM signature in lieu of an IMA signature,
> > when there is no IMA signature.  If the IMA policy rule requires an IMA sigv3
> > type signature, then EVM should also require a sigv3 type signature.
>  > > Currently any EVM signature type suffices.
> 
> Agreed, though it seems to be a problem that also exists with EVM 
> non-portable signature, which should have a check. I cannot create them 
> easily in my environment, so I cannot test with them.
> 
> Passing the flags from IMA into EVM is easy. What is a bit more 
> challenging is the evm_verify_current_integrity code path...

I've queued this patch in next-integrity-testing with the other sigv3 patches,
since enforcing EVM sigv3 should be upstreamed as separate patch.

thanks,

Mimi

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-03-25 21:07 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-25  0:10 [PATCH] integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG Stefan Berger
2026-03-25 14:56 ` Mimi Zohar
2026-03-25 17:37   ` Stefan Berger
2026-03-25 21:07     ` Mimi Zohar

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox