From: Mimi Zohar <zohar@linux.ibm.com>
To: Eric Biggers <ebiggers@kernel.org>
Cc: linux-integrity@vger.kernel.org, Stefan Berger <stefanb@linux.ibm.com>
Subject: Re: [PATCH 1/3] ima: Define asymmetric_verify_v3() to verify IMA sigv3 signatures
Date: Sun, 05 Apr 2026 05:46:11 -0400 [thread overview]
Message-ID: <d57329c163a9e1427206ae1ab60720d7ae7e07d8.camel@linux.ibm.com> (raw)
In-Reply-To: <20260330201336.GE4303@sol>
On Mon, 2026-03-30 at 13:13 -0700, Eric Biggers wrote:
> On Tue, Mar 24, 2026 at 04:39:27PM -0400, Mimi Zohar wrote:
> > + * IMA signature version 3 disambiguates the data that is signed by
> > + * indirectly signing the hash of the ima_file_id structure data.
>
> The right way to think about it is that it's the ima_file_id itself that
> is being signed and verified, and taking the hash of it is only a
> workaround for legacy algorithms that can only sign and verify hashes.
> With modern algorithms like Ed25519 and ML-DSA that accept
> arbitrary-length messages, that workaround won't be needed.
I'll keep that in mind. As previously discussed, the hashes are being
calculated for other purposes, like inclusion in the IMA measurement list and
the audit log. Providing the potentially large, variable sized data so that the
crypto signing/verifying algorithm can recalculate the hash is superfluous.
Your recommendation of signing the ima_file_id works nicely.
thanks!
Mimi
next prev parent reply other threads:[~2026-04-05 9:46 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-24 20:39 [PATCH 0/3] ima: add regular file data hash support for sigv3 Mimi Zohar
2026-03-24 20:39 ` [PATCH 1/3] ima: Define asymmetric_verify_v3() to verify IMA sigv3 signatures Mimi Zohar
2026-03-30 20:13 ` Eric Biggers
2026-04-05 9:46 ` Mimi Zohar [this message]
2026-03-24 20:39 ` [PATCH 2/3] ima: add regular file data hash signature version 3 support Mimi Zohar
2026-03-24 20:39 ` [PATCH 3/3] ima: add support to require IMA sigv3 signatures Mimi Zohar
2026-03-25 0:15 ` [PATCH 0/3] ima: add regular file data hash support for sigv3 Stefan Berger
2026-03-30 20:16 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d57329c163a9e1427206ae1ab60720d7ae7e07d8.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=ebiggers@kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=stefanb@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox