From: Mimi Zohar <zohar@linux.ibm.com>
To: Stefan Berger <stefanb@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, ebiggers@kernel.org,
roberto.sassu@huawei.com
Subject: Re: [PATCH] integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG
Date: Wed, 25 Mar 2026 10:56:00 -0400 [thread overview]
Message-ID: <3f9e7aa4e22ebaf38735a74b1912cf4601535791.camel@linux.ibm.com> (raw)
In-Reply-To: <20260325001051.754093-1-stefanb@linux.ibm.com>
On Tue, 2026-03-24 at 20:10 -0400, Stefan Berger wrote:
> Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG on RSA, ECDSA,
> ECRDSA, and SM2 signatures.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Thanks, Stefan.
IMA makes an exception allowing an EVM signature in lieu of an IMA signature,
when there is no IMA signature. If the IMA policy rule requires an IMA sigv3
type signature, then EVM should also require a sigv3 type signature.
Currently any EVM signature type suffices.
Testing results:
# EVM v2 type signature, with IMA hash (improperly succeeds)
evmctl sign --imahash -o --hashalgo sha256 --key <key> filename-v2
# EVM v2 type signature, with IMA v2 type signature (fails properly)
evmctl sign --imasig -o --hashalgo sha256 --key f<key> filename-v2-imasig
# EVM v3 type signature, with IMA file hash (succeeds)
evmctl sign --v3 --imahash -o --hashalgo sha256 --key <key> filename-v3
# EVM v3 type signature, with IMA v3 type signature (succeeds)
evmctl sign --v3 --imasig -o --hashalgo sha256 --key <key> filename-v3-imasig
Mimi
> ---
> security/integrity/digsig_asymmetric.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
> index 6b21b9bf829e..6e68ec3becbd 100644
> --- a/security/integrity/digsig_asymmetric.c
> +++ b/security/integrity/digsig_asymmetric.c
> @@ -154,7 +154,8 @@ static int calc_file_id_hash(enum evm_ima_xattr_type type,
> size_t file_id_size;
> int rc;
>
> - if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG)
> + if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG &&
> + type != EVM_XATTR_PORTABLE_DIGSIG)
> return -EINVAL;
>
> tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0);
>
> base-commit: 3fa0dea50084da8279fb4b1175b3a9b4fc16f052
next prev parent reply other threads:[~2026-03-25 14:56 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-25 0:10 [PATCH] integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG Stefan Berger
2026-03-25 14:56 ` Mimi Zohar [this message]
2026-03-25 17:37 ` Stefan Berger
2026-03-25 21:07 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3f9e7aa4e22ebaf38735a74b1912cf4601535791.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=ebiggers@kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
--cc=stefanb@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox