From: Stefan Berger <stefanb@linux.ibm.com>
To: Mimi Zohar <zohar@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, ebiggers@kernel.org,
roberto.sassu@huawei.com
Subject: Re: [PATCH] integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG
Date: Wed, 25 Mar 2026 13:37:33 -0400 [thread overview]
Message-ID: <6849d94f-6295-486d-aec2-0f2942539b33@linux.ibm.com> (raw)
In-Reply-To: <3f9e7aa4e22ebaf38735a74b1912cf4601535791.camel@linux.ibm.com>
On 3/25/26 10:56 AM, Mimi Zohar wrote:
> On Tue, 2026-03-24 at 20:10 -0400, Stefan Berger wrote:
>> Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG on RSA, ECDSA,
>> ECRDSA, and SM2 signatures.
>>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>
> Thanks, Stefan.
>
> IMA makes an exception allowing an EVM signature in lieu of an IMA signature,
> when there is no IMA signature. If the IMA policy rule requires an IMA sigv3
> type signature, then EVM should also require a sigv3 type signature.
> > Currently any EVM signature type suffices.
Agreed, though it seems to be a problem that also exists with EVM
non-portable signature, which should have a check. I cannot create them
easily in my environment, so I cannot test with them.
Passing the flags from IMA into EVM is easy. What is a bit more
challenging is the evm_verify_current_integrity code path...
>
> Testing results:
>
> # EVM v2 type signature, with IMA hash (improperly succeeds)
> evmctl sign --imahash -o --hashalgo sha256 --key <key> filename-v2
>
> # EVM v2 type signature, with IMA v2 type signature (fails properly)
> evmctl sign --imasig -o --hashalgo sha256 --key f<key> filename-v2-imasig
>
> # EVM v3 type signature, with IMA file hash (succeeds)
> evmctl sign --v3 --imahash -o --hashalgo sha256 --key <key> filename-v3
>
> # EVM v3 type signature, with IMA v3 type signature (succeeds)
> evmctl sign --v3 --imasig -o --hashalgo sha256 --key <key> filename-v3-imasig
>
> Mimi
next prev parent reply other threads:[~2026-03-25 17:37 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-25 0:10 [PATCH] integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG Stefan Berger
2026-03-25 14:56 ` Mimi Zohar
2026-03-25 17:37 ` Stefan Berger [this message]
2026-03-25 21:07 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6849d94f-6295-486d-aec2-0f2942539b33@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=ebiggers@kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox