Re: [PATCH v4 7/8] ima: support fs-verity file digest based version 3 signatures

From: Mimi Zohar
Date: Thu Feb 10 2022 - 19:20:52 EST

Next message: Pierre-Louis Bossart: "Re: [PATCH 3/9] ASoC: Intel: bytcr_wm5102: use GFP_KERNEL"
Previous message: Yury Norov: "[PATCH 40/49] firmware: pcsi: replace cpumask_weight with cpumask_weight_eq"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 2022-02-07 at 20:41 -0500, Mimi Zohar wrote:
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 28aca1f9633b..576cbe790e27 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1728,10 +1728,13 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> break;
> case Opt_digest_type:
> ima_log_string(ab, "digest_type", args[0].from);
> - if ((strcmp(args[0].from, "verity")) == 0)
> + if ((strcmp(args[0].from, "verity")) == 0) {
> entry->flags |= IMA_VERITY_REQUIRED;
> - else
> + if (entry->action == APPRAISE)
> + entry->flags |= IMA_DIGSIG_REQUIRED;

Instead of overloading the "digest_type=verity" to require a signature,
extend the existing "appraise_type" to support signature v3 (e.g.
appraise_type=sigv3). This will simplify IMA signature v3 support in
the future.

> + } else {
> result = -EINVAL;
> + }
> break;
> case Opt_appraise_type:
> ima_log_string(ab, "appraise_type", args[0].from);
>

--
thanks,

Mimi

Next message: Pierre-Louis Bossart: "Re: [PATCH 3/9] ASoC: Intel: bytcr_wm5102: use GFP_KERNEL"
Previous message: Yury Norov: "[PATCH 40/49] firmware: pcsi: replace cpumask_weight with cpumask_weight_eq"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]