Commit 64c658f3 authored by Mimi Zohar

ima: add regular file data hash signature version 3 support



Instead of directly verifying the signature of a file data hash,
signature v3 verifies the signature of the ima_file_id structure
containing the file data hash.

To disambiguate the signature usage, the ima_file_id structure also
includes the hash algorithm and the type of data (e.g. regular file
hash or fs-verity root hash).

Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Acked-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
parent dccfbafb
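To make the v2/v3 difference described in the commit message concrete, here is an added example (not kernel code, and not from this commit) that builds the packed ima_file_id structure and hashes it the way calc_file_id_hash does. The field order (hash_type, hash_algorithm, hash[]) and the enum values for EVM_IMA_XATTR_DIGSIG, IMA_VERITY_DIGSIG and HASH_ALGO_SHA256 are assumed from the kernel's integrity headers and should be checked against ima.h and hash_info.h; the sample file content is constructed.

```python
import hashlib

# Assumed enum values (enum evm_ima_xattr_type / enum hash_algo); verify
# against the kernel headers before relying on them.
EVM_IMA_XATTR_DIGSIG = 3   # signature over a regular file data hash
IMA_VERITY_DIGSIG = 6      # signature over an fs-verity root hash
HASH_ALGO_SHA256 = 4
HASH_ALGO_NAME = {HASH_ALGO_SHA256: "sha256"}


def calc_file_id_hash(xattr_type: int, algo: int, digest: bytes) -> bytes:
    """Hash the packed ima_file_id {hash_type, hash_algorithm, hash[]}.

    Mirrors the kernel helper: only the two xattr types that carry a file
    digest are accepted, and the file_id is hashed with the same algorithm
    that produced the embedded digest.
    """
    if xattr_type not in (IMA_VERITY_DIGSIG, EVM_IMA_XATTR_DIGSIG):
        raise ValueError("-EINVAL: xattr type does not carry a file_id")
    name = HASH_ALGO_NAME[algo]
    if len(digest) != hashlib.new(name).digest_size:
        raise ValueError("-EINVAL: digest length does not match algorithm")
    file_id = bytes([xattr_type, algo]) + digest   # __packed, no padding
    return hashlib.new(name, file_id).digest()


def version_accepted(version: int) -> bool:
    """The gate from xattr_verify after this commit: versions above 3 fail."""
    return not version > 3


def signed_digest(version: int, xattr_type: int, algo: int, digest: bytes) -> bytes:
    """Return the bytes a signature of the given version actually covers."""
    if version == 2:
        return digest                       # v2: raw file data hash
    if version == 3:
        return calc_file_id_hash(xattr_type, algo, digest)
    raise ValueError("invalid-signature-version")


if __name__ == "__main__":
    data = b"constructed regular file contents"
    d = hashlib.sha256(data).digest()
    reg = signed_digest(3, EVM_IMA_XATTR_DIGSIG, HASH_ALGO_SHA256, d)
    ver = signed_digest(3, IMA_VERITY_DIGSIG, HASH_ALGO_SHA256, d)
    # Same digest, different type byte: the v3 signed values differ, so a
    # signature issued for one usage cannot be presented as the other.
    print("regular:", reg.hex())
    print("verity: ", ver.hex())
```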
+1 −1
@@ -154,7 +154,7 @@ static int calc_file_id_hash(enum evm_ima_xattr_type type,
	size_t file_id_size;
	int rc;

	if (type != IMA_VERITY_DIGSIG)
	if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG)
		return -EINVAL;

	tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0);
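Review bot: the widened check `if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG)` now admits a second xattr type, but nothing in the hunk records why exactly these two are the only valid inputs for a file_id hash; a one-line comment above the check (regular file data hash or fs-verity root hash, both carried inside ima_file_id) would make that explicit. Since this -EINVAL return is the only guard against a caller passing an unrelated type, the accepted set should also be kept in step with wherever the type byte is written into the ima_file_id.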
+1 −1
@@ -297,7 +297,7 @@ static int xattr_verify(enum ima_hooks func, struct ima_iint_cache *iint,
		}

		sig = (typeof(sig))xattr_value;
		if (sig->version >= 3) {
		if (sig->version > 3) {
			*cause = "invalid-signature-version";
			*status = INTEGRITY_FAIL;
			break;
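Review bot: relaxing `if (sig->version >= 3)` to `if (sig->version > 3)` lets version 3 pass this gate for every signature reaching it, including the EVM_IMA_XATTR_DIGSIG regular-file case, yet the hunk shows no corresponding v3 handling after the `break;`. Please confirm the code that follows computes the ima_file_id hash when `sig->version == 3` before the signature is verified, and consider a short comment at the check (e.g. `/* v3: signature covers the hash of struct ima_file_id */`) so the bound is not raised again later without the verify path being adjusted.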