Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG on RSA, ECDSA,
ECRDSA, and SM2 signatures.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
security/integrity/digsig_asymmetric.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index 6b21b9bf829e..6e68ec3becbd 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -154,7 +154,8 @@ static int calc_file_id_hash(enum evm_ima_xattr_type type,
size_t file_id_size;
int rc;
- if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG)
+ if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG &&
+ type != EVM_XATTR_PORTABLE_DIGSIG)
return -EINVAL;
tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0);
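Review bot: widening the -EINVAL guard in calc_file_id_hash() to accept EVM_XATTR_PORTABLE_DIGSIG is the only change in this hunk, while the commit message promises sigv3 verification across RSA, ECDSA, ECRDSA and SM2; please say in the message why the xattr type check is the only gate that needs relaxing (no algorithm-specific handling is touched here), and make clear that this does not make an EVM signature accepted in lieu of an IMA signature satisfy an IMA rule's sigv3 requirement, which the discussion below agrees needs a separate patch.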
base-commit: 3fa0dea50084da8279fb4b1175b3a9b4fc16f052
--
2.53.0
On Tue, 2026-03-24 at 20:10 -0400, Stefan Berger wrote:
> Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG on RSA, ECDSA,
> ECRDSA, and SM2 signatures.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Thanks, Stefan.

IMA makes an exception allowing an EVM signature in lieu of an IMA signature,
when there is no IMA signature. If the IMA policy rule requires an IMA sigv3
type signature, then EVM should also require a sigv3 type signature.

Currently any EVM signature type suffices.

Testing results:

# EVM v2 type signature, with IMA hash (improperly succeeds)
evmctl sign --imahash -o --hashalgo sha256 --key <key> filename-v2

# EVM v2 type signature, with IMA v2 type signature (fails properly)
evmctl sign --imasig -o --hashalgo sha256 --key f<key> filename-v2-imasig

# EVM v3 type signature, with IMA file hash (succeeds)
evmctl sign --v3 --imahash -o --hashalgo sha256 --key <key> filename-v3

# EVM v3 type signature, with IMA v3 type signature (succeeds)
evmctl sign --v3 --imasig -o --hashalgo sha256 --key <key> filename-v3-imasig

Mimi

> ---
> security/integrity/digsig_asymmetric.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
> index 6b21b9bf829e..6e68ec3becbd 100644
> --- a/security/integrity/digsig_asymmetric.c
> +++ b/security/integrity/digsig_asymmetric.c
> @@ -154,7 +154,8 @@ static int calc_file_id_hash(enum evm_ima_xattr_type type,
> size_t file_id_size;
> int rc;
>
> - if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG)
> + if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG &&
> + type != EVM_XATTR_PORTABLE_DIGSIG)
> return -EINVAL;
>
> tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0);
>
> base-commit: 3fa0dea50084da8279fb4b1175b3a9b4fc16f052
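An added model of the appraisal decision described in the reply above; this is illustration code, not kernel code or anything from the patch, and every name in it (the enums, struct file_xattrs, appraise_current, appraise_proposed) is a hypothetical stand-in for the real IMA/EVM internals. It runs the four signing combinations from the test results with a rule that requires sigv3 through both the described current behaviour and the proposed one.

```c
/* Added illustration, not kernel code: hypothetical model of IMA accepting an
 * EVM signature in lieu of an IMA signature, before and after a sigv3 check. */
#include <stdbool.h>
#include <stdio.h>

enum ima_xattr { IMA_NONE, IMA_HASH, IMA_SIG };   /* content of security.ima */
enum evm_xattr { EVM_NONE, EVM_SIG };             /* content of security.evm */

struct file_xattrs {
	enum ima_xattr ima;
	int ima_sig_version;   /* 2 or 3; meaningful only when ima == IMA_SIG */
	enum evm_xattr evm;
	int evm_sig_version;   /* 2 or 3; meaningful only when evm == EVM_SIG */
};

/* Behaviour described as current: with no IMA signature, any EVM signature
 * type is accepted in lieu of it, regardless of the rule's sigv3 requirement. */
static bool appraise_current(const struct file_xattrs *f, bool rule_requires_sigv3)
{
	if (f->ima == IMA_SIG)
		return !rule_requires_sigv3 || f->ima_sig_version == 3;
	return f->evm == EVM_SIG;
}

/* Behaviour the reply asks for: the EVM signature standing in for the IMA
 * signature must itself meet the rule's sigv3 requirement. */
static bool appraise_proposed(const struct file_xattrs *f, bool rule_requires_sigv3)
{
	if (f->ima == IMA_SIG)
		return !rule_requires_sigv3 || f->ima_sig_version == 3;
	if (f->evm != EVM_SIG)
		return false;
	return !rule_requires_sigv3 || f->evm_sig_version == 3;
}

int main(void)
{
	/* The four signing combinations from the test results above. */
	const struct file_xattrs cases[] = {
		{ IMA_HASH, 0, EVM_SIG, 2 },   /* filename-v2 */
		{ IMA_SIG,  2, EVM_SIG, 2 },   /* filename-v2-imasig */
		{ IMA_HASH, 0, EVM_SIG, 3 },   /* filename-v3 */
		{ IMA_SIG,  3, EVM_SIG, 3 },   /* filename-v3-imasig */
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("case %zu: current=%s proposed=%s\n", i + 1,
		       appraise_current(&cases[i], true) ? "pass" : "fail",
		       appraise_proposed(&cases[i], true) ? "pass" : "fail");
	return 0;
}
```

Only the first case differs between the two functions: an EVM v2 signature with an IMA hash passes the current logic and is rejected once the sigv3 requirement is carried over to EVM.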
On 3/25/26 10:56 AM, Mimi Zohar wrote:
> On Tue, 2026-03-24 at 20:10 -0400, Stefan Berger wrote:
>> Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG on RSA, ECDSA,
>> ECRDSA, and SM2 signatures.
>>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>
> Thanks, Stefan.
>
> IMA makes an exception allowing an EVM signature in lieu of an IMA signature,
> when there is no IMA signature. If the IMA policy rule requires an IMA sigv3
> type signature, then EVM should also require a sigv3 type signature.
>
> Currently any EVM signature type suffices.

Agreed, though it seems to be a problem that also exists with EVM
non-portable signature, which should have a check. I cannot create them
easily in my environment, so I cannot test with them.

Passing the flags from IMA into EVM is easy. What is a bit more
challenging is the evm_verify_current_integrity code path...

>
> Testing results:
>
> # EVM v2 type signature, with IMA hash (improperly succeeds)
> evmctl sign --imahash -o --hashalgo sha256 --key <key> filename-v2
>
> # EVM v2 type signature, with IMA v2 type signature (fails properly)
> evmctl sign --imasig -o --hashalgo sha256 --key f<key> filename-v2-imasig
>
> # EVM v3 type signature, with IMA file hash (succeeds)
> evmctl sign --v3 --imahash -o --hashalgo sha256 --key <key> filename-v3
>
> # EVM v3 type signature, with IMA v3 type signature (succeeds)
> evmctl sign --v3 --imasig -o --hashalgo sha256 --key <key> filename-v3-imasig
>
> Mimi
On Wed, 2026-03-25 at 13:37 -0400, Stefan Berger wrote:
>
> On 3/25/26 10:56 AM, Mimi Zohar wrote:
> > On Tue, 2026-03-24 at 20:10 -0400, Stefan Berger wrote:
> > > Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG on RSA, ECDSA,
> > > ECRDSA, and SM2 signatures.
> > >
> > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> >
> > Thanks, Stefan.
> >
> > IMA makes an exception allowing an EVM signature in lieu of an IMA signature,
> > when there is no IMA signature. If the IMA policy rule requires an IMA sigv3
> > type signature, then EVM should also require a sigv3 type signature.
> >
> > Currently any EVM signature type suffices.
>
> Agreed, though it seems to be a problem that also exists with EVM
> non-portable signature, which should have a check. I cannot create them
> easily in my environment, so I cannot test with them.
>
> Passing the flags from IMA into EVM is easy. What is a bit more
> challenging is the evm_verify_current_integrity code path...

I've queued this patch in next-integrity-testing with the other sigv3
patches, since enforcing EVM sigv3 should be upstreamed as a separate patch.

thanks,

Mimi