[PATCH] evm: Enforce signatures version 3 with new EVM policy 'bit 3'

Stefan Berger posted 1 patch 1 week, 1 day ago
Posted by Stefan Berger 1 week, 1 day ago
Enable the configuration of EVM so that it requires that asymmetric
signatures it accepts are of version 3 (sigv3). To enable this, introduce
bit 3 (value 0x0008) that the user may write to EVM's securityfs policy
configuration file 'evm' for sigv3 enforcement.

Mention bit 3 in the documentation.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 Documentation/ABI/testing/evm     |  1 +
 security/integrity/evm/evm.h      |  3 ++-
 security/integrity/evm/evm_main.c | 14 ++++++++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/Documentation/ABI/testing/evm b/Documentation/ABI/testing/evm
index 44750a933db4..db3007babb58 100644
--- a/Documentation/ABI/testing/evm
+++ b/Documentation/ABI/testing/evm
@@ -26,6 +26,7 @@ Description:
 		2	  Permit modification of EVM-protected metadata at
 			  runtime. Not supported if HMAC validation and
 			  creation is enabled (deprecated).
+		3	  Require asymmetric signatures to be version 3
 		31	  Disable further runtime modification of EVM policy
 		===	  ==================================================
 
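Review bot: The bit 3 row added to the table states the requirement but not its consequence. It does not say what happens to files whose asymmetric signature is not version 3, nor whether the bit can be cleared again once written. Going by the evm_main.c change in this same patch, such signatures end in INTEGRITY_FAIL. Wording along the lines of "Require asymmetric signatures to be version 3; other versions fail verification" would let an administrator judge the impact before writing the value.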
diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index 51aba5a54275..694552aceaf8 100644
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -20,11 +20,12 @@
 #define EVM_INIT_HMAC	0x0001
 #define EVM_INIT_X509	0x0002
 #define EVM_ALLOW_METADATA_WRITES	0x0004
+#define EVM_SIGV3_REQUIRED		0x0008
 #define EVM_SETUP_COMPLETE 0x80000000 /* userland has signaled key load */
 
 #define EVM_KEY_MASK (EVM_INIT_HMAC | EVM_INIT_X509)
 #define EVM_INIT_MASK (EVM_INIT_HMAC | EVM_INIT_X509 | EVM_SETUP_COMPLETE | \
-		       EVM_ALLOW_METADATA_WRITES)
+		       EVM_ALLOW_METADATA_WRITES | EVM_SIGV3_REQUIRED)
 
 struct xattr_list {
 	struct list_head list;
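Review bot: EVM_SIGV3_REQUIRED is added to EVM_INIT_MASK but not to EVM_KEY_MASK, and the new define carries no comment. Like EVM_ALLOW_METADATA_WRITES it is a policy bit rather than a key-initialization bit, so a short comment saying so would help the next reader of this header. It would also help if the commit message stated the intended behaviour when 0x0008 is written without any EVM_KEY_MASK bit set.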
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index b15d9d933b84..b59e3f121b8a 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -136,6 +136,14 @@ static bool evm_hmac_disabled(void)
 	return true;
 }
 
+static bool evm_sigv3_required(void)
+{
+	if (evm_initialized & EVM_SIGV3_REQUIRED)
+		return true;
+
+	return false;
+}
+
 static int evm_find_protected_xattrs(struct dentry *dentry)
 {
 	struct inode *inode = d_backing_inode(dentry);
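Review bot: Style point on evm_sigv3_required(): the if / return true / return false sequence can be a single statement in a function returning bool, for example `return evm_initialized & EVM_SIGV3_REQUIRED;`, since the conversion to bool normalizes the masked value. If the longer form is kept deliberately to match the helper above it, that is fine.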
@@ -258,6 +266,12 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 		}
 
 		hdr = (struct signature_v2_hdr *)xattr_data;
+
+		if (evm_sigv3_required() && hdr->version != 3) {
+			evm_status = INTEGRITY_FAIL;
+			goto out;
+		}
+
 		digest.hdr.algo = hdr->hash_algo;
 		rc = evm_calc_hash(dentry, xattr_name, xattr_value,
 				   xattr_value_len, xattr_data->type, &digest,
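Review bot: The new check `if (evm_sigv3_required() && hdr->version != 3)` sets INTEGRITY_FAIL and jumps to out without logging or auditing anything at this point, so nothing in this hunk records that the rejection was caused by the signature version rather than by the signature itself. On a system where bit 3 has just been enabled and files still carry older signatures, that makes the failures hard to diagnose; consider a rate-limited message or a distinct audit cause here. The literal 3 would also read better as a named constant, given that hdr is still typed as struct signature_v2_hdr.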

base-commit: e5797456e49041238b131c78e90e5d36a7fc0656
-- 
2.53.0
Re: [PATCH] evm: Enforce signatures version 3 with new EVM policy 'bit 3'
Posted by Mimi Zohar 1 week ago
On Wed, 2026-03-25 at 17:33 -0400, Stefan Berger wrote:
> Enable the configuration of EVM so that it requires that asymmetric
> signatures it accepts are of version 3 (sigv3). To enable this, introduce
> bit 3 (value 0x0008) that the user may write to EVM's securityfs policy
> configuration file 'evm' for sigv3 enforcement.
> 
> Mention bit 3 in the documentation.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Thanks, Stefan.  This patch is now queued in next-integrity-testing with the
other sigv3 patches.

Mimi