Re: [PATCH] integrity: Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG
From: Mimi Zohar
Date: Wed Mar 25 2026 - 17:15:27 EST
On Wed, 2026-03-25 at 13:37 -0400, Stefan Berger wrote:
>
> On 3/25/26 10:56 AM, Mimi Zohar wrote:
> > On Tue, 2026-03-24 at 20:10 -0400, Stefan Berger wrote:
> > > Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG on RSA, ECDSA,
> > > ECRDSA, and SM2 signatures.
> > >
> > > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> >
> > Thanks, Stefan.
> >
> > IMA makes an exception allowing an EVM signature in lieu of an IMA signature,
> > when there is no IMA signature. If the IMA policy rule requires an IMA sigv3
> > type signature, then EVM should also require a sigv3 type signature.
> > Currently any EVM signature type suffices.
>
> Agreed, though it seems to be a problem that also exists with EVM
> non-portable signature, which should have a check. I cannot create them
> easily in my environment, so I cannot test with them.
>
> Passing the flags from IMA into EVM is easy. What is a bit more
> challenging is the evm_verify_current_integrity code path...
I've queued this patch in next-integrity-testing with the other sigv3 patches,
since enforcing EVM sigv3 should be upstreamed as a separate patch.
thanks,
Mimi