Thread (17 messages, 2 authors, 2020-09-02)

Re: [PATCH 01/11] evm: Execute evm_inode_init_security() only when the HMAC key is loaded

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2020-09-02 13:53:36
Also in: linux-security-module, lkml, stable

On Wed, 2020-09-02 at 11:42 +0000, Roberto Sassu wrote:
> > From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> > Sent: Monday, August 24, 2020 7:45 PM
> >
> > Hi Roberto,
> >
> > On Fri, 2020-08-21 at 14:30 -0400, Mimi Zohar wrote:
> > > Sorry for the delay in reviewing these patches.  Missing from this
> > > patch set is a cover letter with an explanation for grouping these
> > > patches into a patch set, other than for convenience.  In this case, it
> > > would be along the lines that the original use case for EVM portable
> > > and immutable keys support was for a few critical files, not combined
> > > with an EVM encrypted key type.  This patch set more fully integrates
> > > the initial EVM portable and immutable signature support.
> >
> > Thank you for more fully integrating the EVM portable signatures into
> > IMA.
> >
> > "[PATCH 08/11] ima: Allow imasig requirement to be satisfied by EVM
> > portable signatures" equates an IMA signature to having a portable and
> > immutable EVM signature.  That is true in terms of signature
> > verification, but from an attestation perspective the "ima-sig"
> > template will not contain a signature.  If not the EVM signature, then
> > at least some other indication should be included in the measurement
> > list.
>
> Would it be ok to print the EVM portable signature in the sig field if the IMA
> signature is not found? Later we can introduce the new template evm-sig
> to include all metadata necessary to verify the EVM portable signature.

As long as the attestation server can differentiate between the
signature types, including the EVM signature should be fine.

> > Are you planning on posting the associated IMA/EVM regression tests?
>
> I didn't have a look yet at the code. I will try to write some later.

It looks like ima_verify_signature() in ima-evm-utils could be extended
to support the EVM portable signature or at least not to fail the
signature verification.

Mimi
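The exchange above turns on whether an attestation server can tell an IMA signature apart from an EVM portable signature if both end up in the "ima-sig" template's sig field. The following is an added example, not code from the thread, the kernel or ima-evm-utils: a small attestation-side parser for ascii measurement-list lines that classifies the sig field by its leading xattr type byte. It relies on two facts about the existing format (the sig field is the hex-encoded security.ima xattr, and a signature xattr is a type byte followed by the signature_v2_hdr fields: version, hash algorithm, 4-byte key id, 2-byte signature size), and it assumes that an EVM portable signature, if printed in the same field as Roberto proposes, would keep its own type byte. The type values come from the kernel's enum evm_ima_xattr_type; the sample lines, key ids and signature bytes are constructed and are not real measurements.

```python
"""Added example (not from the thread): classify the sig field of IMA
'ima-sig' measurement entries so an attestation verifier can distinguish
IMA signatures from EVM portable signatures, and spot entries with none."""
import binascii
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Type bytes from the kernel's enum evm_ima_xattr_type; only the two
# discussed in the thread are handled here.
EVM_IMA_XATTR_DIGSIG = 0x03        # IMA file signature (security.ima)
EVM_XATTR_PORTABLE_DIGSIG = 0x05   # EVM portable/immutable signature (security.evm)
DIGSIG_VERSION_2 = 0x02            # signature_v2_hdr.version
SIG_HDR_LEN = 9                    # type(1) version(1) hash_algo(1) keyid(4) sig_size(2)

SIG_TYPE_NAMES = {
    EVM_IMA_XATTR_DIGSIG: "ima-signature",
    EVM_XATTR_PORTABLE_DIGSIG: "evm-portable-signature",
}


@dataclass
class MeasurementEntry:
    pcr: int
    template_hash: str
    digest_alg: str
    digest: str
    path: str
    sig_type: str             # "ima-signature", "evm-portable-signature", "none", "unknown"
    keyid: Optional[str]      # hex of the 4-byte key id from signature_v2_hdr
    sig_bytes: bytes          # the raw signature blob (without the header)


def parse_sig_field(hexsig: str) -> Tuple[str, Optional[str], bytes]:
    """Decode the hex sig field: xattr type byte + signature_v2_hdr + signature."""
    if not hexsig:
        return "none", None, b""
    raw = binascii.unhexlify(hexsig)
    name = SIG_TYPE_NAMES.get(raw[0])
    if name is None or len(raw) < SIG_HDR_LEN or raw[1] != DIGSIG_VERSION_2:
        return "unknown", None, raw
    keyid = raw[3:7].hex()
    sig_size = int.from_bytes(raw[7:9], "big")
    sig = raw[SIG_HDR_LEN:SIG_HDR_LEN + sig_size]
    if len(sig) != sig_size:
        return "unknown", keyid, raw    # truncated blob: do not trust the type
    return name, keyid, sig


def parse_ima_sig_line(line: str) -> MeasurementEntry:
    """Parse one line of ascii_runtime_measurements using the ima-sig template."""
    parts = line.strip().split(" ")
    if len(parts) < 5 or parts[2] != "ima-sig":
        raise ValueError("not an ima-sig template line")
    digest_alg, digest = parts[3].split(":", 1)
    hexsig = parts[5] if len(parts) > 5 else ""
    sig_type, keyid, sig = parse_sig_field(hexsig)
    return MeasurementEntry(int(parts[0]), parts[1], digest_alg, digest,
                            parts[4], sig_type, keyid, sig)


def unsigned_paths(lines: List[str]) -> List[str]:
    """Paths measured with no usable signature, the gap Mimi raises for attestation."""
    return [e.path for e in map(parse_ima_sig_line, lines)
            if e.sig_type in ("none", "unknown")]


# Constructed sample lines (not real measurements): template hash and file
# digest are filler hex; sig fields carry constructed key ids and 4-/2-byte
# "signatures" just to exercise the header parsing.
SAMPLE_LINES = [
    "10 " + "b" * 40 + " ima-sig sha256:" + "a" * 64 + " /usr/bin/ima-signed 030204deadbeef000401020304",
    "10 " + "c" * 40 + " ima-sig sha256:" + "d" * 64 + " /usr/bin/evm-portable 050204cafef00d00020a0b",
    "10 " + "e" * 40 + " ima-sig sha256:" + "f" * 64 + " /usr/bin/unsigned",
]

if __name__ == "__main__":
    for entry in map(parse_ima_sig_line, SAMPLE_LINES):
        print(f"{entry.path}: {entry.sig_type} keyid={entry.keyid}")
    print("unsigned:", unsigned_paths(SAMPLE_LINES))
```

The verifier keeps the two signature kinds distinct rather than treating a portable EVM signature as equivalent to an IMA signature, which is what lets a policy decide per key id and per type what it accepts; anything with an unexpected type byte or a truncated header is reported as unknown instead of being silently passed.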