Thread: 12 messages, 2 authors, 2022-02-11

Re: [PATCH v4 0/8] ima: support fs-verity digests and signatures

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2022-02-08 14:57:38
Also in: linux-fscrypt, lkml

On Mon, 2022-02-07 at 21:50 -0800, Eric Biggers wrote:
On Mon, Feb 07, 2022 at 08:41:32PM -0500, Mimi Zohar wrote:
Support for including fs-verity file digests and signatures in the IMA
measurement list as well as verifying the fs-verity file digest based
signatures, both based on IMA policy rules, was discussed prior to
fs-verity being upstreamed[1,2].

Support for including fs-verity file digests in the 'd-ng' template field
is based on a new policy rule option named 'digest_type=verity'.  A new
template field named 'd-type' as well as a new template named 'ima-ngv2'
are defined to differentiate the regular IMA file hashes from the
fs-verity file digests (tree-hash based file hashes) stored in the 'd-ng'
template field.

Support for verifying fs-verity based file signatures stored in the
'security.ima' xattr is similarly based on the policy rule option
'digest_type=verity'.

To differentiate IMA from fs-verity file signatures, a new xattr_type
named IMA_VERITY_DIGSIG is defined.  Signature version 3, which is a hash
of the ima_file_id struct, disambiguates the signatures stored as
'security.ima' xattr.  fs-verity only supports the new signature format
(version 3).  To prevent abuse of the different signature formats, policy
rules must be limited to a specific signature version.

[1] https://events19.linuxfoundation.org/wp-content/uploads/2017/11/fs-verify_Mike-Halcrow_Eric-Biggers.pdf
[2] Documentation/filesystems/fsverity.rst
What does this patchset apply to?  I'm no longer able to apply it.  I tried
both v5.17-rc3, and the next-integrity branch of
https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git.
Just refreshed 'next-integrity' now.

-- 
thanks,

Mimi
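As an added illustration (not code from the patchset or from anyone in this thread), the following Python models the version-3 signed digest the cover letter describes: what gets signed is not the fs-verity file digest itself but a hash over an ima_file_id struct that places the xattr type and hash algorithm in front of the digest. The struct layout (one byte type, one byte algorithm, then only the used part of the digest array) and the enum values IMA_VERITY_DIGSIG = 6, HASH_ALGO_SHA256 = 4 and HASH_ALGO_SHA512 = 6 are assumptions taken from the upstream kernel headers, not from this v4 posting.

```python
import hashlib
import struct

# Assumed enum values, taken from the upstream kernel headers rather than from
# this v4 posting: IMA_VERITY_DIGSIG in enum evm_ima_xattr_type, HASH_ALGO_*
# in enum hash_algo.
IMA_VERITY_DIGSIG = 6
HASH_ALGO_SHA256 = 4
HASH_ALGO_SHA512 = 6
HASH_ALGO_NAMES = {HASH_ALGO_SHA256: "sha256", HASH_ALGO_SHA512: "sha512"}


def ima_file_id_bytes(xattr_type: int, hash_algo: int, digest: bytes) -> bytes:
    """Serialize the assumed ima_file_id layout: __u8 hash_type,
    __u8 hash_algorithm, then the digest bytes (only the part of the
    fixed-size hash array that the algorithm actually uses)."""
    name = HASH_ALGO_NAMES[hash_algo]
    if len(digest) != hashlib.new(name).digest_size:
        raise ValueError("digest length does not match hash_algorithm")
    return struct.pack("BB", xattr_type, hash_algo) + digest


def verity_signed_digest(file_digest: bytes,
                         hash_algo: int = HASH_ALGO_SHA256) -> bytes:
    """Digest a version-3 'security.ima' signature covers for an fs-verity
    file: the hash of the ima_file_id struct, not the raw verity digest.
    Binding the xattr type into the signed bytes is what keeps a signature
    over a plain IMA file hash from being presented as a verity signature."""
    blob = ima_file_id_bytes(IMA_VERITY_DIGSIG, hash_algo, file_digest)
    return hashlib.new(HASH_ALGO_NAMES[hash_algo], blob).digest()


# Constructed sample value standing in for a file's fs-verity digest.
SAMPLE_VERITY_DIGEST = bytes(range(32))

if __name__ == "__main__":
    signed = verity_signed_digest(SAMPLE_VERITY_DIGEST)
    print("fs-verity digest :", SAMPLE_VERITY_DIGEST.hex())
    print("v3 signed digest :", signed.hex())
```

A verifier checking a 'security.ima' v3 signature offline would compare the signature against this derived digest, and a policy rule pinned to one signature version is what stops a v2 signature over a plain file hash from being accepted in its place.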