Support for fs-verity file digests in IMA was discussed from the beginning,
prior to fs-verity being upstreamed[1,2].  This patch set adds signature
verification support based on the fs-verity file digest.  Both the
file digest and the signature must be included in the IMA measurement list
in order to disambiguate the type of file digest.

[1] https://events19.linuxfoundation.org/wp-content/uploads/2017/11/fs-verify_Mike-Halcrow_Eric-Biggers.pdf
[2] Documentation/filesystems/fsverity.rst

Changelog v1:
- Updated both fsverity and IMA documentation.
- Addressed both Eric Biggers' and Lakshmi's comments.

Mimi Zohar (5):
  fs-verity: define a function to return the integrity protected file digest
  ima: define a new signature type named IMA_VERITY_DIGSIG
  ima: limit including fs-verity's file digest in measurement list
  ima: support fs-verity file digest based signatures
  fsverity: update the documentation

 Documentation/filesystems/fsverity.rst    | 22 ++++++----
 Documentation/security/IMA-templates.rst  |  9 +++-
 fs/verity/Kconfig                         |  1 +
 fs/verity/fsverity_private.h              |  7 ---
 fs/verity/measure.c                       | 49 +++++++++++++++++++++
 include/linux/fsverity.h                  | 18 ++++++++
 security/integrity/ima/ima.h              |  3 +-
 security/integrity/ima/ima_api.c          | 23 +++++++++-
 security/integrity/ima/ima_appraise.c     | 52 ++++++++++++++++++++++-
 security/integrity/ima/ima_main.c         |  7 ++-
 security/integrity/ima/ima_template_lib.c |  3 +-
 security/integrity/integrity.h            |  1 +
 12 files changed, 172 insertions(+), 23 deletions(-)

-- 
2.27.0