Re: [PATCH v3 5/8] ima: include fsverity's file digests in the IMA measurement list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, Jan 25, 2022 at 07:06:55PM -0500, Mimi Zohar wrote:
> Allow fsverity's file digests to be included in the IMA measurement list
> based on policy.
> 
> Define a new measurement policy rule option named 'digest_type=' to
> allow fsverity file digests to be included in the measurement list
> in the d-ng field.
> 
> Including the 'd-type' template field is recommended for unsigned
> fs-verity digests to distinguish between d-ng digest types.  The
> following policy rule, for example, specifies the new 'ima-ngv2'
> template.
> 
> measure func=FILE_CHECK digest_type=hash|verity template=ima-ngv2
> 
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> ---
>  Documentation/ABI/testing/ima_policy      |  7 +++++
>  Documentation/security/IMA-templates.rst  |  6 ++++
>  security/integrity/ima/ima_api.c          | 29 +++++++++++++++--
>  security/integrity/ima/ima_policy.c       | 38 ++++++++++++++++++++++-
>  security/integrity/ima/ima_template_lib.c |  9 +++++-
>  security/integrity/integrity.h            |  4 ++-
>  6 files changed, 88 insertions(+), 5 deletions(-)
> 
> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index 839fab811b18..444bb7ccbe03 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -51,6 +51,7 @@ Description:
>  			appraise_flag:= [check_blacklist]
>  			Currently, blacklist check is only for files signed with appended
>  			signature.
> +			digest_type:= [hash|verity]

This doesn't explain what this option actually does.

> diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst
> index 1a91d92950a7..5e31513e8ec4 100644
> --- a/Documentation/security/IMA-templates.rst
> +++ b/Documentation/security/IMA-templates.rst
> @@ -69,6 +69,7 @@ descriptors by adding their identifier to the format string
>     algorithm (field format: [<hash algo>:]digest, where the digest
>     prefix is shown only if the hash algorithm is not SHA1 or MD5);
>   - 'd-modsig': the digest of the event without the appended modsig;
> + - 'd-type': the type of file digest (e.g. hash, verity[1]);

This should explain how this is different from the hash algorithm.

- Eric
[Index of Archives]     [linux Cryptography]     [Asterisk App Development]     [PJ SIP]     [Gnu Gatekeeper]     [IETF Sipping]     [Info Cyrus]     [ALSA User]     [Fedora Linux Users]     [Linux SCTP]     [DCCP]     [Gimp]     [Yosemite News]     [Deep Creek Hot Springs]     [Yosemite Campsites]     [ISDN Cause Codes]

  Powered by Linux