On Fri, 2018-11-09 at 13:16 +0000, David Howells wrote:
> Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> > Attempting to verify IMA signatures fail causing the system to hang.
>
> Can you say why?

On systems with IMA-appraisal enabled with a policy requiring file
signatures, the "good" signature values are stored on the filesystem
as extended attributes (security.ima). Signature verification failure
would normally be limited to just a particular file (e.g. executable),
but during boot signature verification failure could result in a
system hang.

Removing existing signature formats breaks existing systems. This
patch adds support for RSA signatures without an explicit "pkcs1"
sig->encoding.

> > Fixes: commit 82f94f24475c ("KEYS: Provide software public key query
> > function [ver #2]")
>
> Btw, no word "commit" after Fixes:.

Ok.

Looking the patch over again, do you prefer the duplicate call or
defining a local variable and using the ternary conditional operator
("?:") like this:

	bool rsa = false;

	if (!(sig->encoding) && strcmp(pkey->pkey_algo, "rsa") == 0)
		rsa = true;

	ret = software_key_determine_akcipher(rsa ? "pkcs1" : sig->encoding,
					      sig->hash_algo, pkey, alg_name);

Mimi