On Mon, 2020-01-06 at 09:36 -0500, Ken Goldman wrote:
> On 1/4/2020 6:32 PM, Mimi Zohar wrote:
> > The "sig" and "modsig" hash algorithms are independent
> > of each other. They might or might not be the same.
>
> My question was about the d-modsig hash algorithm. Should the spec say:
>
> 1 - If d-ng and d-modsig are both present, the hash algorithms MUST be
> the same.

No, the hash algorithm does not need to be the same. The "d-ng" hash
algorithm is based on the "sig" field, if present, and defaults to the
IMA default algorithm as specified in the Kconfig -
CONFIG_IMA_DEFAULT_HASH. The appended signature ("sig" field), like in
the case of the kexec kernel image, might be a third party signature.

>
> I did have a question about the 'd-ng | sig | sig' template. Is that an
> error or could a file be signed with e.g. both RSA-2048 and RSA-3072?
>
> Etc. You can see where I'm going - precise rules for an IMA log verifier.

The "sig" field is the original IMA signature, stored as an extended
attribute. If/when IMA fs-verity support is added, that signature would
require defining new digest and signature field types. A template with
two "sig" fields doesn't make sense.

Mimi