This patch adds support for ima verification for rsa with pss encoding. And a patch for ima-evm-utils will be sent later. Signed-off-by: Hongbo Li <herbert.tencent@xxxxxxxxx> --- security/integrity/digsig_asymmetric.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c index 23240d7..ef7a51a 100644 --- a/security/integrity/digsig_asymmetric.c +++ b/security/integrity/digsig_asymmetric.c @@ -85,6 +85,7 @@ int asymmetric_verify(struct key *keyring, const char *sig, struct public_key_signature pks; struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig; const struct public_key *pk; + struct public_key_signature *cert_sig; struct key *key; int ret; @@ -109,16 +110,21 @@ int asymmetric_verify(struct key *keyring, const char *sig, pk = asymmetric_key_public_key(key); pks.pkey_algo = pk->pkey_algo; - if (!strcmp(pk->pkey_algo, "rsa")) - pks.encoding = "pkcs1"; - else if (!strncmp(pk->pkey_algo, "ecdsa-", 6)) + if (!strcmp(pk->pkey_algo, "rsa")) { + cert_sig = key->payload.data[asym_auth]; + if (cert_sig) + pks.encoding = cert_sig->encoding; + else + pks.encoding = "pkcs1"; + } else if (!strncmp(pk->pkey_algo, "ecdsa-", 6)) { /* edcsa-nist-p192 etc. */ pks.encoding = "x962"; - else if (!strcmp(pk->pkey_algo, "ecrdsa") || - !strcmp(pk->pkey_algo, "sm2")) + } else if (!strcmp(pk->pkey_algo, "ecrdsa") || + !strcmp(pk->pkey_algo, "sm2")) { pks.encoding = "raw"; - else + } else { return -ENOPKG; + } pks.digest = (u8 *)data; pks.digest_size = datalen; -- 1.8.3.1