Hi Roberto, On Wed, 2021-05-05 at 13:33 +0200, Roberto Sassu wrote: > With the patch to accept EVM portable signatures when the > appraise_type=imasig requirement is specified in the policy, appraisal can > be successfully done even if the file does not have an IMA signature. > > However, remote attestation would not see that a different signature type > was used, as only IMA signatures can be included in the measurement list. > This patch solves the issue by introducing the new template field 'evmsig' > to show EVM portable signatures and by including its value in the existing > field 'sig' if the IMA signature is not found. With this patch, instead of storing the file data signature, the file metadata signature is stored in the IMA measurement list, as designed. There's a minor problem. Unlike the file data signature, the measurement list record does not contain all the information needed to verify the file metadata signature. thanks, Mimi
