Re: [PATCH v2 6/7] ima: Define new template evm-sig

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2021-05-28 at 09:38 +0200, Roberto Sassu wrote:
> With the recent introduction of the evmsig template field, remote verifiers
> can obtain the EVM portable signature instead of the IMA signature, to
> verify file metadata.
> 
> After introducing the new fields to include file metadata in the
> measurement list, this patch finally defines the evm-sig template, whose
> format is:
> 
> d-ng|n-ng|evmsig|xattrnames|xattrlengths|xattrvalues|iuid|igid|imode
> 
> xattrnames, xattrlengths and xattrvalues are populated only from defined
> EVM protected xattrs, i.e. the ones that EVM considers to verify the
> portable signature. xattrnames and xattrlengths are populated only if the
> xattr is present.
> 
> xattrnames and xattrlengths are not necessary for verifying the EVM
> portable signature, but they are included for completeness of information,
> if a remote verifier wants to infer more from file metadata.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> ---
>  Documentation/security/IMA-templates.rst | 1 +
>  security/integrity/ima/ima_template.c    | 3 +++
>  2 files changed, 4 insertions(+)
> 
> diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst
> index 6a58760a0a35..5adc22f99496 100644
> --- a/Documentation/security/IMA-templates.rst
> +++ b/Documentation/security/IMA-templates.rst
> @@ -91,6 +91,7 @@ Below, there is the list of defined template descriptors:
>   - "ima-sig": its format is ``d-ng|n-ng|sig``;
>   - "ima-buf": its format is ``d-ng|n-ng|buf``;
>   - "ima-modsig": its format is ``d-ng|n-ng|sig|d-modsig|modsig``;
> + - "evm-sig": its format is ``d-ng|n-ng|evmsig|xattrnames|xattrlengths|xattrvalues|iuid|igid|imode``;
>  
>  
>  Use
> diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
> index 159a31d2fcdf..be435efe6122 100644
> --- a/security/integrity/ima/ima_template.c
> +++ b/security/integrity/ima/ima_template.c
> @@ -22,6 +22,9 @@ static struct ima_template_desc builtin_templates[] = {
>  	{.name = "ima-sig", .fmt = "d-ng|n-ng|sig"},
>  	{.name = "ima-buf", .fmt = "d-ng|n-ng|buf"},
>  	{.name = "ima-modsig", .fmt = "d-ng|n-ng|sig|d-modsig|modsig"},
> +	{.name = "evm-sig",
> +	 .fmt = "d-ng|n-ng|evmsig|"
> +		"xattrnames|xattrlengths|xattrvalues|iuid|igid|imode"},

checkpatch is complaining "WARNING: quoted string split across lines".

>  	{.name = "", .fmt = ""},	/* placeholder for a custom format */
>  };
>  

The MAX_TEMPLATE_NAME_LEN needs to be updated.

thanks,

Mimi




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux