Support for fs-verity file digests in IMA was discussed from the beginning,
prior to fs-verity being upstreamed[1,2].  This patch set adds signature
verification support based on the fs-verity file digest.  Both the file
digest and the signature must be included in the IMA measurement list in
order to disambiguate the type of file digest.

[1] https://events19.linuxfoundation.org/wp-content/uploads/2017/11/fs-verify_Mike-Halcrow_Eric-Biggers.pdf
[2] Documentation/filesystems/fsverity.rst

Mimi Zohar (4):
  fs-verity: define a function to return the integrity protected file digest
  ima: define a new signature type named IMA_VERITY_DIGSIG
  ima: limit including fs-verity's file digest in measurement list
  ima: support fs-verity file digest based signatures

 fs/verity/fsverity_private.h              |  6 ---
 fs/verity/measure.c                       | 49 +++++++++++++++++++++++
 include/linux/fsverity.h                  | 17 ++++++++
 security/integrity/ima/ima.h              |  3 +-
 security/integrity/ima/ima_api.c          | 23 ++++++++++-
 security/integrity/ima/ima_appraise.c     |  9 ++++-
 security/integrity/ima/ima_main.c         |  7 +++-
 security/integrity/ima/ima_template_lib.c |  3 +-
 security/integrity/integrity.h            |  1 +
 9 files changed, 107 insertions(+), 11 deletions(-)

-- 
2.27.0
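The fs-verity file digest that this series feeds into IMA is defined in the cited Documentation/filesystems/fsverity.rst: it is the hash of the 256-byte fsverity_descriptor, whose root_hash is the root of a salted Merkle tree built over the file's data blocks. The Python below is an added, stand-alone reference implementation of that digest, followed by an illustration of the cover letter's disambiguation point (the plain whole-file hash and the fs-verity digest of the same file differ, so a measurement record must say which kind of digest it carries). It is not code from this patch set, from the kernel or from fsverity-utils; the record layout with "type", "algo" and "digest" keys is a constructed illustration, not an IMA template, and the sample file is constructed inline.

```python
import hashlib
import struct

# fs-verity hash_algorithm ids and digest sizes (include/uapi/linux/fsverity.h)
FS_VERITY_HASH_ALGS = {"sha256": (1, 32), "sha512": (2, 64)}


def hash_block(algo, salt, block, block_size):
    """Hash one block as fs-verity does: hash(salt || block), block zero-padded."""
    h = hashlib.new(algo)
    h.update(salt)
    h.update(block.ljust(block_size, b"\0"))
    return h.digest()


def merkle_root(algo, salt, data, block_size=4096):
    """Root hash of the fs-verity Merkle tree over `data`.

    Level 0 holds the hashes of the data blocks; each higher level holds the
    hashes of the blocks formed by packing the previous level's hashes.  The
    process stops once a level fits in a single block, whose hash is the root.
    A one-block file therefore has a zero-level tree (root = hash of the block)
    and an empty file has an all-zero root hash.
    """
    digest_size = FS_VERITY_HASH_ALGS[algo][1]
    if not data:
        return b"\0" * digest_size
    level = [hash_block(algo, salt, data[i:i + block_size], block_size)
             for i in range(0, len(data), block_size)]
    while len(level) > 1:
        packed = b"".join(level)  # block_size // digest_size hashes per block
        level = [hash_block(algo, salt, packed[i:i + block_size], block_size)
                 for i in range(0, len(packed), block_size)]
    return level[0]


def fsverity_descriptor(algo, data_size, root_hash, salt, log_blocksize=12):
    """Serialize the 256-byte struct fsverity_descriptor (version 1).

    The 32-bit field at offset 4 is reserved and must be zero when the
    descriptor is hashed; an optional signature is stored separately and is
    not part of the digest.
    """
    alg_id = FS_VERITY_HASH_ALGS[algo][0]
    desc = struct.pack("<BBBBIQ64s32s144s", 1, alg_id, log_blocksize,
                       len(salt), 0, data_size, root_hash, salt, b"")
    assert len(desc) == 256
    return desc


def fsverity_digest(data, algo="sha256", salt=b"", block_size=4096):
    """The fs-verity file digest: the unsalted hash of the descriptor."""
    if len(salt) > 32:
        raise ValueError("fs-verity salt is at most 32 bytes")
    root = merkle_root(algo, salt, data, block_size)
    desc = fsverity_descriptor(algo, len(data), root, salt,
                               block_size.bit_length() - 1)
    return hashlib.new(algo, desc).digest()


def check_record(record, data):
    """Recompute the digest named by a measurement-style record and compare.

    `record` is a constructed illustration, not an IMA template: it carries
    the digest type ("plain" for a whole-file hash, "fsverity" for the
    fs-verity digest), the algorithm and the hex digest.  Without the type a
    verifier could not tell which of the two computations to repeat.
    """
    if record["type"] == "plain":
        expected = hashlib.new(record["algo"], data).digest()
    elif record["type"] == "fsverity":
        expected = fsverity_digest(data, record["algo"])
    else:
        raise ValueError("unknown digest type %r" % record["type"])
    return expected.hex() == record["digest"]


if __name__ == "__main__":
    sample = bytes(range(256)) * 20  # constructed 5120-byte file: two 4 KiB blocks
    print("plain   :", hashlib.sha256(sample).hexdigest())
    print("fsverity:", fsverity_digest(sample).hex())
```

The Merkle construction and descriptor layout follow fsverity.rst, with the 4096-byte block size and SHA-256 defaults that fsverity.rst describes; the two-block sample is large enough to exercise one tree level above the data blocks.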