On Mon, 2021-11-29 at 18:36 -0800, Eric Biggers wrote:
> On Mon, Nov 29, 2021 at 12:00:53PM -0500, Mimi Zohar wrote:
> > Support for fs-verity file digests in IMA was discussed from the beginning,
> > prior to fs-verity being upstreamed[1,2]. This patch set adds signature
> > verification support based on the fs-verity file digest. Both the
> > file digest and the signature must be included in the IMA measurement list
> > in order to disambiguate the type of file digest.
> >
> > [1] https://events19.linuxfoundation.org/wp-content/uploads/2017/11/fs-verify_Mike-Halcrow_Eric-Biggers.pdf
> > [2] Documentation/filesystems/fsverity.rst
> >
> > Mimi Zohar (4):
> >   fs-verity: define a function to return the integrity protected file
> >     digest
> >   ima: define a new signature type named IMA_VERITY_DIGSIG
> >   ima: limit including fs-verity's file digest in measurement list
> >   ima: support fs-verity file digest based signatures
> >
> >  fs/verity/fsverity_private.h              |  6 ---
> >  fs/verity/measure.c                       | 49 +++++++++++++++++++++++
> >  include/linux/fsverity.h                  | 17 ++++++++
> >  security/integrity/ima/ima.h              |  3 +-
> >  security/integrity/ima/ima_api.c          | 23 ++++++++++-
> >  security/integrity/ima/ima_appraise.c     |  9 ++++-
> >  security/integrity/ima/ima_main.c         |  7 +++-
> >  security/integrity/ima/ima_template_lib.c |  3 +-
> >  security/integrity/integrity.h            |  1 +
> >  9 files changed, 107 insertions(+), 11 deletions(-)
>
> I left some comments, but this generally looks like the right approach.
> However, I'm not an expert in IMA, so it's hard for me to review the IMA parts.

Thank you for the quick review!

>
> Can you add documentation for this feature?

Yes, of course. Originally I assumed the fs-verity support would be a
lot more complicated, but to my pleasant surprise by limiting the IMA
fsverity support to just signatures and requiring the file signature be
included in the IMA measurement list, it's a lot simpler than expected.
As there aren't any IMA policy changes, I'm just thinking about where
to document it.

thanks,

Mimi