On Tue, 2021-11-30 at 07:56 -0500, Mimi Zohar wrote: > On Mon, 2021-11-29 at 18:36 -0800, Eric Biggers wrote: > > On Mon, Nov 29, 2021 at 12:00:53PM -0500, Mimi Zohar wrote: > > > Support for fs-verity file digests in IMA was discussed from the beginning, > > > prior to fs-verity being upstreamed[1,2]. This patch set adds signature > > > verification support based on the fs-verity file digest. Both the > > > file digest and the signature must be included in the IMA measurement list > > > in order to disambiguate the type of file digest. > > > > > > [1] https://events19.linuxfoundation.org/wp-content/uploads/2017/11/fs-verify_Mike-Halcrow_Eric-Biggers.pdf > > > [2] Documentation/filesystems/fsverity.rst > > > > > > Mimi Zohar (4): > > > fs-verity: define a function to return the integrity protected file > > > digest > > > ima: define a new signature type named IMA_VERITY_DIGSIG > > > ima: limit including fs-verity's file digest in measurement list > > > ima: support fs-verity file digest based signatures > > > > > > fs/verity/fsverity_private.h | 6 --- > > > fs/verity/measure.c | 49 +++++++++++++++++++++++ > > > include/linux/fsverity.h | 17 ++++++++ > > > security/integrity/ima/ima.h | 3 +- > > > security/integrity/ima/ima_api.c | 23 ++++++++++- > > > security/integrity/ima/ima_appraise.c | 9 ++++- > > > security/integrity/ima/ima_main.c | 7 +++- > > > security/integrity/ima/ima_template_lib.c | 3 +- > > > security/integrity/integrity.h | 1 + > > > 9 files changed, 107 insertions(+), 11 deletions(-) > > > > I left some comments, but this generally looks like the right approach. > > However, I'm not an expert in IMA, so it's hard for me to review the IMA parts. > > Thank you for the quick review! > > > > > Can you add documentation for this feature? > > Yes, of course. Originally I assumed the fs-verity support would be a > lot more complicated, but to my pleasant surprise by limiting the IMA > fsverity support to just signatures and requiring the file signature be > included in the IMA measurement list, it's a lot simpler than expected. > As there aren't any IMA policy changes, I'm just thinking about where > to document it. I'll update both Documentation/filesystems/fsverity.rst and Documentation/security/IMA-templates.rst. thanks, Mimi
