On Tue, Jan 25, 2022 at 07:06:55PM -0500, Mimi Zohar wrote:
> Allow fsverity's file digests to be included in the IMA measurement list
> based on policy.
>
> Define a new measurement policy rule option named 'digest_type=' to
> allow fsverity file digests to be included in the measurement list
> in the d-ng field.
>
> Including the 'd-type' template field is recommended for unsigned
> fs-verity digests to distinguish between d-ng digest types. The
> following policy rule, for example, specifies the new 'ima-ngv2'
> template.
>
> measure func=FILE_CHECK digest_type=hash|verity template=ima-ngv2
>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> ---
> Documentation/ABI/testing/ima_policy | 7 +++++
> Documentation/security/IMA-templates.rst | 6 ++++
> security/integrity/ima/ima_api.c | 29 +++++++++++++++--
> security/integrity/ima/ima_policy.c | 38 ++++++++++++++++++++++-
> security/integrity/ima/ima_template_lib.c | 9 +++++-
> security/integrity/integrity.h | 4 ++-
> 6 files changed, 88 insertions(+), 5 deletions(-)
>
> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index 839fab811b18..444bb7ccbe03 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -51,6 +51,7 @@ Description:
> appraise_flag:= [check_blacklist]
> Currently, blacklist check is only for files signed with appended
> signature.
> + digest_type:= [hash|verity]

This doesn't explain what this option actually does.

> diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst
> index 1a91d92950a7..5e31513e8ec4 100644
> --- a/Documentation/security/IMA-templates.rst
> +++ b/Documentation/security/IMA-templates.rst
> @@ -69,6 +69,7 @@ descriptors by adding their identifier to the format string
> algorithm (field format: [<hash algo>:]digest, where the digest
> prefix is shown only if the hash algorithm is not SHA1 or MD5);
> - 'd-modsig': the digest of the event without the appended modsig;
> + - 'd-type': the type of file digest (e.g. hash, verity[1]);

This should explain how this is different from the hash algorithm.

- Eric
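Review bot: the new `digest_type:= [hash|verity]` line in the ima_policy ABI hunk gives only the option's syntax, whereas the neighbouring `appraise_flag:= [check_blacklist]` entry is followed by a sentence on its effect. Add a sentence stating what each value selects for the d-ng field (the conventional file hash, or the fs-verity file digest as the commit message describes), what the default is when the option is absent, and that the `d-type` field / `ima-ngv2` template is recommended so the two digest kinds can be told apart; the `measure func=FILE_CHECK digest_type=hash|verity template=ima-ngv2` rule from the commit message would serve as the example.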
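Review bot: in the IMA-templates.rst hunk the new `'d-type'` entry should say what the field represents and how it is encoded. The preceding `d-ng` entry already carries the algorithm as a `[<hash algo>:]` prefix, so the text needs to make clear that d-type records what was digested (the file contents, or an fs-verity file digest) rather than which algorithm was used, and it should give a field format as the other entries do (is it the literal string `hash` or `verity`?). Also confirm that the `[1]` reference resolves to a definition of fs-verity in this file.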
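The reason the d-type field matters to a verifier is that a file-content hash and an fs-verity file digest computed with the same algorithm are different quantities and must be matched against different reference values. The following script is an added example (not code from the patch, the kernel or Eric's reply) that parses ascii measurement-list entries and keys its reference set on (digest type, algorithm, digest). The ima-ng column layout is the documented one; the ima-ngv2 order used here (d-ng, then d-type, then n-ng), the treatment of entries without a d-type field as file-content hashes, and all sample lines are assumptions constructed for the example.

```python
"""Parse IMA ascii measurement-list entries and key reference digests by type.

Added example, not code from the patch or the kernel. The ima-ng layout
(PCR template-hash template-name d-ng n-ng) is the documented one; the
ima-ngv2 column order used here (d-ng followed by d-type, then n-ng) is an
ASSUMPTION about the template proposed in the patch, and entries without a
d-type field are treated as conventional file-content hashes (also an
assumption).
"""
import re
from dataclasses import dataclass

# Constructed sample lines (not real measurements). The last line carries the
# same sha256 value as the first but is an fs-verity digest, so it must not
# match the reference entry recorded for the file-content hash.
SAMPLE_LINES = [
    "10 " + "a" * 40 + " ima-ng sha256:" + "11" * 32 + " /usr/bin/example",
    "10 " + "b" * 40 + " ima-ng " + "22" * 20 + " /usr/lib/legacy.so",
    "10 " + "c" * 40 + " ima-ngv2 sha256:" + "33" * 32 + " verity /usr/bin/verity-tool",
    "10 " + "d" * 40 + " ima-ngv2 sha256:" + "11" * 32 + " verity /usr/bin/lookalike",
]

_HEX = re.compile(r"^[0-9a-f]+$")
# d-ng omits the algorithm prefix for SHA1 and MD5 (see the d-ng entry in
# IMA-templates.rst), so infer those two from the digest length.
_ALGO_BY_HEX_LEN = {40: "sha1", 32: "md5"}
_DIGEST_TYPES = ("hash", "verity")


@dataclass(frozen=True)
class Measurement:
    pcr: int
    template_hash: str
    template: str
    algo: str
    digest: str
    digest_type: str  # "hash": file-content hash; "verity": fs-verity file digest
    path: str


def parse_dng(field: str) -> tuple:
    """Split a d-ng field ('[<algo>:]digest') into (algo, digest)."""
    if ":" in field:
        algo, digest = field.split(":", 1)
    else:
        algo = _ALGO_BY_HEX_LEN.get(len(field))
        if algo is None:
            raise ValueError(f"cannot infer algorithm for unprefixed digest {field!r}")
        digest = field
    digest = digest.lower()
    if not _HEX.match(digest):
        raise ValueError(f"digest is not hex: {digest!r}")
    return algo, digest


def parse_entry(line: str) -> Measurement:
    """Parse one ascii_runtime_measurements line in ima-ng or (assumed) ima-ngv2 form."""
    head = line.split(maxsplit=3)
    if len(head) != 4:
        raise ValueError(f"malformed entry: {line!r}")
    pcr, template_hash, template, rest = head
    if template == "ima-ng":
        dng, path = rest.split(maxsplit=1)
        digest_type = "hash"  # assumption: no d-type field means a file-content hash
    elif template == "ima-ngv2":
        dng, digest_type, path = rest.split(maxsplit=2)
        if digest_type not in _DIGEST_TYPES:
            raise ValueError(f"unknown d-type {digest_type!r}")
    else:
        raise ValueError(f"unsupported template {template!r}")
    algo, digest = parse_dng(dng)
    return Measurement(int(pcr), template_hash, template, algo, digest, digest_type, path)


def build_reference(entries) -> set:
    """Reference set keyed on (digest_type, algo, digest), never on the digest alone."""
    return {(t, a, d.lower()) for t, a, d in entries}


def check_measurements(lines, reference) -> dict:
    """Map each measured path to True if its (type, algo, digest) is in the reference."""
    results = {}
    for line in lines:
        m = parse_entry(line)
        results[m.path] = (m.digest_type, m.algo, m.digest) in reference
    return results


if __name__ == "__main__":
    ref = build_reference([
        ("hash", "sha256", "11" * 32),
        ("hash", "sha1", "22" * 20),
        ("verity", "sha256", "33" * 32),
    ])
    for path, ok in check_measurements(SAMPLE_LINES, ref).items():
        print(f"{'ok  ' if ok else 'FAIL'} {path}")
```

Run stand-alone, the script reports the first three sample entries as matching and `/usr/bin/lookalike` as failing, even though its digest bytes equal those of `/usr/bin/example`: the reference was recorded for a file-content hash, not for a verity digest, and the d-type column is what lets the verifier tell the two apart.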