On Mon, Feb 07, 2022 at 08:41:32PM -0500, Mimi Zohar wrote: > Support for including fs-verity file digests and signatures in the IMA > measurement list as well as verifying the fs-verity file digest based > signatures, both based on IMA policy rules, was discussed prior to > fs-verity being upstreamed[1,2]. > > Support for including fs-verity file digests in the 'd-ng' template field > is based on a new policy rule option named 'digest_type=verity'. A new > template field named 'd-type' as well as a new template named 'ima-ngv2' > are defined to differentiate between the regular IMA file hashes from the > fs-verity file digests (tree-hash based file hashes) stored in the 'd-ng' > template field. > > Support for verifying fs-verity based file signatures stored in the > 'security.ima' xattr is similarly based on the policy rule option > 'digest_type=verity'. > > To differentiate IMA from fs-verity file signatures a new xattr_type > named IMA_VERITY_DIGSIG is defined. Signature version 3, which is a hash > of the ima_file_id struct, disambiguates the signatures stored as > 'security.ima' xattr. fs-verity only supports the new signature format > (version 3). To prevent abuse of the different signature formats, policy > rules must be limited to a specific signature version. > > [1] https://events19.linuxfoundation.org/wp-content/uploads/2017/11/fs-verify_Mike-Halcrow_Eric-Biggers.pdf > [2] Documentation/filesystems/fsverity.rst What does this patchset apply to? I'm no longer able to apply it. I tried both v5.17-rc3, and the next-integrity branch of https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git. - Eric
