On Thu, 2022-05-05 at 13:12 -0400, Stefan Berger wrote: > > On 5/5/22 08:31, Mimi Zohar wrote: > > IMA may verify a file's integrity against a "good" value stored in the > > 'security.ima' xattr or as an appended signature, based on policy. When > > the "good value" is stored in the xattr, the xattr may contain a file > > hash or signature. In either case, the "good" value is preceded by a > > header. The first byte of the xattr header indicates the type of data > > - hash, signature - stored in the xattr. To support storing fs-verity > > signatures in the 'security.ima' xattr requires further differentiating > > the fs-verity signature from the existing IMA signature. > > > > In addition the signatures stored in 'security.ima' xattr, need to be > > disambiguated. Instead of directly signing the fs-verity digest, a new > > signature format version 3 is defined as the hash of the ima_file_id > > structure, which identifies the type of signature and the digest. > > > > The IMA policy defines "which" files are to be measured, verified, and/or > > audited. For those files being verified, the policy rules indicate "how" > > the file should be verified. For example to require a file be signed, > > the appraise policy rule must include the 'appraise_type' option. > > > > appraise_type:= [imasig] | [imasig|modsig] | [sigv3] > > where 'imasig' is the original or signature format v2 (default), > > where 'modsig' is an appended signature, > > where 'sigv3' is the signature format v3. > > > > The policy rule must also indicate the type of digest, if not the IMA > > default, by first specifying the digest type: > > > > digest_type:= [verity] > > > > The following policy rule requires fsverity signatures. The rule may be > > constrained, for example based on a fsuuid or LSM label. > > > > appraise func=BPRM_CHECK digest_type=verity appraise_type=sigv3 > > > > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> > > Acked-by: Stefan Berger <stefanb@xxxxxxxxxxxxx> Thanks, Stefan! This patch set is now queued in the next-integrity-testing branch, waiting additional review/tags. thanks, Mimi
