Extend the existing file list digest signing and the IMA measurement list
file signature verification to support the new sigv3 format version.
Neither file digest signing nor signature verification requires
calculating the fs-verity file digest.

evmctl examples of signing fs-verity file hashes and verifying the
fs-verity file signatures are included in the respective patch
descriptions.

Changelog v4:
- Addressed Stefan's comments (e.g. fixed max digest size, removed
  unnecessary errno clearing, updated evmctl sign_hash usage format).

Changelog v3:
- Refactor the existing file hash signing function so that both
  signature format version 2 and 3 may use it. Signature v2 directly
  signs the file hash, while signature v3 indirectly signs the file hash.
- Addressed Stefan Berger's comments: properly clear errno, properly
  limit the hash algorithm name size to address an out of bounds error.
  Instead of allowing the maximum hash algorithm name size, use the
  current fs-verity supported maximum hash algorithm size.
- Based on Eric Biggers' recommendation of using "fsverity digest"
  instead of "fsverity measure", replaced all references.

Mimi Zohar (3):
  Reset 'errno' after failure to open or access a file
  Sign an fs-verity file digest
  Verify an fs-verity file digest based signature

 README          |   3 +-
 src/evmctl.c    | 126 ++++++++++++++++++++++++++++++------
 src/imaevm.h    |   5 +-
 src/libimaevm.c | 166 ++++++++++++++++++++++++++++++++++++++++++++----
 4 files changed, 268 insertions(+), 32 deletions(-)

-- 
2.27.0