Add support for V3 signatures for EVM & IMA for all supported key types #29
Open
stefanberger wants to merge 6 commits into linux-integrity:next-testing from
stefanberger commented Mar 1, 2026
| xattr_type = EVM_IMA_XATTR_DIGSIG; | ||
|
|
||
| if (evm_immutable) | ||
| sig[1] = 3; /* immutable signature version */ |
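Review bot: the literal in `sig[1] = 3;` under `if (evm_immutable)` is a magic number explained only by its trailing comment, and in a series that introduces a V3 signing scheme a bare 3 in a version byte is easy to misread. Suggest a named constant for the immutable signature version and a sentence in the commit message stating how this assignment relates to the V3 scheme.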
I am not sure why this was '3'.
Implement imaevm_create_sigv3 that creates v3 signatures. This function will now also allocate a buffer if the caller did not provide one. Further, it will write the full signature into the signature buffer, including the leading xattr type byte.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Add support for signing IMA signatures with the V3 signing scheme. Introduce a global variable that states which signing scheme to use and for now set it to SIGNATURE_V2. Implement the SIGNATURE_V3 case where necessary for IMA.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Add support for signing EVM signatures with the V3 signing scheme. Implement the SIGNATURE_v3 case where necessary for EVM.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable both IMA and EVM file signatures with a new --v3 option that sets the previously introduced global variable that states which signature version to use. Similarly, introduce a --v2 option for users to (already) choose old V2 type of signatures. Update the README with the dump of the evmctl help screen and mention v3 signature format.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Add the new --v3 option to the sign_verify_ima test cases. Adjust openssl signature verification to build ima_file_id structure in a file that is then used for signature verification rather than the plain file (as before).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Convert the code that built the fsverity signature with V3 signing scheme to use the new imaevm_create_sigv3 function.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This PR adds support for the V3 signatures for EVM & IMA for all supported key types. It implements an imaevm_create_sigv3() library function that takes the file hash as input and creates the hash of the ima_file_id needed for V3 signatures.
Add a few test cases for V3 signature creation and verification to sign_verify.test.
Later on, inside this function, we will check whether the signing key is an ML-DSA key and pass the ima_file_id structure to ML-DSA pure-mode signing, saving the cycles for hashing this structure. Avoiding the hashing here will also save cycles when being able to avoid the hashing upon signature verification in Linux IMA.
Signature verification of V3 signatures is already supported in imaevm_verify_hash() through fsverity's V3 signature support.
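The V3 construction described above, as an added example that is not code from this PR or from ima-evm-utils: it builds the ima_file_id bytes from a file digest and returns either their hash or, for the pure-mode idea, the bytes themselves. The field layout (type byte, algorithm byte, digest truncated to its real length), the enum values, and hashing ima_file_id with the same algorithm as the file digest are assumptions recalled from the Linux kernel headers, not taken from this page; the function names are hypothetical.

```python
import hashlib

# Assumed values from the kernel's enum hash_algo / enum evm_ima_xattr_type.
HASH_ALGO = {"sha1": 2, "sha256": 4, "sha384": 5, "sha512": 6}
EVM_IMA_XATTR_DIGSIG = 0x03
IMA_VERITY_DIGSIG = 0x06


def build_ima_file_id(xattr_type: int, algo: str, file_digest: bytes) -> bytes:
    """Serialize ima_file_id: hash_type, hash_algorithm, then the file digest.

    Only the bytes the digest occupies are emitted; the unused tail of the
    fixed-size hash[] array in the C struct is not part of the signed data.
    """
    if algo not in HASH_ALGO:
        raise ValueError(f"unsupported hash algorithm: {algo}")
    if not 0 <= xattr_type <= 0xFF:
        raise ValueError("xattr type must fit in one byte")
    expected = hashlib.new(algo).digest_size
    if len(file_digest) != expected:
        raise ValueError(f"{algo} digest must be {expected} bytes, got {len(file_digest)}")
    return bytes([xattr_type, HASH_ALGO[algo]]) + file_digest


def v3_data_to_sign(xattr_type: int, algo: str, file_digest: bytes,
                    pure_mode: bool = False) -> bytes:
    """Return what the signing primitive receives for a V3 signature.

    pure_mode=False: the hash of ima_file_id (pre-hashed path).
    pure_mode=True:  the ima_file_id bytes themselves, as the PR description
                     proposes for ML-DSA (hypothetical here).
    """
    file_id = build_ima_file_id(xattr_type, algo, file_digest)
    return file_id if pure_mode else hashlib.new(algo, file_id).digest()


if __name__ == "__main__":
    content = b"constructed sample file content\n"  # constructed input
    digest = hashlib.sha256(content).digest()
    print("v2 signs file digest :", digest.hex())
    for name, t in (("EVM_IMA_XATTR_DIGSIG", EVM_IMA_XATTR_DIGSIG),
                    ("IMA_VERITY_DIGSIG", IMA_VERITY_DIGSIG)):
        print(f"v3 signs ({name}):", v3_data_to_sign(t, "sha256", digest).hex())
```

Because the type byte is inside the signed data, the same file digest yields different values to sign for different xattr types, so a signature made for one type does not verify as another.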