Add support for V3 signatures for EVM & IMA for all supported key types #29

Open

stefanberger wants to merge 10 commits into linux-integrity:next-testing from stefanberger:v3-for-all-schemes

Conversation

stefanberger (Contributor) commented Feb 27, 2026

This PR adds support for the V3 signatures for EVM & IMA for all supported key types. It implements an imaevm_create_sigv3() library function that takes the file hash as input and creates the hash of the ima_file_id needed for V3 signatures.

Add a few test cases for V3 signature creation and verification to sign_verify.test.

Later on, inside this function, we will check whether the signing key is an ML-DSA key and pass the ima_file_id structure to ML-DSA pure-mode signing saving the cycles for hashing this structure. Avoiding the hashing here will also save cycles when being able to avoid the hashing upon signature verification in Linux IMA.

Signature verification of V3 signatures is already supported in imaevm_verify_hash() through fsverify's V3 signature support.

stefanberger force-pushed the v3-for-all-schemes branch 3 times, most recently from e72e058 to 7d62b78 on March 1, 2026 05:21

stefanberger changed the title from "Add support for V3 signatures for IMA for all supported key types" to "Add support for V3 signatures for EVM & IMA for all supported key types" on Mar 1, 2026
    xattr_type = EVM_IMA_XATTR_DIGSIG;

    if (evm_immutable)
        sig[1] = 3; /* immutable signature version */
stefanberger (Contributor Author) commented on this line:

I am not sure why this was '3'.

stefanberger force-pushed the v3-for-all-schemes branch 2 times, most recently from 779d7d2 to b31cbaa on March 6, 2026 14:07

stefanberger force-pushed the v3-for-all-schemes branch 2 times, most recently from c0fbd1e to 8a6d276 on March 12, 2026 19:59

stefanberger force-pushed the v3-for-all-schemes branch 2 times, most recently from 109314f to b765770 on March 24, 2026 16:09
Use EVP_PKEY_free to fix a memory leak that occurs when using free() on the
key field of public_key_entry that is a pointer to an EVP_PKEY.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Avoid a memory leak of a public_key_entry if the passed public_keys
pointer is NULL because in this case the entry is lost. For this particular
case to work we would need public keys to be passed in as
'struct public_key_entry **public_keys' so that '*public_keys = entry'
could be assigned. However, this change would propagate all the way to the
API of the library and we don't want to change existing functions'
signature.

This change should not have any noticeable side-effect since the resolved
case did not work before but the newly allocated entry was lost.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Implement imaevm_create_sigv3 that creates v3 signatures. This function
will now also allocate a buffer if the caller did not provide one.
Further, it will write the full signature into the signature buffer,
including the leading xattr type byte.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Add support for creating IMA signatures with the V3 signing scheme.
Introduce a global variable that states which signing scheme to
use and for now set it to SIGNATURE_V2. Implement the SIGNATURE_V3
case where necessary for IMA.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Add support for creating EVM signatures with the V3 signing scheme.
Implement the SIGNATURE_V3 case where necessary for EVM.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Enable both IMA and EVM file signatures with a new --v3 option that sets
the previously introduced global variable that states which signature
version to use.

Similarly, introduce a --v2 option for users to (already) choose old V2
type of signatures.

Update the README with the dump of the evmctl help screen and mention
v3 signature format that is expected for Linux 7.1.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Convert the code that built the fsverity signature with V3 signing scheme
to use the new imaevm_create_sigv3 function.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Add the new --v3 option to the sign_verify test cases.

For --v3, adjust openssl signature verification to build an ima_file_id
structure in a file that is then used for signature verification rather
than the plain file (as before).

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

To enable sigv3 signature verification for EVM portable signatures, allow
signature verification on EVM_XATTR_PORTABLE_DIGSIG type of xattrs
with sigv3.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

To enable sigv3 for EVM portable signatures, enable hashing for sigv3 for
EVM_XATTR_PORTABLE_DIGSIG.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
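The difference between the V2 and V3 schemes described in the PR text and in the sign_verify commit above (V2 signs the bare file hash, V3 signs the hash of an ima_file_id built from the file hash, and the xattr carries the version in its second byte) is shown here as an added Python example; it is not code from ima-evm-utils or this PR. It assumes the kernel's existing struct layouts (ima_file_id: hash_type, hash_algorithm, hash; signature_v2_hdr: type, version, hash_algo, big-endian keyid and sig_size), and since the page does not give the hash_type byte Linux 7.1 will use for non-fsverity V3 signatures, the existing fsverity value IMA_VERITY_DIGSIG is used as a placeholder.

```python
import hashlib
import struct

# Values from the kernel's enum evm_ima_xattr_type and enum hash_algo.
# IMA_VERITY_DIGSIG is an assumption for the hash_type byte; the page
# does not state which value the Linux 7.1 V3 scheme uses for IMA/EVM.
EVM_IMA_XATTR_DIGSIG = 2
IMA_VERITY_DIGSIG = 5
HASH_ALGO_ID = {"sha256": 4, "sha384": 5, "sha512": 6}
HDR_FMT = ">BBBIH"  # type, version, hash_algo, be32 keyid, be16 sig_size
HDR_LEN = struct.calcsize(HDR_FMT)


def build_ima_file_id(hash_type, algo_name, file_digest):
    """Serialize struct ima_file_id as the kernel hashes it: hash_type,
    hash_algorithm and only the digest bytes actually used (no padding)."""
    if len(file_digest) != hashlib.new(algo_name).digest_size:
        raise ValueError("digest length does not match " + algo_name)
    return bytes([hash_type, HASH_ALGO_ID[algo_name]]) + file_digest


def sigv3_signing_digest(hash_type, algo_name, file_digest):
    """V3: the key signs hash(ima_file_id), not the bare file hash."""
    file_id = build_ima_file_id(hash_type, algo_name, file_digest)
    return hashlib.new(algo_name, file_id).digest()


def build_signature_xattr(xattr_type, version, algo_name, keyid, raw_sig):
    """Full xattr value including the leading type byte; byte 1 is version."""
    hdr = struct.pack(HDR_FMT, xattr_type, version,
                      HASH_ALGO_ID[algo_name], keyid, len(raw_sig))
    return hdr + raw_sig


def parse_signature_xattr(blob):
    """Split a signature xattr into header fields and the raw signature."""
    if len(blob) < HDR_LEN:
        raise ValueError("signature xattr shorter than its header")
    xattr_type, version, algo_id, keyid, sig_size = struct.unpack(
        HDR_FMT, blob[:HDR_LEN])
    if len(blob) != HDR_LEN + sig_size or version not in (2, 3):
        raise ValueError("malformed or unsupported signature xattr")
    return {"type": xattr_type, "version": version, "hash_algo": algo_id,
            "keyid": keyid, "sig": blob[HDR_LEN:]}


def digest_to_verify(hdr, hash_type, file_digest):
    """Return the digest a verifier must check the signature against:
    the file hash itself for V2, hash(ima_file_id) for V3."""
    algo_name = {v: k for k, v in HASH_ALGO_ID.items()}[hdr["hash_algo"]]
    if hdr["version"] == 2:
        return file_digest
    return sigv3_signing_digest(hash_type, algo_name, file_digest)
```

Writing the bytes returned by build_ima_file_id() to a file is what lets a plain "openssl dgst -verify" check a V3 signature, as the sign_verify commit describes.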