[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f1e16fe91bd80437ea2cf9ed60c40a3687fa0e40.camel@linux.ibm.com>
Date: Tue, 11 May 2021 18:12:23 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Roberto Sassu <roberto.sassu@...wei.com>, mjg59@...gle.com
Cc: linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v6 10/11] ima: Introduce template field evmsig and write
to field sig as fallback
Hi Roberto,
On Wed, 2021-05-05 at 13:33 +0200, Roberto Sassu wrote:
> With the patch to accept EVM portable signatures when the
> appraise_type=imasig requirement is specified in the policy, appraisal can
> be successfully done even if the file does not have an IMA signature.
>
> However, remote attestation would not see that a different signature type
> was used, as only IMA signatures can be included in the measurement list.
> This patch solves the issue by introducing the new template field 'evmsig'
> to show EVM portable signatures and by including its value in the existing
> field 'sig' if the IMA signature is not found.
With this patch, instead of storing the file data signature, the file
metadata signature is stored in the IMA measurement list, as designed.
There's a minor problem. Unlike the file data signature, the
measurement list record does not contain all the information needed to
verify the file metadata signature.
thanks,
Mimi
Powered by blists - more mailing lists