lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <329b719e7fe302a9fa13325687061634a8d99977.camel@linux.ibm.com>
Date:   Tue, 08 Feb 2022 09:57:17 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Eric Biggers <ebiggers@...nel.org>
Cc:     linux-integrity@...r.kernel.org,
        Stefan Berger <stefanb@...ux.ibm.com>,
        linux-fscrypt@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4 0/8] ima: support fs-verity digests and signatures

On Mon, 2022-02-07 at 21:50 -0800, Eric Biggers wrote:
> On Mon, Feb 07, 2022 at 08:41:32PM -0500, Mimi Zohar wrote:
> > Support for including fs-verity file digests and signatures in the IMA
> > measurement list as well as verifying the fs-verity file digest based
> > signatures, both based on IMA policy rules, was discussed prior to
> > fs-verity being upstreamed[1,2].
> > 
> > Support for including fs-verity file digests in the 'd-ng' template field
> > is based on a new policy rule option named 'digest_type=verity'.  A new
> > template field named 'd-type' as well as a new template named 'ima-ngv2'
> > are defined to differentiate between the regular IMA file hashes from the
> > fs-verity file digests (tree-hash based file hashes) stored in the 'd-ng'
> > template field.
> > 
> > Support for verifying fs-verity based file signatures stored in the
> > 'security.ima' xattr is similarly based on the policy rule option
> > 'digest_type=verity'.
> > 
> > To differentiate IMA from fs-verity file signatures a new xattr_type
> > named IMA_VERITY_DIGSIG is defined.  Signature version 3, which is a hash
> > of the ima_file_id struct, disambiguates the signatures stored as
> > 'security.ima' xattr.  fs-verity only supports the new signature format
> > (version 3).  To prevent abuse of the different signature formats, policy
> > rules must be limited to a specific signature version.
> > 
> > [1] https://events19.linuxfoundation.org/wp-content/uploads/2017/11/fs-verify_Mike-Halcrow_Eric-Biggers.pdf
> > [2] Documentation/filesystems/fsverity.rst
> 
> What does this patchset apply to?  I'm no longer able to apply it.  I tried
> both v5.17-rc3, and the next-integrity branch of
> https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git.

Just refreshed 'next-integrity' now.

-- 
thanks,

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ