authorMimi Zohar <zohar@linux.ibm.com>2026-03-11 04:36:44 +0300
committerMimi Zohar <zohar@linux.ibm.com>2026-04-01 17:16:20 +0300
commit64c658f358ec6ed6e992d4cf05482eaa2ab4b1a4 (patch)
tree617e697dc9120b18e8a0841024ce09f65a66aed5
parentdccfbafb1f34a98898ac685e0f3f86eeaf25ecc6 (diff)
ima: add regular file data hash signature version 3 support
Instead of directly verifying the signature of a file data hash, signature v3 verifies the signature of the ima_file_id structure containing the file data hash. To disambiguate the signature usage, the ima_file_id structure also includes the hash algorithm and the type of data (e.g. regular file hash or fs-verity root hash). Tested-by: Stefan Berger <stefanb@linux.ibm.com> Acked-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-rw-r--r--security/integrity/digsig_asymmetric.c2
-rw-r--r--security/integrity/ima/ima_appraise.c2
2 files changed, 2 insertions, 2 deletions
diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index dc5313746609..6b21b9bf829e 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -154,7 +154,7 @@ static int calc_file_id_hash(enum evm_ima_xattr_type type,
size_t file_id_size;
int rc;
- if (type != IMA_VERITY_DIGSIG)
+ if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG)
return -EINVAL;
tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0);
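Review bot: The widened guard now admits EVM_IMA_XATTR_DIGSIG next to IMA_VERITY_DIGSIG but nothing at the check says why exactly these two types are file-id signatures, so the next reader has to reconstruct it from the commit message; a comment above the `if` would carry that, e.g. `/* Only v3 file-id signatures reach here: they cover regular-file data hashes (EVM_IMA_XATTR_DIGSIG) and fs-verity root hashes (IMA_VERITY_DIGSIG); any other xattr type is rejected. */`. The ima_file_id structure presumably records `type` in the signed data, so a signature produced over one type should not verify against an xattr carrying the other — that binding lives in the rest of calc_file_id_hash, which continues outside this hunk, and is worth confirming there since it is what gives the v3 format its disambiguation value.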
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 5b42307ac254..8f182d808b09 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -297,7 +297,7 @@ static int xattr_verify(enum ima_hooks func, struct ima_iint_cache *iint,
}
sig = (typeof(sig))xattr_value;
- if (sig->version >= 3) {
+ if (sig->version > 3) {
*cause = "invalid-signature-version";
*status = INTEGRITY_FAIL;
break;
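Review bot: The new bound `if (sig->version > 3)` hard-codes the highest accepted signature version as a bare literal, and the same ceiling is now also implied by the type check added to calc_file_id_hash in digsig_asymmetric.c, so a future v4 would have to be threaded through two unrelated literals. A named constant for the maximum supported version, or at minimum a comment such as `/* versions below 3 sign the raw file digest; version 3 signs the ima_file_id structure (see calc_file_id_hash) */`, would keep the two places in step and make the meaning of the number visible at the check. The enclosing switch or loop that the trailing `break` belongs to starts and ends outside the hunk, so whether a `version == 3` signature is then routed to the file-id verification path cannot be confirmed from here.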