summaryrefslogtreecommitdiff
path: root/Documentation/security
diff options
context:
space:
mode:
authorRoberto Sassu <roberto.sassu@huawei.com>2021-05-14 18:27:52 +0300
committerMimi Zohar <zohar@linux.ibm.com>2021-06-01 19:30:51 +0300
commit026d7fc92a9d629630779c999fe49ecae93f9d63 (patch)
treee54222a44f2739b05f274e68ed87a84d86e75e97 /Documentation/security
parent7aa5783d95646f924b99d245338d5b7aa7a2b3c0 (diff)
downloadlinux-026d7fc92a9d629630779c999fe49ecae93f9d63.tar.xz
ima: Introduce template field evmsig and write to field sig as fallback
With the patch to accept EVM portable signatures when the appraise_type=imasig requirement is specified in the policy, appraisal can be successfully done even if the file does not have an IMA signature. However, remote attestation would not see that a different signature type was used, as only IMA signatures can be included in the measurement list. This patch solves the issue by introducing the new template field 'evmsig' to show EVM portable signatures and by including its value in the existing field 'sig' if the IMA signature is not found. Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'Documentation/security')
-rw-r--r--Documentation/security/IMA-templates.rst4
1 files changed, 3 insertions, 1 deletions
diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst
index c5a8432972ef..9f3e86ab028a 100644
--- a/Documentation/security/IMA-templates.rst
+++ b/Documentation/security/IMA-templates.rst
@@ -70,9 +70,11 @@ descriptors by adding their identifier to the format string
prefix is shown only if the hash algorithm is not SHA1 or MD5);
- 'd-modsig': the digest of the event without the appended modsig;
- 'n-ng': the name of the event, without size limitations;
- - 'sig': the file signature;
+ - 'sig': the file signature, or the EVM portable signature if the file
+ signature is not found;
- 'modsig' the appended file signature;
- 'buf': the buffer data that was used to generate the hash without size limitations;
+ - 'evmsig': the EVM portable signature;
Below, there is the list of defined template descriptors: