diff options
author | Roberto Sassu <roberto.sassu@huawei.com> | 2021-05-14 18:27:52 +0300 |
---|---|---|
committer | Mimi Zohar <zohar@linux.ibm.com> | 2021-06-01 19:30:51 +0300 |
commit | 026d7fc92a9d629630779c999fe49ecae93f9d63 (patch) | |
tree | e54222a44f2739b05f274e68ed87a84d86e75e97 /Documentation/security | |
parent | 7aa5783d95646f924b99d245338d5b7aa7a2b3c0 (diff) | |
download | linux-026d7fc92a9d629630779c999fe49ecae93f9d63.tar.xz |
ima: Introduce template field evmsig and write to field sig as fallback
With the patch to accept EVM portable signatures when the
appraise_type=imasig requirement is specified in the policy, appraisal can
be successfully done even if the file does not have an IMA signature.
However, remote attestation would not see that a different signature type
was used, as only IMA signatures can be included in the measurement list.
This patch solves the issue by introducing the new template field 'evmsig'
to show EVM portable signatures and by including its value in the existing
field 'sig' if the IMA signature is not found.
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'Documentation/security')
-rw-r--r-- | Documentation/security/IMA-templates.rst | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst index c5a8432972ef..9f3e86ab028a 100644 --- a/Documentation/security/IMA-templates.rst +++ b/Documentation/security/IMA-templates.rst @@ -70,9 +70,11 @@ descriptors by adding their identifier to the format string prefix is shown only if the hash algorithm is not SHA1 or MD5); - 'd-modsig': the digest of the event without the appended modsig; - 'n-ng': the name of the event, without size limitations; - - 'sig': the file signature; + - 'sig': the file signature, or the EVM portable signature if the file + signature is not found; - 'modsig' the appended file signature; - 'buf': the buffer data that was used to generate the hash without size limitations; + - 'evmsig': the EVM portable signature; Below, there is the list of defined template descriptors: |