On Tue, 2026-03-24 at 20:10 -0400, Stefan Berger wrote:
> Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG on RSA, ECDSA,
> ECRDSA, and SM2 signatures.
>
> Signed-off-by: Stefan Berger <[email protected]>
Thanks, Stefan.

IMA makes an exception allowing an EVM signature in lieu of an IMA signature, when there is no IMA signature. If the IMA policy rule requires an IMA sigv3 type signature, then EVM should also require a sigv3 type signature. Currently any EVM signature type suffices.

Testing results:

# EVM v2 type signature, with IMA hash (improperly succeeds)
evmctl sign --imahash -o --hashalgo sha256 --key <key> filename-v2

# EVM v2 type signature, with IMA v2 type signature (fails properly)
evmctl sign --imasig -o --hashalgo sha256 --key <key> filename-v2-imasig

# EVM v3 type signature, with IMA file hash (succeeds)
evmctl sign --v3 --imahash -o --hashalgo sha256 --key <key> filename-v3

# EVM v3 type signature, with IMA v3 type signature (succeeds)
evmctl sign --v3 --imasig -o --hashalgo sha256 --key <key> filename-v3-imasig

Mimi

> --- > security/integrity/digsig_asymmetric.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/security/integrity/digsig_asymmetric.c > b/security/integrity/digsig_asymmetric.c > index 6b21b9bf829e..6e68ec3becbd 100644 > --- a/security/integrity/digsig_asymmetric.c > +++ b/security/integrity/digsig_asymmetric.c > @@ -154,7 +154,8 @@ static int calc_file_id_hash(enum evm_ima_xattr_type type, > size_t file_id_size; > int rc; > > - if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG) > + if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG && > + type != EVM_XATTR_PORTABLE_DIGSIG) > return -EINVAL; > > tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0); > > base-commit: 3fa0dea50084da8279fb4b1175b3a9b4fc16f052
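Review bot: widening the -EINVAL guard in calc_file_id_hash() to admit EVM_XATTR_PORTABLE_DIGSIG enables sigv3 hashing for portable EVM signatures, but nothing in this hunk ties the accepted EVM signature version to the IMA policy: when IMA falls back to the EVM signature, a v2 portable EVM signature carrying only an IMA hash still verifies, which is exactly the "improperly succeeds" case in the test results above. The commit message should say explicitly that this change only makes sigv3 verifiable for EVM_XATTR_PORTABLE_DIGSIG and that requiring a sigv3 EVM signature whenever the IMA policy rule requires sigv3 is addressed separately, or that enforcement should land together with this change so the relaxed type check is not merged without it.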

