On Wed, 2026-03-25 at 13:37 -0400, Stefan Berger wrote:
> 
> On 3/25/26 10:56 AM, Mimi Zohar wrote:
> > On Tue, 2026-03-24 at 20:10 -0400, Stefan Berger wrote:
> > > Allow sigv3 verification on EVM_XATTR_PORTABLE_DIGSIG on RSA, ECDSA,
> > > ECRDSA, and SM2 signatures.
> > > 
> > > Signed-off-by: Stefan Berger <[email protected]>
> > 
> > Thanks, Stefan.
> > 
> > IMA makes an exception allowing an EVM signature in lieu of an IMA
> > signature, when there is no IMA signature. If the IMA policy rule
> > requires an IMA sigv3 type signature, then EVM should also require a
> > sigv3 type signature.
> > 
> > Currently any EVM signature type suffices.
> 
> Agreed, though it seems to be a problem that also exists with EVM
> non-portable signature, which should have a check. I cannot create them
> easily in my environment, so I cannot test with them.
> 
> Passing the flags from IMA into EVM is easy. What is a bit more
> challenging is the evm_verify_current_integrity code path...
I've queued this patch in next-integrity-testing with the other sigv3
patches, since enforcing EVM sigv3 should be upstreamed as a separate patch.

thanks,

Mimi

