]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 254f496)
ima: Fix sigv3 signature handling for EVM_IMA_XATTR_DIGSIG
authorKamlesh Kumar <kamlesh0hrs@gmail.com>
Fri, 24 Apr 2026 11:39:46 +0000 (17:09 +0530)
committerMimi Zohar <zohar@linux.ibm.com>
Mon, 27 Apr 2026 11:24:07 +0000 (07:24 -0400)
ima_get_hash_algo() only recognizes version 2 signatures when the xattr
type is EVM_IMA_XATTR_DIGSIG. Since sigv3 signatures also use
EVM_IMA_XATTR_DIGSIG as the xattr type, version 3 must be accepted as
well to correctly determine the hash algorithm.

Additionally, ima_validate_rule() does not include IMA_SIGV3_REQUIRED in
the allowed flags bitmask for MODULE_CHECK, KEXEC_KERNEL_CHECK, and
KEXEC_INITRAMFS_CHECK hook functions. As a result, policy rules with
"appraise_type=sigv3" are rejected for these functions.

Add version 3 to the accepted versions in ima_get_hash_algo() for
EVM_IMA_XATTR_DIGSIG, and add IMA_SIGV3_REQUIRED to the allowed flags
for MODULE_CHECK, KEXEC_KERNEL_CHECK, and KEXEC_INITRAMFS_CHECK in
ima_validate_rule().

Signed-off-by: Kamlesh Kumar <kam@juniper.net>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Fixes: de4c44a7f559 ("ima: add support to require IMA sigv3 signatures")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
security/integrity/ima/ima_appraise.c patch | blob | blame | history
security/integrity/ima/ima_policy.c patch | blob | blame | history

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index de963b9f3634470bc79145ad13f602c35c20a00e..2dd231567710a5e5ef80abdb8d183e07ad2218b0 100644 (file)
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -195,8 +195,9 @@ enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value,
                return sig->hash_algo;
        case EVM_IMA_XATTR_DIGSIG:
                sig = (typeof(sig))xattr_value;
-               if (sig->version != 2 || xattr_len <= sizeof(*sig)
-                   || sig->hash_algo >= HASH_ALGO__LAST)
+               if ((sig->version != 2 && sig->version != 3) ||
+                   xattr_len <= sizeof(*sig) ||
+                   sig->hash_algo >= HASH_ALGO__LAST)
                        return ima_hash_algo;
                return sig->hash_algo;
        case IMA_XATTR_DIGEST_NG:
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index f7f940a7692234d447fdb99e3a75695e5bb57674..b1c010e8eb138798bc955af467773c7020875365 100644 (file)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1313,7 +1313,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
                                     IMA_GID | IMA_EGID |
                                     IMA_FGROUP | IMA_DIGSIG_REQUIRED |
                                     IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED |
-                                    IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS))
+                                    IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS |
+                                    IMA_SIGV3_REQUIRED))
                        return false;
 
                break;
A mirror of Linus' kernel repository