ima: add regular file data hash signature version 3 support
authorMimi Zohar <zohar@linux.ibm.com>
Wed, 11 Mar 2026 01:36:44 +0000 (21:36 -0400)
committerMimi Zohar <zohar@linux.ibm.com>
Wed, 1 Apr 2026 14:16:20 +0000 (10:16 -0400)
Instead of directly verifying the signature of a file data hash,
signature v3 verifies the signature of the ima_file_id structure
containing the file data hash.

To disambiguate the signature usage, the ima_file_id structure also
includes the hash algorithm and the type of data (e.g. regular file
hash or fs-verity root hash).

Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Acked-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
security/integrity/digsig_asymmetric.c
security/integrity/ima/ima_appraise.c

index dc53137466093b613b6d92ad79ede805d0ec0a82..6b21b9bf829e1048f5f7579e8c60332c3fc0edfc 100644 (file)
@@ -154,7 +154,7 @@ static int calc_file_id_hash(enum evm_ima_xattr_type type,
        size_t file_id_size;
        int rc;
 
-       if (type != IMA_VERITY_DIGSIG)
+       if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG)
                return -EINVAL;
 
        tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0);
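Review bot: The widened guard on the `if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG)` line now encodes, without saying so, which xattr types carry a hash wrapped in an ima_file_id, and a reader of calc_file_id_hash alone cannot tell why exactly these two are admitted. A one-line comment above the check would make the contract explicit, e.g. `/* Only fs-verity signatures and v3 regular-file signatures sign an ima_file_id. */`, with "v3" taken from the commit description since the version handling itself is not in this function. If more xattr types are expected to join this set, a switch on type would read better than a growing conjunction, but that is a style preference. calc_file_id_hash begins before this hunk, so the use of type when filling the ima_file_id is not visible here.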
index 5b42307ac25418a61c81fd00ff25f7120517aadb..8f182d808b096d7f03b6b64222ede7afb0d16d79 100644 (file)
@@ -297,7 +297,7 @@ static int xattr_verify(enum ima_hooks func, struct ima_iint_cache *iint,
                }
 
                sig = (typeof(sig))xattr_value;
-               if (sig->version >= 3) {
+               if (sig->version > 3) {
                        *cause = "invalid-signature-version";
                        *status = INTEGRITY_FAIL;
                        break;
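Review bot: The literal `3` on the changed line `if (sig->version > 3) {` is now the single place that defines the highest accepted signature version, yet nothing in the hunk ties it to the code that actually dispatches a version-3 signature to the ima_file_id verification path. Naming it, for example as a proposed `IMA_SIG_VERSION_MAX` constant defined next to the version handling, or at least adding `/* v3 signs an ima_file_id rather than the bare file hash */` above the check, would keep this bound and the dispatch from drifting apart when a version 4 appears. I am inferring the dispatch exists elsewhere in this function from the commit message; the rest of xattr_verify, including that branch, lies outside the hunk.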