mbox series

[v3,ima-evm-utils,0/3] fs-verity file signature support

Message ID 20220520161103.373554-1-zohar@linux.ibm.com (mailing list archive)
Headers show
Series fs-verity file signature support | expand

Message

Mimi Zohar May 20, 2022, 4:11 p.m. UTC 
Extend the existing file list digest signing and the IMA measurement
list file signature verification to support the new sigv3 format
version.  Neither file digest signing nor signature verification
require calculating the fs-verity file digest.

evmctl examples of signing fs-verity file hashes and verifying the
fs-verity file signatures are included the respective patch
description.

Changelog v3:

- Refactor the existing file hash signing function so that both
signature format version 2 and 3 may use it.  Signature v2 directly
signs the file hash, while signature v3 indirectly signs the file hash.

- Addressed Stefan Berger's comments: properly clear errno, properly
limit the hash algorithm name size to address an out of bounds error.
Instead of allowing the maximum hash algorithm name size, use the
current fs-verity supported maximum hash algorithm size.

- Based on Eric Bigger's recommendation of using "fsverity digest"
instead of "fsverity measure", replaced all references.


Mimi Zohar (3):
  Reset 'errno' after failure to open or access a file
  Sign an fs-verity file digest
  Verify an fs-verity file digest based signature

 README          |   3 +-
 src/evmctl.c    | 126 ++++++++++++++++++++++++++++++------
 src/imaevm.h    |   5 +-
 src/libimaevm.c | 166 ++++++++++++++++++++++++++++++++++++++++++++----
 src/utils.c     |   5 +-
 5 files changed, 272 insertions(+), 33 deletions(-)