summaryrefslogtreecommitdiffstats
path: root/Documentation/security/IMA-templates.rst
diff options
context:
space:
mode:
authorRoberto Sassu <roberto.sassu@huawei.com>2021-05-14 17:27:52 +0200
committerMimi Zohar <zohar@linux.ibm.com>2021-06-01 18:30:51 +0200
commit026d7fc92a9d629630779c999fe49ecae93f9d63 (patch)
treee54222a44f2739b05f274e68ed87a84d86e75e97 /Documentation/security/IMA-templates.rst
parentima: Allow imasig requirement to be satisfied by EVM portable signatures (diff)
downloadlinux-026d7fc92a9d629630779c999fe49ecae93f9d63.tar.xz
linux-026d7fc92a9d629630779c999fe49ecae93f9d63.zip
ima: Introduce template field evmsig and write to field sig as fallback
With the patch to accept EVM portable signatures when the appraise_type=imasig requirement is specified in the policy, appraisal can be successfully done even if the file does not have an IMA signature. However, remote attestation would not see that a different signature type was used, as only IMA signatures can be included in the measurement list. This patch solves the issue by introducing the new template field 'evmsig' to show EVM portable signatures and by including its value in the existing field 'sig' if the IMA signature is not found. Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'Documentation/security/IMA-templates.rst')
-rw-r--r--Documentation/security/IMA-templates.rst4
1 files changed, 3 insertions, 1 deletions
diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst
index c5a8432972ef..9f3e86ab028a 100644
--- a/Documentation/security/IMA-templates.rst
+++ b/Documentation/security/IMA-templates.rst
@@ -70,9 +70,11 @@ descriptors by adding their identifier to the format string
prefix is shown only if the hash algorithm is not SHA1 or MD5);
- 'd-modsig': the digest of the event without the appended modsig;
- 'n-ng': the name of the event, without size limitations;
- - 'sig': the file signature;
+ - 'sig': the file signature, or the EVM portable signature if the file
+ signature is not found;
- 'modsig' the appended file signature;
- 'buf': the buffer data that was used to generate the hash without size limitations;
+ - 'evmsig': the EVM portable signature;
Below, there is the list of defined template descriptors: