diff options
author | Mimi Zohar <zohar@linux.ibm.com> | 2021-12-23 18:29:56 +0100 |
---|---|---|
committer | Mimi Zohar <zohar@linux.ibm.com> | 2022-05-05 17:49:13 +0200 |
commit | 54f03916fb892441f9a9b579db9ad7925cdeb395 (patch) | |
tree | 0fdee8270399ff57636479db46d5d37044373608 /Documentation/security | |
parent | ima: define a new template field named 'd-ngv2' and templates (diff) | |
download | linux-54f03916fb892441f9a9b579db9ad7925cdeb395.tar.xz linux-54f03916fb892441f9a9b579db9ad7925cdeb395.zip |
ima: permit fsverity's file digests in the IMA measurement list
Permit fsverity's file digest (a hash of struct fsverity_descriptor) to
be included in the IMA measurement list, based on the new measurement
policy rule 'digest_type=verity' option.
To differentiate between a regular IMA file hash from an fsverity's
file digest, use the new d-ngv2 format field included in the ima-ngv2
template.
The following policy rule requires fsverity file digests and specifies
the new 'ima-ngv2' template, which contains the new 'd-ngv2' field. The
policy rule may be constrained, for example based on a fsuuid or LSM
label.
measure func=FILE_CHECK digest_type=verity template=ima-ngv2
Acked-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'Documentation/security')
-rw-r--r-- | Documentation/security/IMA-templates.rst | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst index eafc4e34f890..09b5fac38195 100644 --- a/Documentation/security/IMA-templates.rst +++ b/Documentation/security/IMA-templates.rst @@ -67,7 +67,7 @@ descriptors by adding their identifier to the format string - 'n': the name of the event (i.e. the file name), with size up to 255 bytes; - 'd-ng': the digest of the event, calculated with an arbitrary hash algorithm (field format: <hash algo>:digest); - - 'd-ngv2': same as d-ng, but prefixed with the "ima" digest type + - 'd-ngv2': same as d-ng, but prefixed with the "ima" or "verity" digest type (field format: <digest type>:<hash algo>:digest); - 'd-modsig': the digest of the event without the appended modsig; - 'n-ng': the name of the event, without size limitations; |