diff options
author | Mimi Zohar <zohar@linux.ibm.com> | 2021-06-03 10:12:36 -0400 |
---|---|---|
committer | Mimi Zohar <zohar@linux.ibm.com> | 2021-06-03 10:12:36 -0400 |
commit | dc0983f2f9b6a9a9abe575a7ae15f873da694887 (patch) | |
tree | 8310bbf6e53319a037ced2757fa30d4243338536 /Documentation/security | |
parent | 5a25d8ceb8611c06797b74e22d04af2b9fefd130 (diff) | |
parent | d721c15fd519c08819fbc6de39b713e2ed1d9894 (diff) |
Merge branch 'verify-evm-portable-sig-v2' into next-integrity
From the cover letter:
The recent patch set 'evm: Improve usability of portable signatures' added
the possibility to include EVM portable signatures in the IMA measurement
list.
However, the information necessary to verify the signature were not
included in the IMA measurement list. This patch set introduces new
template fields to accomplish this goal:
- 'iuid': the inode UID;
- 'igid': the inode GID;
- 'imode': the inode mode;
- 'xattrnames': a list of xattr names (separated by |), only if the xattr is
present;
- 'xattrlengths': a list of xattr lengths (u32), only if the xattr is present;
- 'xattrvalues': a list of xattr values;
Patch 1 adds an helper function to show integers in the measurement list.
Patches 2, 3 and 5 introduce new template fields. Patch 4 make it possible
to verify EVM portable signatures which protect xattrs belonging to LSMs
not enabled in the target platform. Patch 6 introduces the new IMA template
evm-sig. Patch 7 fixes a small issue in evm_write_xattrs() when audit is
not enabled.
Link: https://lore.kernel.org/linux-integrity/20210528073812.407936-1-roberto.sassu@huawei.com/
Diffstat (limited to 'Documentation/security')
-rw-r--r-- | Documentation/security/IMA-templates.rst | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst index 9f3e86ab028a..5adc22f99496 100644 --- a/Documentation/security/IMA-templates.rst +++ b/Documentation/security/IMA-templates.rst @@ -75,6 +75,13 @@ descriptors by adding their identifier to the format string - 'modsig' the appended file signature; - 'buf': the buffer data that was used to generate the hash without size limitations; - 'evmsig': the EVM portable signature; + - 'iuid': the inode UID; + - 'igid': the inode GID; + - 'imode': the inode mode; + - 'xattrnames': a list of xattr names (separated by |), only if the xattr is + present; + - 'xattrlengths': a list of xattr lengths (u32), only if the xattr is present; + - 'xattrvalues': a list of xattr values; Below, there is the list of defined template descriptors: @@ -84,6 +91,7 @@ Below, there is the list of defined template descriptors: - "ima-sig": its format is ``d-ng|n-ng|sig``; - "ima-buf": its format is ``d-ng|n-ng|buf``; - "ima-modsig": its format is ``d-ng|n-ng|sig|d-modsig|modsig``; + - "evm-sig": its format is ``d-ng|n-ng|evmsig|xattrnames|xattrlengths|xattrvalues|iuid|igid|imode``; Use |