RE: [PATCH v6 10/11] ima: Introduce template field evmsig and write to field sig as fallback
From: Roberto Sassu
Date: Wed May 12 2021 - 06:55:38 EST
> From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx]
> Sent: Wednesday, May 12, 2021 12:12 AM
> Hi Roberto,
>
> On Wed, 2021-05-05 at 13:33 +0200, Roberto Sassu wrote:
> > With the patch to accept EVM portable signatures when the
> > appraise_type=imasig requirement is specified in the policy, appraisal can
> > be successfully done even if the file does not have an IMA signature.
> >
> > However, remote attestation would not see that a different signature type
> > was used, as only IMA signatures can be included in the measurement list.
> > This patch solves the issue by introducing the new template field 'evmsig'
> > to show EVM portable signatures and by including its value in the existing
> > field 'sig' if the IMA signature is not found.
>
> With this patch, instead of storing the file data signature, the file
> metadata signature is stored in the IMA measurement list, as designed.
> There's a minor problem. Unlike the file data signature, the
> measurement list record does not contain all the information needed to
> verify the file metadata signature.
Ok, we could add new template fields later.
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli
> thanks,
>
> Mimi