Instead of directly verifying the signature of a file data hash, signature v3 verifies the signature of the ima_file_id structure containing the file data hash.
To disambiguate the signature usage, the ima_file_id structure also includes the hash algorithm and the type of data (e.g. regular file hash or fs-verity root hash). Signed-off-by: Mimi Zohar <[email protected]> --- security/integrity/digsig_asymmetric.c | 2 +- security/integrity/ima/ima_appraise.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c index dc5313746609..6b21b9bf829e 100644 --- a/security/integrity/digsig_asymmetric.c +++ b/security/integrity/digsig_asymmetric.c @@ -154,7 +154,7 @@ static int calc_file_id_hash(enum evm_ima_xattr_type type, size_t file_id_size; int rc; - if (type != IMA_VERITY_DIGSIG) + if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG) return -EINVAL; tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0); diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 5b42307ac254..8f182d808b09 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -297,7 +297,7 @@ static int xattr_verify(enum ima_hooks func, struct ima_iint_cache *iint, } sig = (typeof(sig))xattr_value; - if (sig->version >= 3) { + if (sig->version > 3) { *cause = "invalid-signature-version"; *status = INTEGRITY_FAIL; break; -- 2.53.0
