IMA signature version 3 (sigv3) support was introduced to avoid file signature ambiguity. Instead of directly signing a raw fs-verity hash, IMA signs the hash of ima_file_id structure, containing the type of signature, the hash algorithm, and the hash.
Pure ML-DSA calculates and signs the hash directly rather than a pre-hashed digest. To avoid ML-DSA having to re-calculate the file data hash, Eric Biggers suggested signing the smaller ima_file_id structure. This patch set adds the sigv3 support for regular file data hashes. A subsequent patch set will add the ML-DSA support. Mimi Zohar (3): ima: Define asymmetric_verify_v3() to verify IMA sigv3 signatures ima: add regular file data hash signature version 3 support ima: add support to require IMA sigv3 signatures Documentation/ABI/testing/ima_policy | 10 ++-- security/integrity/digsig.c | 8 +-- security/integrity/digsig_asymmetric.c | 58 +++++++++++++++++++++ security/integrity/evm/evm_main.c | 3 +- security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_appraise.c | 72 ++++++++------------------ security/integrity/ima/ima_policy.c | 22 ++++---- security/integrity/integrity.h | 14 ++++- 8 files changed, 115 insertions(+), 73 deletions(-) -- 2.53.0
