On Tue, Mar 24, 2026 at 04:39:27PM -0400, Mimi Zohar wrote: > + * IMA signature version 3 disambiguates the data that is signed by > + * indirectly signing the hash of the ima_file_id structure data.
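Review bot: "disambiguates the data that is signed" in the first added comment line does not say what the ambiguity is or how it is removed. Consider naming in the comment which parts of the ima_file_id structure provide the disambiguation, so the reason for signing the structure is clear without looking up its definition.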
The right way to think about it is that it's the ima_file_id itself that is being signed and verified, and taking the hash of it is only a workaround for legacy algorithms that can only sign and verify hashes. With modern algorithms like Ed25519 and ML-DSA that accept arbitrary-length messages, that workaround won't be needed.

- Eric
