On Tue, Mar 24, 2026 at 04:39:26PM -0400, Mimi Zohar wrote:
> IMA signature version 3 (sigv3) support was introduced to avoid file
> signature ambiguity. Instead of directly signing a raw fs-verity hash,
> IMA signs the hash of ima_file_id structure, containing the type of
> signature, the hash algorithm, and the hash.
>
> Pure ML-DSA calculates and signs the hash directly rather than a
> pre-hashed digest. To avoid ML-DSA having to re-calculate the file data
> hash, Eric Biggers suggested signing the smaller ima_file_id structure.
>
> This patch set adds the sigv3 support for regular file data hashes. A
> subsequent patch set will add the ML-DSA support.

This explanation is a bit confusing, since this is actually needed
regardless of ML-DSA support. Anyway, it's still the right thing to do.

Acked-by: Eric Biggers <[email protected]>

- Eric
