On 3/24/26 4:39 PM, Mimi Zohar wrote: > IMA signature version 3 (sigv3) support was introduced to avoid file > signature ambiguity. Instead of directly signing a raw fs-verity hash, > IMA signs the hash of ima_file_id structure, containing the type of > signature, the hash algorithm, and the hash. > > Pure ML-DSA calculates and signs the hash directly rather than a > pre-hashed digest. To avoid ML-DSA having to re-calculate the file data > hash, Eric Biggers suggested signing the smaller ima_file_id structure. > > This patch set adds the sigv3 support for regular file data hashes. A > subsequent patch set will add the ML-DSA support. > > Mimi Zohar (3): > ima: Define asymmetric_verify_v3() to verify IMA sigv3 signatures > ima: add regular file data hash signature version 3 support > ima: add support to require IMA sigv3 signatures > > Documentation/ABI/testing/ima_policy | 10 ++-- > security/integrity/digsig.c | 8 +-- > security/integrity/digsig_asymmetric.c | 58 +++++++++++++++++++++ > security/integrity/evm/evm_main.c | 3 +- > security/integrity/ima/ima.h | 1 + > security/integrity/ima/ima_appraise.c | 72 ++++++++------------------ > security/integrity/ima/ima_policy.c | 22 ++++---- > security/integrity/integrity.h | 14 ++++- > 8 files changed, 115 insertions(+), 73 deletions(-) > > -- > 2.53.0 >
I have tested this series along with Stefan's ML-DSA patches [1] and an additional fix [2] for ima_get_hash_algo(). With all patches applied, I am able to successfully sign files with ML-DSA-65 and verify IMA sigv3 signatures during appraisal. [1] https://lore.kernel.org/linux-integrity/[email protected]/ [2] https://lore.kernel.org/linux-integrity/[email protected]/ Tested-by: Kamlesh Kumar <[email protected]>
