On Mon, 2026-04-27 at 18:27 +0530, Kamlesh Kumar wrote: > On 3/24/26 4:39 PM, Mimi Zohar wrote: > > IMA signature version 3 (sigv3) support was introduced to avoid file > > signature ambiguity. Instead of directly signing a raw fs-verity hash, > > IMA signs the hash of ima_file_id structure, containing the type of > > signature, the hash algorithm, and the hash. > > > > Pure ML-DSA calculates and signs the hash directly rather than a > > pre-hashed digest. To avoid ML-DSA having to re-calculate the file data > > hash, Eric Biggers suggested signing the smaller ima_file_id structure. > > > > This patch set adds the sigv3 support for regular file data hashes. A > > subsequent patch set will add the ML-DSA support. > > > > Mimi Zohar (3): > > ima: Define asymmetric_verify_v3() to verify IMA sigv3 signatures > > ima: add regular file data hash signature version 3 support > > ima: add support to require IMA sigv3 signatures > > > > Documentation/ABI/testing/ima_policy | 10 ++-- > > security/integrity/digsig.c | 8 +-- > > security/integrity/digsig_asymmetric.c | 58 +++++++++++++++++++++ > > security/integrity/evm/evm_main.c | 3 +- > > security/integrity/ima/ima.h | 1 + > > security/integrity/ima/ima_appraise.c | 72 ++++++++------------------ > > security/integrity/ima/ima_policy.c | 22 ++++---- > > security/integrity/integrity.h | 14 ++++- > > 8 files changed, 115 insertions(+), 73 deletions(-) > > > > -- > > 2.53.0 > > > > I have tested this series along with Stefan's ML-DSA patches [1] and an > additional fix [2] for ima_get_hash_algo(). > With all patches applied, I am able to successfully sign files with > ML-DSA-65 and verify IMA sigv3 signatures during appraisal. > > [1] > https://lore.kernel.org/linux-integrity/[email protected]/ > [2] > https://lore.kernel.org/linux-integrity/[email protected]/ > > Tested-by: Kamlesh Kumar <[email protected]>
Thanks, Kamlesh! I'd appreciate re-testing with the v3 version now queued in next-integrity- testing https://lore.kernel.org/linux-integrity/[email protected] ? Mimi
