bybrooklyn/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-04-18 06:44:00 -04:00
Code Issues Packages Projects Releases Wiki Activity

evm: Enforce signatures version 3 with new EVM policy 'bit 3'

Browse Source 
Enable the configuration of EVM so that it requires that asymmetric
signatures it accepts are of version 3 (sigv3). To enable this, introduce
bit 3 (value 0x0008) that the user may write to EVM's securityfs policy
configuration file 'evm' for sigv3 enforcement.

Mention bit 3 in the documentation.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Stefan Berger
2026-03-25 17:33:49 -04:00
committed by Mimi Zohar
parent bab8e90bca
commit 82bbd44719
3 changed files with 17 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
Documentation/ABI/testing/evm
View File

@@ -26,6 +26,7 @@ Description:
2 Permit modification of EVM-protected metadata at 2 Permit modification of EVM-protected metadata at
runtime. Not supported if HMAC validation and runtime. Not supported if HMAC validation and
creation is enabled (deprecated). creation is enabled (deprecated).
3 Require asymmetric signatures to be version 3
31 Disable further runtime modification of EVM policy 31 Disable further runtime modification of EVM policy
=== ================================================== === ==================================================

3
security/integrity/evm/evm.h
View File

@@ -20,11 +20,12 @@
#define EVM_INIT_HMAC 0x0001 #define EVM_INIT_HMAC 0x0001
#define EVM_INIT_X509 0x0002 #define EVM_INIT_X509 0x0002
#define EVM_ALLOW_METADATA_WRITES 0x0004 #define EVM_ALLOW_METADATA_WRITES 0x0004
#define EVM_SIGV3_REQUIRED 0x0008
#define EVM_SETUP_COMPLETE 0x80000000 /* userland has signaled key load */ #define EVM_SETUP_COMPLETE 0x80000000 /* userland has signaled key load */
#define EVM_KEY_MASK (EVM_INIT_HMAC | EVM_INIT_X509) #define EVM_KEY_MASK (EVM_INIT_HMAC | EVM_INIT_X509)
#define EVM_INIT_MASK (EVM_INIT_HMAC | EVM_INIT_X509 | EVM_SETUP_COMPLETE | \ #define EVM_INIT_MASK (EVM_INIT_HMAC | EVM_INIT_X509 | EVM_SETUP_COMPLETE | \
EVM_ALLOW_METADATA_WRITES) EVM_ALLOW_METADATA_WRITES | EVM_SIGV3_REQUIRED)
struct xattr_list { struct xattr_list {
struct list_head list; struct list_head list;

14
security/integrity/evm/evm_main.c
View File

@@ -136,6 +136,14 @@ static bool evm_hmac_disabled(void)
return true; return true;
} }
static bool evm_sigv3_required(void)
{
if (evm_initialized & EVM_SIGV3_REQUIRED)
return true;
return false;
}
static int evm_find_protected_xattrs(struct dentry *dentry) static int evm_find_protected_xattrs(struct dentry *dentry)
{ {
struct inode *inode = d_backing_inode(dentry); struct inode *inode = d_backing_inode(dentry);
@@ -258,6 +266,12 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
} }
hdr = (struct signature_v2_hdr *)xattr_data; hdr = (struct signature_v2_hdr *)xattr_data;
if (evm_sigv3_required() && hdr->version != 3) {
evm_status = INTEGRITY_FAIL;
goto out;
}
digest.hdr.algo = hdr->hash_algo; digest.hdr.algo = hdr->hash_algo;
rc = evm_calc_hash(dentry, xattr_name, xattr_value, rc = evm_calc_hash(dentry, xattr_name, xattr_value,
xattr_value_len, xattr_data->type, &digest, xattr_value_len, xattr_data->type, &digest,