ima: add support to require IMA sigv3 signatures

Defining a policy rule with the "appraise_type=imasig" option allows either v2 or v3 signatures. Defining an IMA appraise rule with the "appraise_type=sigv3" option requires a file sigv3 signature. Define a new appraise type: IMA_SIGV3_REQUIRED Example: appraise func=BPRM_CHECK appraise_type=sigv3 Tested-by: Stefan Berger <stefanb@linux.ibm.com> Acked-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2026-04-18 06:44:00 -04:00 · 2026-03-10 09:16:25 -04:00
parent 64c658f358
commit de4c44a7f5
4 changed files with 24 additions and 16 deletions
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -53,10 +53,7 @@ Description:
 			    where 'imasig' is the original or the signature
 				format v2.
 			    where 'modsig' is an appended signature,
-			    where 'sigv3' is the signature format v3. (Currently
-				limited to fsverity digest based signatures
-				stored in security.ima xattr. Requires
-				specifying "digest_type=verity" first.)
+			    where 'sigv3' is the signature format v3.

 			appraise_flag:= [check_blacklist] (deprecated)
 			Setting the check_blacklist flag is no longer necessary.
@@ -186,6 +183,11 @@ Description:
 			appraise func=BPRM_CHECK digest_type=verity \
 				appraise_type=sigv3

+		Example of a regular IMA file hash 'appraise' rule requiring
+		signature version 3 format stored in security.ima xattr.
+
+			appraise func=BPRM_CHECK appraise_type=sigv3
+
 		All of these policy rules could, for example, be constrained
 		either based on a filesystem's UUID (fsuuid) or based on LSM
 		labels.