ima: add regular file data hash signature version 3 support

mimizohar · mimizohar · commit 64c658f358ec · 2026-04-01T10:16:20.000-04:00
Instead of directly verifying the signature of a file data hash,
signature v3 verifies the signature of the ima_file_id structure
containing the file data hash.

To disambiguate the signature usage, the ima_file_id structure also
includes the hash algorithm and the type of data (e.g. regular file
hash or fs-verity root hash).

Tested-by: Stefan Berger &lt;stefanb@linux.ibm.com&gt;
Acked-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
@@ -154,7 +154,7 @@ static int calc_file_id_hash(enum evm_ima_xattr_type type,
 	size_t file_id_size;
 	int rc;
 
-	if (type != IMA_VERITY_DIGSIG)
+	if (type != IMA_VERITY_DIGSIG && type != EVM_IMA_XATTR_DIGSIG)
 		return -EINVAL;
 
 	tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0);
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
@@ -297,7 +297,7 @@ static int xattr_verify(enum ima_hooks func, struct ima_iint_cache *iint,
 		}
 
 		sig = (typeof(sig))xattr_value;
-		if (sig->version >= 3) {
+		if (sig->version > 3) {
 			*cause = "invalid-signature-version";
 			*status = INTEGRITY_FAIL;
 			break;

Original file line number	Diff line number	Diff line change
`@@ -297,7 +297,7 @@ static int xattr_verify(enum ima_hooks func, struct ima_iint_cache *iint,`
`297`	`297`	`}`
`298`	`298`
`299`	`299`	`sig = (typeof(sig))xattr_value;`
`300`		`- if (sig->version >= 3) {`
	`300`	`+ if (sig->version > 3) {`
`301`	`301`	`*cause = "invalid-signature-version";`
`302`	`302`	`*status = INTEGRITY_FAIL;`
`303`	`303`	`break;`