Deprecate IMA signature version 1

The original IMA file signatures were based on a SHA1 hash. Kernel support for other hash algorithms was subsequently upstreamed. Deprecate "--rsa" support. Define "--enable-sigv1" option to configure signature v1 support. Reviewed-by: Petr Vorel <pvorel@suse.cz> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2025-07-01 21:31:14 +02:00 · 2022-08-04 18:33:38 -04:00
parent 8e1da33b0c
commit 751a395772
5 changed files with 66 additions and 13 deletions
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@ -17,6 +17,10 @@

 cd "$(dirname "$0")" || exit 1
 PATH=../src:$PATH
+
+# set the env SIGV1=1 to execute the signature v1 tests
+SIGV1=${SIGV1:-0}
+
 source ./functions.sh

 _require cmp evmctl getfattr openssl xxd
@ -368,13 +372,18 @@ try_different_sigs() {

 ## Test v1 signatures
 # Signature v1 only supports sha1 and sha256 so any other should fail
-expect_fail \
-  check_sign TYPE=ima KEY=rsa1024 ALG=md5 PREFIX=0x0301 OPTS=--rsa
+if [ $SIGV1 -eq 0 ]; then
+  __skip() { echo "IMA signature v1 tests are skipped: not supported"; return $SKIP; }
+  expect_pass __skip
+else
+   expect_fail \
+      check_sign TYPE=ima KEY=rsa1024 ALG=md5 PREFIX=0x0301 OPTS=--rsa

-sign_verify  rsa1024  sha1    0x0301 --rsa
-sign_verify  rsa1024  sha256  0x0301 --rsa
-  try_different_keys
-  try_different_sigs
+   sign_verify  rsa1024  sha1    0x0301 --rsa
+   sign_verify  rsa1024  sha256  0x0301 --rsa
+      try_different_keys
+      try_different_sigs
+fi

 ## Test v2 signatures with RSA PKCS#1
 # List of allowed hashes much greater but not all are supported.