Sign an fs-verity file digest

Sign fs-verity file digests provided in the format as produced by "fsverity digest". The output is of the same format as the input, but with the file signature appended. Use setfattr to write the signature as security.ima xattr. fsverity digest format: <algo>:<hash> <pathname> output format: <algo>:<hash> <pathname> <signature> Instead of directly signing the fsverity hash, to disambiguate the original IMA signatures from the fs-verity signatures stored in the security.ima xattr a new signature format version 3 (sigv3) was defined as the hash of the xattr type (enum evm_ima_xattr_type), the hash algorithm (enum hash_algo), and the hash. Example: fsverity digest <pathname> | evmctl sign_hash --veritysig \ --key <pem encoded private key> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2025-07-01 21:31:14 +02:00 · 2021-11-24 08:35:20 -05:00
parent acb19d1894
commit fc46af121e
4 changed files with 186 additions and 18 deletions
--- a/3
+++ b/3
@ -34,7 +34,7 @@ COMMANDS
 ima_hash file
 ima_measurement [--ignore-violations] [--verify-sig [--key "key1, key2, ..."]]  [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file
 ima_fix [-t fdsxm] path
- sign_hash [--key key] [--pass password]
+ sign_hash [--veritysig] [--key key] [--pass password]
 hmac [--imahash | --imasig ] file


@ -43,6 +43,7 @@ OPTIONS

  -a, --hashalgo     sha1, sha224, sha256, sha384, sha512
  -s, --imasig       make IMA signature
+      --veritysig    sign an fs-verity file digest hash
  -d, --imahash      make IMA hash
  -f, --sigfile      store IMA signature in .sig file instead of xattr
      --xattr-user   store xattrs in user namespace (for testing purposes)