mirror of
https://git.code.sf.net/p/linux-ima/ima-evm-utils
synced 2025-11-14 11:00:37 +01:00
Sign fs-verity file digests provided in the format as produced by "fsverity digest". The output is of the same format as the input, but with the file signature appended. Use setfattr to write the signature as security.ima xattr.

fsverity digest format: <algo>:<hash> <pathname>
output format: <algo>:<hash> <pathname> <signature>

Instead of directly signing the fsverity hash, to disambiguate the original IMA signatures from the fs-verity signatures stored in the security.ima xattr a new signature format version 3 (sigv3) was defined as the hash of the xattr type (enum evm_ima_xattr_type), the hash algorithm (enum hash_algo), and the hash.

Example:
    fsverity digest <pathname> | evmctl sign_hash --veritysig \
        --key <pem encoded private key>

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
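
The sigv3 construction described in the commit message, as an added example that is not code from ima-evm-utils: it parses one "fsverity digest" line and computes the hash that the signature would cover. The numeric enum values (taken from the kernel's enum evm_ima_xattr_type and enum hash_algo), the use of the same algorithm to hash the structure, and the function names are assumptions not stated on this page.

```python
import hashlib
import struct

# Assumed values (not on the page), from the kernel's
# enum evm_ima_xattr_type and enum hash_algo.
IMA_VERITY_DIGSIG = 6
HASH_ALGO = {"sha256": 4, "sha512": 6}


def parse_fsverity_digest(line):
    """Split '<algo>:<hash> <pathname>' into (algo, digest_bytes, pathname)."""
    head, sep, pathname = line.rstrip("\n").partition(" ")
    algo, colon, hexdigest = head.partition(":")
    if not sep or not colon or not pathname:
        raise ValueError("expected '<algo>:<hash> <pathname>'")
    if algo not in HASH_ALGO:
        raise ValueError("unsupported algorithm: " + algo)
    digest = bytes.fromhex(hexdigest)  # raises ValueError on non-hex input
    if len(digest) != hashlib.new(algo).digest_size:
        raise ValueError("digest length does not match " + algo)
    return algo, digest, pathname.lstrip()


def sigv3_preimage(algo, digest):
    """xattr type byte, hash algorithm byte, then the fs-verity digest."""
    return struct.pack("BB", IMA_VERITY_DIGSIG, HASH_ALGO[algo]) + digest


def sigv3_digest(line):
    """Return the hash that a sigv3 signature is computed over."""
    algo, digest, _ = parse_fsverity_digest(line)
    # Assumption: the structure is hashed with the file digest's algorithm.
    return hashlib.new(algo, sigv3_preimage(algo, digest)).digest()


if __name__ == "__main__":
    # Constructed sample: the digest bytes are made up, not a real file's.
    sample = "sha256:" + "ab" * 32 + " /usr/bin/example"
    print(sigv3_digest(sample).hex())
```

Because the type and algorithm bytes are hashed together with the digest, the signed value differs from the bare fs-verity digest, which is what keeps a sigv3 signature from being confused with an original IMA signature over the same bytes.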