From: Mikhail K. <vie...@vi...> - 2016-12-22 03:59:34
On Wed, 21 Dec 2016 20:37:02 -0500 Mimi Zohar <zo...@li...> wrote:

> On Tue, 2016-12-20 at 01:58 +0300, Mikhail Kurinnoi wrote:
> > This patch adds verification support for the immutable EVM signature
> > and ignores the -i flag during EVM signature verification.
> >
> > - The verify_hash function (/src/libimaevm.c) parses DIGSIG_VERSION_3
> >   in the same way as DIGSIG_VERSION_2, since version 3 at this stage
> >   should use the same code as version 2.
> >
> > - The verify_evm function (/src/evmctl.c) takes care of the
> >   "evm_immutable" internal flag to be sure that the "-i" flag is
> >   ignored and the hash is generated according to the file's EVM
> >   signature version. Please note, I don't use DIGSIG_VERSION_3 from
> >   "enum digsig_version" in this source file, since Dmitry Kasatkin
> >   used "3" for some reason in his patch (see
> >   https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/92033dc4042668aaec2df45aa864edc705bd607b/).
> >
> > - This patch fixes an issue in EVM signature verification when the
> >   flag "-i" is provided by mistake during EVM signature version 1 or
> >   version 2 verification (in this case the hash is generated for
> >   version 3 according to the provided flags, and not according to the
> >   file's EVM signature version as it should be, so verification will
> >   fail for sure).
>
> Dmitry started working on a portable EVM signature version that could
> be included in archives. Kernel support for the "new" format has not
> been upstreamed.
>
> Mimi

I use a revised version of Dmitry's kernel patch in order to use the IMA/EVM feature with a stand-alone package build server and desktop PCs. Do you plan to remove this feature from the evmctl utility, since this feature has not been upstreamed into the kernel, or is this work still in progress?

--
Best regards, Mikhail Kurinnoi
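The failure mode described in the quoted patch summary (a stray verification flag selecting a hash construction that does not match the version recorded in the file's signature), as an added example that is not code from ima-evm-utils or from the thread participants. It uses a hypothetical, much-simplified model of an EVM-style signature: a one-byte version header followed by a digest, FNV-1a 64 standing in for the real digest and signature, and an inode/generation pair standing in for the metadata that non-portable versions bind to. The function and field names, the 9-byte layout and the sample file content are all constructed for this illustration:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical, simplified model (not the real security.evm format):
 * versions 1 and 2 bind the digest to the inode and generation,
 * version 3 ("immutable"/portable) covers the content only.
 */
enum sig_version { SIG_V1 = 1, SIG_V2 = 2, SIG_V3_IMMUTABLE = 3 };

struct file_meta {
    uint64_t inode;
    uint32_t generation;
    const unsigned char *data;
    size_t len;
};

/* Stored "signature": one version byte followed by an 8-byte digest. */
#define SIG_LEN 9

/* FNV-1a 64 stands in for a real digest so the example runs offline. */
static uint64_t fnv1a(uint64_t h, const void *p, size_t n)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) {
        h ^= b[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Reconstruct the value that a signature of the given version covers. */
static uint64_t hash_for_version(const struct file_meta *f, int version)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    h = fnv1a(h, f->data, f->len);
    if (version != SIG_V3_IMMUTABLE) {
        /* v1/v2: bind to this inode, so the xattr is useless on a copy */
        h = fnv1a(h, &f->inode, sizeof f->inode);
        h = fnv1a(h, &f->generation, sizeof f->generation);
    }
    return h;
}

static void sign(unsigned char sig[SIG_LEN], const struct file_meta *f, int version)
{
    uint64_t h = hash_for_version(f, version);
    sig[0] = (unsigned char)version;
    memcpy(sig + 1, &h, sizeof h);
}

static int digest_matches(const unsigned char sig[SIG_LEN], uint64_t h)
{
    return memcmp(sig + 1, &h, sizeof h) == 0;
}

/* Buggy: a caller-supplied "immutable" flag (a stray -i) overrides the
 * version recorded in the stored signature. */
static int verify_flag_driven(const unsigned char sig[SIG_LEN],
                              const struct file_meta *f, int immutable_flag)
{
    int version = immutable_flag ? SIG_V3_IMMUTABLE : sig[0];
    return digest_matches(sig, hash_for_version(f, version));
}

/* Fixed: the version byte in the stored signature decides; the flag is ignored. */
static int verify_header_driven(const unsigned char sig[SIG_LEN],
                                const struct file_meta *f, int immutable_flag)
{
    (void)immutable_flag;
    int version = sig[0];
    if (version < SIG_V1 || version > SIG_V3_IMMUTABLE)
        return 0;   /* unknown version: refuse rather than guess */
    return digest_matches(sig, hash_for_version(f, version));
}

/* Constructed sample file content. */
static const unsigned char SAMPLE[] = "#!/bin/sh\necho hello\n";

/* Sign with sign_version, optionally "copy" the file to a new inode, then
 * verify with the given flag using the buggy or the fixed verifier.
 * Returns 1 if verification succeeds, 0 otherwise. */
static int scenario(int sign_version, int verify_flag, int move_inode, int use_fixed)
{
    struct file_meta f = { 4242, 7, SAMPLE, sizeof SAMPLE - 1 };
    unsigned char sig[SIG_LEN];
    sign(sig, &f, sign_version);
    if (move_inode) {           /* e.g. unpacked from an archive elsewhere */
        f.inode = 9001;
        f.generation = 1;
    }
    return use_fixed ? verify_header_driven(sig, &f, verify_flag)
                     : verify_flag_driven(sig, &f, verify_flag);
}

int main(void)
{
    printf("v2 sig, stray -i, flag-driven verify:   %s\n", scenario(SIG_V2, 1, 0, 0) ? "ok" : "FAIL");
    printf("v2 sig, stray -i, header-driven verify: %s\n", scenario(SIG_V2, 1, 0, 1) ? "ok" : "FAIL");
    printf("v3 sig on a copied file:                %s\n", scenario(SIG_V3_IMMUTABLE, 0, 1, 1) ? "ok" : "FAIL");
    printf("v2 sig on a copied file:                %s\n", scenario(SIG_V2, 0, 1, 1) ? "ok" : "FAIL");
    return 0;
}
```

The first scenario is the bug from the thread: a valid version 2 signature rejected only because the verifier let the flag, rather than the stored header, choose the hash construction. The last two show why the version matters at all in this model: the content-only version survives a copy to another inode, the inode-bound versions do not.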