* [PATCH] integrity: support new struct public_key_signature encoding field
@ 2018-11-11 14:29 ` Mimi Zohar
0 siblings, 0 replies; 4+ messages in thread
From: Mimi Zohar @ 2018-11-11 14:29 UTC (permalink / raw)
To: David Howells
Cc: Mimi Zohar, keyrings, linux-integrity, linux-security-module,
Denis Kenzior
On systems with IMA-appraisal enabled with a policy requiring file
signatures, the "good" signature values are stored on the filesystem as
extended attributes (security.ima). Signature verification failure
would normally be limited to just a particular file (eg. executable),
but during boot signature verification failure could result in a system
hang.
Defining and requiring a new public_key_signature field requires all
callers of asymmetric signature verification to be updated to reflect
the change. This patch updates the integrity asymmetric_verify()
caller.
Fixes: 82f94f24475c ("KEYS: Provide software public key query function [ver #2]")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Denis Kenzior <denkenz@gmail.com>
---
security/integrity/digsig_asymmetric.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index 6dc075144508..d775e03fbbcc 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -106,6 +106,7 @@ int asymmetric_verify(struct key *keyring, const char *sig,
pks.pkey_algo = "rsa";
pks.hash_algo = hash_algo_name[hdr->hash_algo];
+ pks.encoding = "pkcs1";
pks.digest = (u8 *)data;
pks.digest_size = datalen;
pks.s = hdr->sig;
--
2.7.5
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH] integrity: support new struct public_key_signature encoding field
@ 2018-11-11 14:29 ` Mimi Zohar
0 siblings, 0 replies; 4+ messages in thread
From: Mimi Zohar @ 2018-11-11 14:29 UTC (permalink / raw)
To: David Howells
Cc: Mimi Zohar, keyrings, linux-integrity, linux-security-module,
Denis Kenzior
On systems with IMA-appraisal enabled with a policy requiring file
signatures, the "good" signature values are stored on the filesystem as
extended attributes (security.ima). Signature verification failure
would normally be limited to just a particular file (eg. executable),
but during boot signature verification failure could result in a system
hang.
Defining and requiring a new public_key_signature field requires all
callers of asymmetric signature verification to be updated to reflect
the change. This patch updates the integrity asymmetric_verify()
caller.
Fixes: 82f94f24475c ("KEYS: Provide software public key query function [ver #2]")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Denis Kenzior <denkenz@gmail.com>
---
security/integrity/digsig_asymmetric.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index 6dc075144508..d775e03fbbcc 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -106,6 +106,7 @@ int asymmetric_verify(struct key *keyring, const char *sig,
pks.pkey_algo = "rsa";
pks.hash_algo = hash_algo_name[hdr->hash_algo];
+ pks.encoding = "pkcs1";
pks.digest = (u8 *)data;
pks.digest_size = datalen;
pks.s = hdr->sig;
--
2.7.5
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] integrity: support new struct public_key_signature encoding field
2018-11-11 14:29 ` Mimi Zohar
@ 2018-11-12 16:42 ` Denis Kenzior
-1 siblings, 0 replies; 4+ messages in thread
From: Denis Kenzior @ 2018-11-12 16:42 UTC (permalink / raw)
To: Mimi Zohar, David Howells
Cc: keyrings, linux-integrity, linux-security-module
Hi Mimi,
On 11/11/2018 08:29 AM, Mimi Zohar wrote:
> On systems with IMA-appraisal enabled with a policy requiring file
> signatures, the "good" signature values are stored on the filesystem as
> extended attributes (security.ima). Signature verification failure
> would normally be limited to just a particular file (eg. executable),
> but during boot signature verification failure could result in a system
> hang.
>
> Defining and requiring a new public_key_signature field requires all
> callers of asymmetric signature verification to be updated to reflect
> the change. This patch updates the integrity asymmetric_verify()
> caller.
>
> Fixes: 82f94f24475c ("KEYS: Provide software public key query function [ver #2]")
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> Cc: David Howells <dhowells@redhat.com>
> Cc: Denis Kenzior <denkenz@gmail.com>
> ---
> security/integrity/digsig_asymmetric.c | 1 +
> 1 file changed, 1 insertion(+)
>
Acked/Reviewed by: Denis Kenzior <denkenz@gmail.com>
Regards,
-Denis
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] integrity: support new struct public_key_signature encoding field
@ 2018-11-12 16:42 ` Denis Kenzior
0 siblings, 0 replies; 4+ messages in thread
From: Denis Kenzior @ 2018-11-12 16:42 UTC (permalink / raw)
To: Mimi Zohar, David Howells
Cc: keyrings, linux-integrity, linux-security-module
Hi Mimi,
On 11/11/2018 08:29 AM, Mimi Zohar wrote:
> On systems with IMA-appraisal enabled with a policy requiring file
> signatures, the "good" signature values are stored on the filesystem as
> extended attributes (security.ima). Signature verification failure
> would normally be limited to just a particular file (eg. executable),
> but during boot signature verification failure could result in a system
> hang.
>
> Defining and requiring a new public_key_signature field requires all
> callers of asymmetric signature verification to be updated to reflect
> the change. This patch updates the integrity asymmetric_verify()
> caller.
>
> Fixes: 82f94f24475c ("KEYS: Provide software public key query function [ver #2]")
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> Cc: David Howells <dhowells@redhat.com>
> Cc: Denis Kenzior <denkenz@gmail.com>
> ---
> security/integrity/digsig_asymmetric.c | 1 +
> 1 file changed, 1 insertion(+)
>
Acked/Reviewed by: Denis Kenzior <denkenz@gmail.com>
Regards,
-Denis
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-11-12 16:42 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-11 14:29 [PATCH] integrity: support new struct public_key_signature encoding field Mimi Zohar
2018-11-11 14:29 ` Mimi Zohar
2018-11-12 16:42 ` Denis Kenzior
2018-11-12 16:42 ` Denis Kenzior
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.