* [PATCH] integrity: support new struct public_key_signature encoding field
@ 2018-11-11 14:29 Mimi Zohar
2018-11-12 16:42 ` Denis Kenzior
0 siblings, 1 reply; 2+ messages in thread
From: Mimi Zohar @ 2018-11-11 14:29 UTC (permalink / raw)
To: David Howells
Cc: Mimi Zohar, keyrings, linux-integrity, linux-security-module,
Denis Kenzior
On systems with IMA-appraisal enabled with a policy requiring file
signatures, the "good" signature values are stored on the filesystem as
extended attributes (security.ima). Signature verification failure
would normally be limited to just a particular file (eg. executable),
but during boot signature verification failure could result in a system
hang.
Defining and requiring a new public_key_signature field requires all
callers of asymmetric signature verification to be updated to reflect
the change. This patch updates the integrity asymmetric_verify()
caller.
Fixes: 82f94f24475c ("KEYS: Provide software public key query function [ver #2]")
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Denis Kenzior <denkenz@gmail.com>
---
security/integrity/digsig_asymmetric.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index 6dc075144508..d775e03fbbcc 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -106,6 +106,7 @@ int asymmetric_verify(struct key *keyring, const char *sig,
pks.pkey_algo = "rsa";
pks.hash_algo = hash_algo_name[hdr->hash_algo];
+ pks.encoding = "pkcs1";
pks.digest = (u8 *)data;
pks.digest_size = datalen;
pks.s = hdr->sig;
--
2.7.5
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] integrity: support new struct public_key_signature encoding field
2018-11-11 14:29 [PATCH] integrity: support new struct public_key_signature encoding field Mimi Zohar
@ 2018-11-12 16:42 ` Denis Kenzior
0 siblings, 0 replies; 2+ messages in thread
From: Denis Kenzior @ 2018-11-12 16:42 UTC (permalink / raw)
To: Mimi Zohar, David Howells
Cc: keyrings, linux-integrity, linux-security-module
Hi Mimi,
On 11/11/2018 08:29 AM, Mimi Zohar wrote:
> On systems with IMA-appraisal enabled with a policy requiring file
> signatures, the "good" signature values are stored on the filesystem as
> extended attributes (security.ima). Signature verification failure
> would normally be limited to just a particular file (eg. executable),
> but during boot signature verification failure could result in a system
> hang.
>
> Defining and requiring a new public_key_signature field requires all
> callers of asymmetric signature verification to be updated to reflect
> the change. This patch updates the integrity asymmetric_verify()
> caller.
>
> Fixes: 82f94f24475c ("KEYS: Provide software public key query function [ver #2]")
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> Cc: David Howells <dhowells@redhat.com>
> Cc: Denis Kenzior <denkenz@gmail.com>
> ---
> security/integrity/digsig_asymmetric.c | 1 +
> 1 file changed, 1 insertion(+)
>
Acked/Reviewed by: Denis Kenzior <denkenz@gmail.com>
Regards,
-Denis
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-11-12 16:42 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-11 14:29 [PATCH] integrity: support new struct public_key_signature encoding field Mimi Zohar
2018-11-12 16:42 ` Denis Kenzior
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).