On Wed, 2020-09-02 at 11:42 +0000, Roberto Sassu wrote:
From: Mimi Zohar [mailto:zohar@linux.ibm.com]
Sent: Monday, August 24, 2020 7:45 PM

Hi Roberto,
On Fri, 2020-08-21 at 14:30 -0400, Mimi Zohar wrote:
Sorry for the delay in reviewing these patches. Missing from this patch set is a cover letter with an explanation for grouping these patches into a patch set, other than for convenience. In this case, it would be along the lines that the original use case for EVM portable and immutable keys support was for a few critical files, not combined with an EVM encrypted key type. This patch set more fully integrates the initial EVM portable and immutable signature support.
Thank you for more fully integrating the EVM portable signatures into IMA.
"[PATCH 08/11] ima: Allow imasig requirement to be satisfied by EVM portable signatures" equates an IMA signature to having a portable and immutable EVM signature. That is true in terms of signature verification, but from an attestation perspective the "ima-sig" template will not contain a signature. If not the EVM signature, then at least some other indication should be included in the measurement list.
Would it be ok to print the EVM portable signature in the sig field if the IMA signature is not found? Later we can introduce the new template evm-sig to include all metadata necessary to verify the EVM portable signature.
As long as the attestation server can differentiate between the signature types, including the EVM signature should be fine.
Are you planning on posting the associated IMA/EVM regression tests?
I didn't have a look at the code yet. I will try to write some later.
It looks like ima_verify_signature() in ima-evm-utils could be extended to support the EVM portable signature or at least not to fail the signature verification.
Mimi
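The condition raised above, that an attestation server must be able to tell an IMA signature from an EVM portable signature if the latter is ever printed in the ima-sig template's sig field, comes down to the first byte of the xattr value. The following is an added example written for this page; it is not code from the kernel, from ima-evm-utils or from the patch set under discussion. It assumes the type-byte values of the kernel's enum evm_ima_xattr_type (EVM_IMA_XATTR_DIGSIG = 0x03 for security.ima, EVM_XATTR_PORTABLE_DIGSIG = 0x05 for security.evm) and the packed struct signature_v2_hdr layout; the measurement list lines it parses are constructed, with short fake signature payloads, and it only classifies the header, it does not verify any signature.

```python
"""Classify the sig field of ima-sig measurement entries by signature type.

Added example, not code from the IMA/EVM kernel tree or ima-evm-utils.
It parses only the signature header; it does not verify signatures.
"""
import struct

# Type byte that starts the security.ima / security.evm xattr value, as in the
# kernel's enum evm_ima_xattr_type (security/integrity/integrity.h).
IMA_XATTR_DIGEST = 0x01
EVM_XATTR_HMAC = 0x02
EVM_IMA_XATTR_DIGSIG = 0x03        # IMA file signature in security.ima
IMA_XATTR_DIGEST_NG = 0x04
EVM_XATTR_PORTABLE_DIGSIG = 0x05   # portable/immutable EVM signature in security.evm

DIGSIG_VERSION_2 = 2

# Subset of the kernel's enum hash_algo (include/uapi/linux/hash_info.h).
HASH_ALGO_NAMES = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}

# struct signature_v2_hdr { u8 type; u8 version; u8 hash_algo; __be32 keyid;
#                           __be16 sig_size; u8 sig[]; } __packed
SIG_V2_HDR = struct.Struct(">BBBIH")


def parse_signature_blob(blob: bytes) -> dict:
    """Decode a signature_v2_hdr blob and tell IMA from EVM portable signatures."""
    if len(blob) < SIG_V2_HDR.size:
        raise ValueError("signature shorter than signature_v2_hdr")
    xtype, version, hash_algo, keyid, sig_size = SIG_V2_HDR.unpack_from(blob)
    if xtype == EVM_IMA_XATTR_DIGSIG:
        kind = "ima-sig"
    elif xtype == EVM_XATTR_PORTABLE_DIGSIG:
        kind = "evm-portable-sig"
    else:
        # HMACs and plain digests carry no signature and must not be accepted as one.
        raise ValueError(f"xattr type 0x{xtype:02x} is not a signature")
    if version != DIGSIG_VERSION_2:
        raise ValueError(f"unsupported signature version {version}")
    sig = blob[SIG_V2_HDR.size:]
    if len(sig) != sig_size:
        raise ValueError(f"sig_size {sig_size} != {len(sig)} bytes present")
    return {
        "kind": kind,
        "hash_algo": HASH_ALGO_NAMES.get(hash_algo, f"unknown({hash_algo})"),
        "keyid": keyid,
        "sig": sig,
    }


def parse_ima_sig_line(line: str) -> dict:
    """Parse one ascii_runtime_measurements line in the ima-sig template.

    Layout: PCR template-hash ima-sig d-ng(algo:hash) n-ng(path) [sig-hex].
    Paths containing whitespace are not handled here; use the binary list for those.
    """
    fields = line.split()
    if len(fields) not in (5, 6) or fields[2] != "ima-sig":
        raise ValueError("not an ima-sig entry")
    algo, _, file_hash = fields[3].partition(":")
    entry = {
        "pcr": int(fields[0]),
        "template_hash": fields[1],
        "file_hash_algo": algo,
        "file_hash": file_hash,
        "path": fields[4],
        "signature": None,
    }
    if len(fields) == 6:
        entry["signature"] = parse_signature_blob(bytes.fromhex(fields[5]))
    return entry


def signature_kind(line: str) -> str:
    """'ima-sig', 'evm-portable-sig', 'none' or 'invalid' for an ima-sig line."""
    try:
        sig = parse_ima_sig_line(line)["signature"]
    except ValueError:
        return "invalid"
    return sig["kind"] if sig else "none"


def constructed_entry(xtype: int, path: str, file_hash: str, payload: bytes) -> str:
    """Build a constructed ima-sig line with a fake (not cryptographically valid) signature."""
    hdr = SIG_V2_HDR.pack(xtype, DIGSIG_VERSION_2, 4, 0x0A1B2C3D, len(payload))
    return f"10 {'00' * 20} ima-sig sha256:{file_hash} {path} {(hdr + payload).hex()}"


# Constructed sample entries: real RSA-2048 signatures are 256 bytes, these are 16.
SAMPLE_LINES = [
    constructed_entry(EVM_IMA_XATTR_DIGSIG, "/usr/bin/ima-signed", "11" * 32, b"\xaa" * 16),
    constructed_entry(EVM_XATTR_PORTABLE_DIGSIG, "/usr/bin/evm-signed", "22" * 32, b"\xbb" * 16),
    f"10 {'00' * 20} ima-sig sha256:{'33' * 32} /usr/bin/unsigned",
    # An HMAC is not a signature and must be rejected if it ever shows up in sig.
    constructed_entry(EVM_XATTR_HMAC, "/usr/bin/hmac-only", "44" * 32, b"\xcc" * 16),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line.split()[4]:28} {signature_kind(line)}")
```

The point of dispatching on the type byte before anything else is that a verifier fed the sig field must never treat an HMAC or digest-only xattr as evidence of a signature, and must know which key ring and which signed data (the file digest for an IMA signature, the metadata digest for an EVM portable signature) apply before it verifies anything.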