[PATCH] evm: Enforce signatures version 3 with new EVM policy 'bit 3'

Stefan Berger Wed, 25 Mar 2026 14:37:18 -0700

Enable the configuration of EVM so that it requires that asymmetric
signatures it accepts are of version 3 (sigv3). To enable this, introduce
bit 3 (value 0x0008) that the user may write to EVM's securityfs policy
configuration file 'evm' for sigv3 enforcement.


Mention bit 3 in the documentation.

Signed-off-by: Stefan Berger <[email protected]>
---
 Documentation/ABI/testing/evm     |  1 +
 security/integrity/evm/evm.h      |  3 ++-
 security/integrity/evm/evm_main.c | 14 ++++++++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/Documentation/ABI/testing/evm b/Documentation/ABI/testing/evm
index 44750a933db4..db3007babb58 100644
--- a/Documentation/ABI/testing/evm
+++ b/Documentation/ABI/testing/evm
@@ -26,6 +26,7 @@ Description:
                2         Permit modification of EVM-protected metadata at
                          runtime. Not supported if HMAC validation and
                          creation is enabled (deprecated).
+               3         Require asymmetric signatures to be version 3
                31        Disable further runtime modification of EVM policy
                ===       ==================================================
 
diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index 51aba5a54275..694552aceaf8 100644
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -20,11 +20,12 @@
 #define EVM_INIT_HMAC  0x0001
 #define EVM_INIT_X509  0x0002
 #define EVM_ALLOW_METADATA_WRITES      0x0004
+#define EVM_SIGV3_REQUIRED             0x0008
 #define EVM_SETUP_COMPLETE 0x80000000 /* userland has signaled key load */
 
 #define EVM_KEY_MASK (EVM_INIT_HMAC | EVM_INIT_X509)
 #define EVM_INIT_MASK (EVM_INIT_HMAC | EVM_INIT_X509 | EVM_SETUP_COMPLETE | \
-                      EVM_ALLOW_METADATA_WRITES)
+                      EVM_ALLOW_METADATA_WRITES | EVM_SIGV3_REQUIRED)
 
 struct xattr_list {
        struct list_head list;
diff --git a/security/integrity/evm/evm_main.c 
b/security/integrity/evm/evm_main.c
index b15d9d933b84..b59e3f121b8a 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -136,6 +136,14 @@ static bool evm_hmac_disabled(void)
        return true;
 }
 
+static bool evm_sigv3_required(void)
+{
+       if (evm_initialized & EVM_SIGV3_REQUIRED)
+               return true;
+
+       return false;
+}
+
 static int evm_find_protected_xattrs(struct dentry *dentry)
 {
        struct inode *inode = d_backing_inode(dentry);
@@ -258,6 +266,12 @@ static enum integrity_status evm_verify_hmac(struct dentry 
*dentry,
                }
 
                hdr = (struct signature_v2_hdr *)xattr_data;
+
+               if (evm_sigv3_required() && hdr->version != 3) {
+                       evm_status = INTEGRITY_FAIL;
+                       goto out;
+               }
+
                digest.hdr.algo = hdr->hash_algo;
                rc = evm_calc_hash(dentry, xattr_name, xattr_value,
                                   xattr_value_len, xattr_data->type, &digest,

base-commit: e5797456e49041238b131c78e90e5d36a7fc0656
-- 
2.53.0

[PATCH] evm: Enforce signatures version 3 with new EVM policy 'bit 3'

Reply via email to