On Mon, 2025-06-02 at 15:25 +0200, Vitaly Kuznetsov wrote:
> UEFI SecureBoot 'db' keys are currently not trusted for modules signatures
> verification. RedHat based downstream distros (RHEL, Fedora, ...) carry a
> patch changing that for many years (since 2019 at least). This RFC is an
> attempt to
Hi Thomas,
On Tue, 2025-04-29 at 15:04 +0200, Thomas Weißschuh wrote:
> The current signature-based module integrity checking has some drawbacks
> in combination with reproducible builds:
> Either the module signing key is generated at build time, which makes
> the build unreproducible, or a stati
On Wed, 2025-05-14 at 20:25 +0200, Thomas Weißschuh wrote:
> May 14, 2025 19:39:37 Mimi Zohar :
>
> > On Wed, 2025-05-14 at 11:09 -0400, Mimi Zohar wrote:
> > > On Tue, 2025-04-29 at 15:04 +0200, Thomas Weißschuh wrote:
> > > > When configuration settings are d
On Wed, 2025-05-14 at 11:09 -0400, Mimi Zohar wrote:
> On Tue, 2025-04-29 at 15:04 +0200, Thomas Weißschuh wrote:
> > When configuration settings are disabled the guarded functions are
> > defined as empty stubs, so the check is unnecessary.
> > The specific con
check avoids some later churn.
>
> Signed-off-by: Thomas Weißschuh
Reviewed-by: Mimi Zohar
>
> ---
> This patch is not strictly necessary right now, but makes looking for
> usages of CONFIG_MODULE_SIG easier.
> ---
> arch/powerpc/kernel/ima_arch.c | 3 +--
> 1 fi
On Tue, 2025-04-29 at 15:04 +0200, Thomas Weißschuh wrote:
> When configuration settings are disabled the guarded functions are
> defined as empty stubs, so the check is unnecessary.
> The specific configuration option for set_module_sig_enforced() is
> about to change and removing the checks avoid
11c60f23ed13 ("integrity: Remove unused macro IMA_ACTION_RULE_FLAGS")
Please update the Fixes tag to refer to commit 0d73a55208e9.
> Reviewed-by: Mimi Zohar
> Signed-off-by: Roberto Sassu
> ---
> security/integrity/ima/ima.h | 1 +
> security/integrity/ima
ized by the iint lock.
>
> Reviewed-by: Mimi Zohar
> Signed-off-by: Roberto Sassu
Reviewed-by: Mimi Zohar
; iint->mutex up to where the inode was locked, use only one iint lock in
> __ima_inode_hash(), since the mutex is now in the inode security blob, and
> replace the inode_lock()/inode_unlock() calls in ima_check_last_writer().
>
> Signed-off-by: Roberto Sassu
> Reviewed-by: Paul Moore
Reviewed-by: Mimi Zohar
ve an additional overhead
> since the decision can be made in constant time, as opposed to logarithm
> when the inode integrity metadata was stored in the rb-tree.
>
> Suggested-by: Shu Han
> Reviewed-by: Christian Brauner
> Acked-by: Jan Kara
> Signed-off-by: Roberto Sassu
Reviewed-by: Mimi Zohar
On Wed, 2025-01-22 at 18:24 +0100, Roberto Sassu wrote:
> From: Roberto Sassu
>
> IMA-Appraisal implements a fix mode, selectable from the kernel command
> line by specifying ima_appraise=fix.
>
> The fix mode is meant to be used in a TOFU (trust on first use) model,
> where systems are supposed
maining ima_inode_get() calls, in
> ima_post_create_tmpfile() and ima_post_path_mknod(), to avoid the lockdep
> warnings.
>
> Signed-off-by: Roberto Sassu
Thank you for updating the patch description. You might also want to mention
that CONFIG_LOCKDEP_DEBUG is required to see the warnings.
Reviewed-by: Mimi Zohar
On Wed, 2024-11-13 at 07:56 +0200, Jarkko Sakkinen wrote:
> On Wed Nov 13, 2024 at 6:34 AM EET, Mimi Zohar wrote:
> > The module_param variable documentation needs to be updated to reflect the
> > actual module_param variable 'disable_pcr_integrity'.
> >
> >
tegrity/20241015193916.59964-1-zo...@linux.ibm.com/
> Fixes: 6519fea6fd37 ("tpm: add hmac checks to tpm2_pcr_extend()")
> Co-developed-by: Roberto Sassu
> Signed-off-by: Roberto Sassu
> Co-developed-by: Mimi Zohar
> Signed-off-by: Mimi Zohar
> Signed-off-by: Jarkko Sakkinen
T
On Tue, 2024-11-12 at 19:57 +0200, Jarkko Sakkinen wrote:
> On Mon Nov 11, 2024 at 9:53 PM EET, Mimi Zohar wrote:
> > > The original open coded the empty auth append with struct
> > > tpm2_null_auth since it's the only user. However, since we do have
> > > ano
On Thu, 2024-11-07 at 08:52 -0500, James Bottomley wrote:
> On Thu, 2024-11-07 at 15:49 +0200, Jarkko Sakkinen wrote:
> > On Thu Nov 7, 2024 at 3:20 PM EET, James Bottomley wrote:
> > > On Thu, 2024-11-07 at 11:51 +0200, Jarkko Sakkinen wrote:
> > > [...]
> > > > +void tpm_buf_append_auth(struct tp
ux.ibm.com/
> Fixes: 6519fea6fd37 ("tpm: add hmac checks to tpm2_pcr_extend()")
> Co-developed-by: Roberto Sassu
> Signed-off-by: Roberto Sassu
> Co-developed-by: Mimi Zohar
> Signed-off-by: Mimi Zohar
> Signed-off-by: Jarkko Sakkinen
> ---
> v2:
> - Move tpm_
On Thu, 2024-11-07 at 15:47 +0200, Jarkko Sakkinen wrote:
> On Thu Nov 7, 2024 at 3:44 PM EET, Mimi Zohar wrote:
> > >
> > > @@ -232,18 +236,26 @@ int tpm2_pcr_extend(struct tpm_chip *chip, u32
> > > pcr_idx,
> > > int rc;
> > > int i;
&
On Thu, 2024-11-07 at 02:51 +0200, Jarkko Sakkinen wrote:
> On Thu Nov 7, 2024 at 2:47 AM EET, Jarkko Sakkinen wrote:
> > From: Mimi Zohar
> >
> > The initial encrypted HMAC session feature added TPM bus encryption to
> > various in-kernel TPM operations. This can ca
Roberto, please consider renaming this patch.
IMA is informing the digest_cache LSM of the digest_list verification result.
Instead of "ima: Record IMA verification result of digest lists in digest
cache", it should be "ima: inform digest_cache LSM of digest list verification
result".
Mimi
On Wed, 2024-02-14 at 15:35 +0100, Roberto Sassu wrote:
> From: Roberto Sassu
>
> Specify the 'digest_cache_measure' boot-time policy with 'ima_policy=' in
> the kernel command line to add the following rule at the beginning of the
> IMA policy, before other rules:
>
> measure func=DIGEST_LIST_C
On Mon, 2024-03-11 at 10:11 +0100, Roberto Sassu wrote:
>
> > > @@ -386,8 +402,6 @@ static int process_measurement(struct file *file,
> > > const
> > > struct cred *cred,
> > > if (verif_mask_ptr)
> > > allow_mask = policy_mask & *verif_mask_ptr;
> > >
Hi Roberto,
> b/security/integrity/ima/ima_main.c
> index a66522a22cbc..e1b2f5737753 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -301,6 +301,15 @@ static int process_measurement(struct file *file, const
> struct cred *cred,
> }
>
Hi Roberto,
> diff --git a/security/integrity/ima/ima_main.c
> b/security/integrity/ima/ima_main.c
> index 3fc48214850a..48a09747ae7a 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -222,7 +222,9 @@ static int process_measurement(struct file *file, c
> > > @@ -971,6 +1006,16 @@ void __init ima_init_policy(void)
> > > {
> > > int build_appraise_entries, arch_entries;
> > >
> > > + /*
> > > + * We need to load digest cache rules at the beginning, to avoid dont_
> > > + * rules causing ours to not be reached.
> > > + */
> >
> > "lockdow
On Fri, 2024-03-08 at 10:05 +0100, Roberto Sassu wrote:
> On Thu, 2024-03-07 at 14:43 -0500, Mimi Zohar wrote:
> > On Wed, 2024-02-14 at 15:35 +0100, Roberto Sassu wrote:
> > > From: Roberto Sassu
> > >
> > > Add the 'digest_cache=' policy keyword,
On Wed, 2024-02-14 at 15:35 +0100, Roberto Sassu wrote:
> From: Roberto Sassu
>
> Specify the 'digest_cache_measure' boot-time policy with 'ima_policy=' in
> the kernel command line
The 'built-in' policies may be specified on the boot command line. Please
update the Subject line to use the term "
On Wed, 2024-02-14 at 15:35 +0100, Roberto Sassu wrote:
> From: Roberto Sassu
>
> Invoking digest_cache_get() inside the iint->mutex critical region can
> cause deadlocks due to the fact that IMA can be recursively invoked for
> reading the digest list. The deadlock would occur if the digest_cach
On Wed, 2024-02-14 at 15:35 +0100, Roberto Sassu wrote:
> From: Roberto Sassu
>
> Add the 'digest_cache=' policy keyword, to enable the usage of digest
> caches for specific IMA actions and purposes.
>
> At the moment, it accepts only 'content' as value, as digest caches can be
> only used only
[Cc'ing Rob Landley]
On Tue, 2019-06-25 at 14:57 +0200, Roberto Sassu wrote:
> Mimi, do you have any thoughts on this version?
I need to look closer, but when I first looked these changes seemed to
be really invasive. Let's first work on getting the CPIO xattr
support upstreamed. Rob Landley sa
On Thu, 2019-06-13 at 09:40 -0700, Casey Schaufler wrote:
> On 6/13/2019 3:30 AM, Sumit Garg wrote:
> > Add support for TEE based trusted keys where TEE provides the functionality
> > to seal and unseal trusted keys using hardware unique key. Also, this is
> > an alternative in case platform doesn'
On Fri, 2019-06-07 at 17:14 +0200, Roberto Sassu wrote:
> On 6/7/2019 5:08 PM, Mimi Zohar wrote:
> > On Fri, 2019-06-07 at 16:40 +0200, Roberto Sassu wrote:
> >>> On Thu, 2019-06-06 at 13:26 +0200, Roberto Sassu wrote:
> >
> >>>> Although this choice ap
On Fri, 2019-06-07 at 16:40 +0200, Roberto Sassu wrote:
> > On Thu, 2019-06-06 at 13:26 +0200, Roberto Sassu wrote:
> >> Although this choice appears legitimate, it might not be suitable for
> >> hardened systems, where the administrator expects that access is denied if
> >> there is any error. An
Hi Roberto,
Thank you for updating the patch description.
On Thu, 2019-06-06 at 13:26 +0200, Roberto Sassu wrote:
> IMA and EVM have been designed as two independent subsystems: the first for
> checking the integrity of file data; the second for checking file metadata.
> Making them independent a
On Thu, 2019-06-06 at 13:43 +0200, Roberto Sassu wrote:
> On 6/6/2019 1:26 PM, Roberto Sassu wrote:
> > Previous versions included the patch 'ima: don't ignore INTEGRITY_UNKNOWN
> > EVM status'. However, I realized that this patch cannot be accepted alone
> > because IMA-Appraisal would deny access
On Mon, 2019-06-03 at 11:25 +0200, Roberto Sassu wrote:
> On 5/30/2019 2:00 PM, Mimi Zohar wrote:
> > On Wed, 2019-05-29 at 15:30 +0200, Roberto Sassu wrote:
> >> Currently, ima_appraise_measurement() ignores the EVM status when
> >> evm_verifyxattr() returns INTEGRI
On Wed, 2019-05-29 at 15:30 +0200, Roberto Sassu wrote:
> Currently, ima_appraise_measurement() ignores the EVM status when
> evm_verifyxattr() returns INTEGRITY_UNKNOWN. If a file has a valid
> security.ima xattr with type IMA_XATTR_DIGEST or IMA_XATTR_DIGEST_NG,
> ima_appraise_measurement() retur
On Wed, 2019-05-29 at 15:30 +0200, Roberto Sassu wrote:
> Show the '^' character when a policy rule has flag IMA_INMASK.
>
> Fixes: 80eae209d63ac ("IMA: allow reading back the current IMA policy")
> Signed-off-by: Roberto Sassu
> Cc: sta...@vger.kernel.org
Thanks, queued.
> ---
> security/inte
On Wed, 2019-05-29 at 15:30 +0200, Roberto Sassu wrote:
> This patch prevents memory access beyond the evm_tfm array by checking the
> validity of the index (hash algorithm) passed to init_desc(). The hash
> algorithm can be arbitrarily set if the security.ima xattr type is not
> EVM_XATTR_HMAC.
>
On Tue, 2019-05-21 at 09:26 +0200, Roberto Sassu wrote:
> On 5/20/2019 11:20 PM, Mimi Zohar wrote:
> > On Thu, 2019-05-16 at 18:12 +0200, Roberto Sassu wrote:
> >> diff --git a/Documentation/admin-guide/kernel-parameters.txt
> >> b/Documentation/admin-guide/kerne
On Thu, 2019-05-16 at 18:12 +0200, Roberto Sassu wrote:
> This patch ensures that integrity_audit_msg() is called only when the
> status is not INTEGRITY_PASS.
>
> Fixes: 8606404fa555c ("ima: digital signature verification support")
> Signed-off-by: Roberto Sassu
> Cc: sta...@vger.kernel.org
> --
On Thu, 2019-05-16 at 18:12 +0200, Roberto Sassu wrote:
> diff --git a/Documentation/admin-guide/kernel-parameters.txt
> b/Documentation/admin-guide/kernel-parameters.txt
> index 52e6fbb042cc..80e1c233656b 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-g
On Thu, 2019-05-16 at 18:12 +0200, Roberto Sassu wrote:
> This patch adds a call to evm_reset_status() in evm_inode_post_setattr(),
> before security.evm is updated. The same is done in the other
> evm_inode_post_* functions.
>
> Fixes: 523b74b16bcbb ("evm: reset EVM status when file attributes ch
On Thu, 2019-05-16 at 18:12 +0200, Roberto Sassu wrote:
> This patch prevents memory access beyond the evm_tfm array by checking the
> validity of the index (hash algorithm) passed to init_desc(). The hash
> algorithm can be arbitrarily set if the security.ima xattr type is not
> EVM_XATTR_HMAC.
>
On Fri, 2019-05-17 at 00:10 +, Sasha Levin wrote:
>
> How should we proceed with this patch?
Yikes! This was posted earlier today. I haven't even had a chance to
look at it yet. Similarly for "[PATCH 4/4] ima: only audit failed
appraisal verifications".
Mimi
Hi Thiago,
On Thu, 2019-04-18 at 00:51 -0300, Thiago Jung Bauermann wrote:
>
> @@ -326,6 +356,10 @@ int ima_appraise_measurement(enum ima_hooks func,
> case INTEGRITY_UNKNOWN:
> break;
> case INTEGRITY_NOXATTRS:/* No EVM protected xattrs. */
> +
be used in the places that actually expect that
> definition.
, specifically the EVM HMAC code.
>
> Signed-off-by: Thiago Jung Bauermann
Other than commenting the evm_xattr usage is limited to HMAC before
the structure definition, this looks good.
Reviewed-by: Mimi Zohar
> ---
> s
On Fri, 2018-11-02 at 13:49 -0700, Kees Cook wrote:
> On Fri, Nov 2, 2018 at 11:13 AM, Mimi Zohar wrote:
> > I don't recall why "integrity" is on the security_initcall, while both
> > IMA and EVM are on the late_initcall().
>
> It's because integ
Hi Kees,
On Wed, 2018-10-10 at 17:18 -0700, Kees Cook wrote:
> This provides a place for ordered LSMs to be initialized, separate from
> the "major" LSMs. This is mainly a copy/paste from major_lsm_init() to
> ordered_lsm_init(), but it will change drastically in later patches.
>
> What is not ob
On Sat, 2018-02-17 at 16:26 -0800, h...@zytor.com wrote:
> Do you have a description of the gaps you have identified?
Probably the 2016 Linux Security Summit (LSS) integrity status update
has the best list.
http://events17.linuxfoundation.org/sites/events/files/slides/LSS2016-
LinuxIntegritySubs
On Fri, 2018-02-16 at 12:59 -0800, H. Peter Anvin wrote:
> On 02/16/18 12:33, Taras Kondratiuk wrote:
> > Many of the Linux security/integrity features are dependent on file
> > metadata, stored as extended attributes (xattrs), for making decisions.
> > These features need to be initialized during
On Mon, 2017-11-20 at 10:40 +0100, Roberto Sassu wrote:
> On 11/19/2017 12:23 AM, Mimi Zohar wrote:
> > Hi Serge,
> >
> > On Fri, 2017-11-17 at 22:20 -0600, Serge E. Hallyn wrote:
> >> On Tue, Nov 07, 2017 at 11:37:01AM +0100, Roberto Sassu wrote:
> >>
Hi Serge,
On Fri, 2017-11-17 at 22:20 -0600, Serge E. Hallyn wrote:
> On Tue, Nov 07, 2017 at 11:37:01AM +0100, Roberto Sassu wrote:
> > from a predefined position (/etc/ima/digest_lists/metadata), when rootfs
> > becomes available. Digest lists must be loaded before IMA appraisal is in
> > enforc
On Fri, 2017-11-17 at 09:55 +0100, Roberto Sassu wrote:
> On 11/17/2017 2:08 AM, Kees Cook wrote:
> > On Tue, Nov 7, 2017 at 8:45 AM, Roberto Sassu
> > wrote:
> >> On 11/7/2017 2:37 PM, Mimi Zohar wrote:
> >>> Normally, the protection of kernel memory is ou
On Thu, 2017-11-09 at 09:47 -0500, Matthew Garrett wrote:
> This seems very over-complicated, and it's unclear why the kernel
> needs to open the file itself. You *know* that all of userland is
> trustworthy at this point even in the absence of signatures.
Assuming the initramfs is signed, then y
Hi Roberto,
On Tue, 2017-11-07 at 11:36 +0100, Roberto Sassu wrote:
> IMA is a security module with the objective of reporting or enforcing the
> integrity of a system, by measuring files accessed with the execve(),
> mmap() and open() system calls. For reporting, it takes advantage of the
> TPM a
On Wed, 2017-08-09 at 19:18 +0200, Roberto Sassu wrote:
> On 8/9/2017 4:30 PM, Mimi Zohar wrote:
> > On Wed, 2017-08-09 at 11:15 +0200, Roberto Sassu wrote:
> >> On 8/2/2017 9:22 AM, James Morris wrote:
> >>> On Tue, 1 Aug 2017, Roberto Sassu wrote:
> >>&
On Wed, 2017-08-09 at 11:15 +0200, Roberto Sassu wrote:
> On 8/2/2017 9:22 AM, James Morris wrote:
> > On Tue, 1 Aug 2017, Roberto Sassu wrote:
> >
> >> On 8/1/2017 12:27 PM, Christoph Hellwig wrote:
> >>> On Tue, Aug 01, 2017 at 12:20:36PM +0200, Roberto Sassu wrote:
> This patch introduces a
Hi Roberto,
[cc'ing tpmdd-devel]
On Tue, 2017-07-25 at 17:44 +0200, Roberto Sassu wrote:
> This patch set applies on top of kernel v4.13-rc2.
>
> IMA, for each file matching policy rules, calculates a digest, creates
> a new entry in the measurement list and extends a TPM PCR with the digest
> o
On Sat, 2017-05-06 at 15:59 +0300, Gilad Ben-Yossef wrote:
> ima starts several async. crypto ops and waits for their completions.
> Move it over to generic code doing the same.
>
> Signed-off-by: Gilad Ben-Yossef
Acked-by: Mimi Zohar
> ---
> security/integrity/ima
On Tue, 2016-04-12 at 15:38 -0700, Kees Cook wrote:
> On Tue, Apr 12, 2016 at 3:31 PM, Al Viro wrote:
> > On Tue, Apr 12, 2016 at 09:54:44AM -0700, Kees Cook wrote:
> >> Providing human-readable (and audit-parsable) strings for the READING_*
> >> enums is needed by some LSMs.
> >>
> >> Signed-off-