> On May 3, 2018, at 5:42 PM, Mimi Zohar wrote:
>
> On Fri, 2018-05-04 at 03:11 +1000, James Morris wrote:
>> On Wed, 2 May 2018, Mehmet Kayaalp wrote:
>>
>>> These patches add support for modifying the reserved space for extra
>>> certificates in a
Detailed INFO output should go to stdout instead of stderr.
Signed-off-by: Mehmet Kayaalp
---
scripts/insert-sys-cert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/insert-sys-cert.c b/scripts/insert-sys-cert.c
index a3bd7ea8a436..caa446fe91b8 100644
--- a/scripts
reserved space is initially filled with random bytes.
Since a certificate contains some compressible bytes, after insertion the
vmlinux will hopefully be compressed to a smaller size.
Signed-off-by: Mehmet Kayaalp
---
certs/.gitignore| 1 +
certs/Makefile | 21
is created this way, the actual
certificate can be inserted into the bzImage:
scripts/insert-sys-cert -s -z -c
Signed-off-by: Mehmet Kayaalp
---
scripts/insert-sys-cert.c | 257 +-
1 file changed, 252 insertions(+), 5 deletions(-)
diff --git a
-off-by: Mehmet Kayaalp
---
scripts/insert-sys-cert.c | 331 +-
1 file changed, 218 insertions(+), 113 deletions(-)
diff --git a/scripts/insert-sys-cert.c b/scripts/insert-sys-cert.c
index 8902836c2342..10a17504dc87 100644
--- a/scripts/insert-sys-cert.c
+++ b
2-bit.
* Reordered 3/4, added x86 bzImage boot version (>=2.08) verification.
v2:
* Rebased arch/boot/x86/Makefile patch (removed in v3)
Mehmet Kayaalp (4):
KEYS: Insert incompressible bytes to reserve space in bzImage
KEYS: Add ELF class-independent certificate insertion support
KEYS: Sup
> On Aug 1, 2017, at 1:17 PM, Tycho Andersen wrote:
>
> Hi Mehmet,
>
> On Thu, Jul 20, 2017 at 06:50:31PM -0400, Mehmet Kayaalp wrote:
>> --- a/security/integrity/ima/ima_ns.c
>> +++ b/security/integrity/ima/ima_ns.c
>> @@ -301,3 +301,24 @@ struct ns
since this id
can be released and later reused by a different process.
Signed-off-by: Guilherme Magalhaes
Changelog:
* Change the field name from "mnt_ns" to "ns_mnt"
Signed-off-by: Mehmet Kayaalp
---
security/integrity/ima/ima_api.c | 10 ++
1 file changed, 10
Signed-off-by: Mehmet Kayaalp
---
init/Kconfig | 4 +++-
security/integrity/ima/ima.h | 24 +++-
security/integrity/ima/ima_api.c | 8 +---
security/integrity/ima/ima_main.c | 15 ---
security/integrity/ima/ima_ns.c
From: Mimi Zohar
The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
the IMA "audit" policy action. This patch defines AUDIT_INTEGRITY_POLICY
to reflect the IMA policy rules.
Signed-off-by: Mimi Zohar
---
include/uapi/linux/audit.h | 3 ++-
security/integrity/ima/ima_p
ept ns_struct is not free'd when the inode is free'd.
Instead, the lookup verifies the i_ino and i_generation fields are also a
match. A lazy clean up of the rbtree that removes free'd inodes could be
implemented to reclaim the invalid entries.
Signed-off-by: Mehmet Kayaalp
---
i
/integrity/ima/ima_ns.c
* Fix typo INFO->INO
* Each namespace free's itself, removed recursively free'ing
until init_ima_ns from free_ima_ns()
Signed-off-by: Mehmet Kayaalp
---
fs/proc/namespaces.c | 3 +
include/linux/ima.h | 37
include/li
IMA audit measurement msgs
Mehmet Kayaalp (2):
ima: Add ns_status for storing namespaced iint data
ima: namespace audit status flags
Mimi Zohar (1):
ima: differentiate auditing policy rules from "audit" actions
Yuqiong Sun (1):
ima: extend clone() with IMA namespace supp
This IMA namespacing patch set was initially implemented by Yuqiong Sun,
while at IBM Research as a summer intern working with David Safford. It
was subsequently modified and rebased by Stefan Berger and Mehmet
Kayaalp. The resulting patches are being made available from the
"next-namesp
> On Jun 3, 2017, at 10:21 PM, Peter Dolding wrote:
>
> On Thu, Jun 1, 2017 at 1:36 AM, Mehmet Kayaalp
> wrote:
>>
>>> On May 31, 2017, at 6:59 AM, Peter Dolding wrote:
>>>
>>> Number 1 we need to split the idea of signed and whitelisted.
> On May 31, 2017, at 6:59 AM, Peter Dolding wrote:
>
> Number 1 we need to split the idea of signed and whitelisted. IMA is
> signed should not be confused with white-listed. You will find
> policies stating whitelist and signed as two different things.
IMA-appraisal can do both. If the s
Use ELF class-independent GElf API for processing the kernel binary. This
patch adds support for compiling the script for 64-bit and the kernel for
32-bit (e.g. make ARCH=i386 on x86-64).
Signed-off-by: Mehmet Kayaalp
---
scripts/Makefile | 1 +
scripts/insert-sys-cert.c | 215
is created this way, the actual
certificate can be inserted into the bzImage:
scripts/insert-sys-cert -s -z -c
Signed-off-by: Mehmet Kayaalp
---
scripts/insert-sys-cert.c | 256 +-
1 file changed, 251 insertions(+), 5 deletions(-)
diff
Detailed INFO output should go to stdout instead of stderr.
Signed-off-by: Mehmet Kayaalp
---
scripts/insert-sys-cert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/insert-sys-cert.c b/scripts/insert-sys-cert.c
index b9793aa..990907d 100644
--- a/scripts/insert
reserved space is initially filled with random bytes.
Since a certificate contains some compressible bytes, after insertion the
vmlinux will hopefully be compressed to a smaller size.
Signed-off-by: Mehmet Kayaalp
---
certs/.gitignore| 1 +
certs/Makefile | 21
boot version (>=2.08) verification.
v2:
* Rebased arch/boot/x86/Makefile patch (removed in v3)
Mehmet Kayaalp (4):
KEYS: Insert incompressible bytes to reserve space in bzImage
KEYS: Add ELF class-independent certificate insertion support
KEYS: Support for inserting a certificate into x86
> On Apr 27, 2017, at 5:41 PM, Thiago Jung Bauermann
> wrote:
>
> On Wednesday, 26 April 2017, 18:18:34 BRT, Mehmet Kayaalp wrote:
>>> On Apr 20, 2017, at 7:41 PM, Thiago Jung Bauermann
>>> wrote:
>>>
>>> This patch introduces the appende
> On Apr 27, 2017, at 9:54 AM, David Howells wrote:
>
> Mehmet Kayaalp wrote:
>
>> +/* TODO: update CRC */
>
> Is this bit missing?
I didn't add it, since I wasn't sure it was still used with secure boot. The CRC
code is implemented in multiple pl
> On Apr 20, 2017, at 7:41 PM, Thiago Jung Bauermann
> wrote:
>
> This patch introduces the appended_imasig keyword to the IMA policy syntax
> to specify that a given hook should expect the file to have the IMA
> signature appended to it. Here is how it can be used in a rule:
>
> appraise func
> On Apr 20, 2017, at 7:13 PM, Henrique de Moraes Holschuh
> wrote:
>
> On Thu, 20 Apr 2017, Mehmet Kayaalp wrote:
>> Include a random filled binary in vmlinux at the space reserved with
>> CONFIG_SYSTEM_EXTRA_CERTIFICATE. This results in an uncompressed reserved
>
Use ELF class-independent GElf API for processing the kernel binary. This
patch adds support for compiling the script for 64-bit and the kernel for
32-bit (e.g. make ARCH=i386 on x86-64).
Signed-off-by: Mehmet Kayaalp
---
scripts/Makefile | 1 +
scripts/insert-sys-cert.c | 215
fication.
v2:
* Rebased arch/boot/x86/Makefile patch (removed in v3)
Mehmet Kayaalp (4):
KEYS: Insert incompressible bytes to reserve space in bzImage
KEYS: Add ELF class-independent certificate insertion support
KEYS: Support for inserting a certificate into x86 bzImage
KEYS: Print insert-
reserved space is initially filled with random bytes.
Since a certificate contains some compressible bytes, after insertion the
vmlinux will hopefully be compressed to a smaller size.
Signed-off-by: Mehmet Kayaalp
---
certs/.gitignore| 1 +
certs/Makefile | 21
is created this way, the actual
certificate can be inserted into the bzImage:
scripts/insert-sys-cert -s -z -c
Signed-off-by: Mehmet Kayaalp
---
scripts/insert-sys-cert.c | 236 +-
1 file changed, 231 insertions(+), 5 deletions(-)
diff
Detailed INFO output should go to stdout instead of stderr.
Signed-off-by: Mehmet Kayaalp
---
scripts/insert-sys-cert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/insert-sys-cert.c b/scripts/insert-sys-cert.c
index f558616..56c5482 100644
--- a/scripts/insert
> On Nov 25, 2016, at 4:06 AM, David Howells wrote:
>
> Mehmet Kayaalp wrote:
>
>> Include a random filled binary in vmlinux at the space reserved with
>> CONFIG_SYSTEM_EXTRA_CERTIFICATE. This results in an uncompressed reserved
>> area inside the bzImage as we
cross compilation.
* Added 2/4 for ELF class-independent processing of vmlinux file, in case the
script was compiled for 64-bit and the kernel was compiled for 32-bit.
* Reordered 3/4, added x86 bzImage boot version (>=2.08) verification.
v2:
* Rebased arch/boot/x86/Makefile patch (removed in v3)
Mehmet
is created this way, the actual
certificate can be inserted into the bzImage:
scripts/insert-sys-cert -s -z -c
Signed-off-by: Mehmet Kayaalp
---
scripts/insert-sys-cert.c | 238 +-
1 file changed, 233 insertions(+), 5 deletions(-)
diff
Include a random filled binary in vmlinux at the space reserved with
CONFIG_SYSTEM_EXTRA_CERTIFICATE. This results in an uncompressed reserved
area inside the bzImage as well, so that it can be replaced with an actual
certificate later (after the bzImage is distributed).
Signed-off-by: Mehmet
Detailed INFO output should go to stdout instead of stderr.
Signed-off-by: Mehmet Kayaalp
---
scripts/insert-sys-cert.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/insert-sys-cert.c b/scripts/insert-sys-cert.c
index 3d9018f..0516b2e 100644
--- a/scripts/insert
From e8196ab86d10c24a9ebc87a1007a4047dc77bab8 Mon Sep 17 00:00:00 2001
From: Mehmet Kayaalp
Date: Mon, 21 Nov 2016 15:46:20 -0500
Subject: [PATCH v3 0/4] Certificate insertion support for x86 bzImages
These patches add support for modifying the reserved space for extra
certificates i
Use ELF class-independent GElf API for processing the kernel binary.
Signed-off-by: Mehmet Kayaalp
---
scripts/Makefile | 1 +
scripts/insert-sys-cert.c | 215 +++---
2 files changed, 109 insertions(+), 107 deletions(-)
diff --git a/scripts
certificate for x86.
Changes:
* Rebased 2/3 on top of be1fb0e8eb082 ("kbuild: delete unnecessary "@:"")
Mehmet Kayaalp (3):
KEYS: Support for inserting a certificate into x86 bzImage
KEYS: Insert incompressible bytes to vmlinux to reserve space in
bzImage
KEYS: P
certificate later (after the bzImage is distributed).
Cross compilation is not supported yet.
Signed-off-by: Mehmet Kayaalp
Tested-by: Stefan Berger
Acked-by: Mimi Zohar
---
arch/x86/boot/compressed/Makefile | 8
1 file changed, 8 insertions(+)
diff --git a/arch/x86/boot/compressed
Detailed INFO output should go to stdout instead of stderr. This removes
the clutter from the output of build, which discards stdout.
Fixes: c4c361059585 ("KEYS: Reserve an extra certificate symbol for inserting
without recompiling")
Signed-off-by: Mehmet Kayaalp
Tested-by: Ste
-sys-cert -s -z -c
Signed-off-by: Mehmet Kayaalp
Tested-by: Stefan Berger
Acked-by: Mimi Zohar
---
scripts/insert-sys-cert.c | 210 --
1 file changed, 203 insertions(+), 7 deletions(-)
diff --git a/scripts/insert-sys-cert.c b/scripts/insert-sys
41 matches