more flexibility,
probably a boot time override can be considered.
Thanks & Regards,
- Nayna
cc: joeyli
Signed-off-by: Michal Suchanek
---
security/integrity/Kconfig | 2 --
1 file changed, 2 deletions(-)
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 232
how you generate randconfig? Do you use make xconfig?
Thanks & Regards,
- Nayna
The kernel currently only loads the kernel module signing key onto the
builtin trusted keyring. Load the module signing key onto the IMA keyring
as well.
Signed-off-by: Nayna Jain
Acked-by: Stefan Berger
---
certs/system_certificates.S | 13 -
certs/system_keyring.c| 50
The "mrproper" target is still looking for build time generated keys in
the kernel root directory instead of certs directory. Fix the path and
remove the names of the files which are no longer generated.
Fixes: cfc411e7fff3 ("Move certificate handling to its own directory")
The kernel build process currently only signs kernel modules when
MODULE_SIG is enabled. Also, sign the kernel modules at build time when
IMA_APPRAISE_MODSIG is enabled.
Signed-off-by: Nayna Jain
Acked-by: Stefan Berger
---
certs/Kconfig | 2 +-
certs/Makefile | 8
init/Kconfig | 6
5.
* Fix the issue reported by kernel test bot.
* Include Jarkko's feedback on patch description.
Nayna Jain (3):
keys: cleanup build time module signing keys
ima: enable signing of modules with build time generated key
ima: enable loading of build time generated key on .ima keyring
ing.
v2:
* Include feedback from Stefan - corrected the Fixes commit id in Patch 1
and cleaned Patch 5/5.
* Fix the issue reported by kernel test bot.
* Include Jarkko's feedback on patch description.
Nayna Jain (3):
keys: cleanup build time module signing keys
ima: enable signing o
The kernel currently only loads the kernel module signing key onto the
builtin trusted keyring. Load the module signing key onto the IMA keyring
as well.
Signed-off-by: Nayna Jain
---
certs/system_certificates.S | 13 +-
certs/system_keyring.c| 47
The kernel build process currently only signs kernel modules when
MODULE_SIG is enabled. Also, sign the kernel modules at build time when
IMA_APPRAISE_MODSIG is enabled.
Signed-off-by: Nayna Jain
---
certs/Kconfig | 2 +-
certs/Makefile | 8
init/Kconfig | 6 +++---
3 files changed
The "mrproper" target is still looking for build time generated keys in
the kernel root directory instead of certs directory. Fix the path and
remove the names of the files which are no longer generated.
Fixes: cfc411e7fff3 ("Move certificate handling to its own directory")
On 2/11/21 5:01 PM, Stefan Berger wrote:
On 2/11/21 2:54 PM, Nayna Jain wrote:
Loading a key on the IMA trusted keyring requires the key be signed
by an existing key on the builtin or secondary trusted keyring.
Creating a Certificate Signing Request (CSR) allows the certificate
to be self
builtin trusted keyring.
Signed-off-by: Nayna Jain
---
certs/system_keyring.c| 55 ++-
include/keys/system_keyring.h | 9 +-
security/integrity/digsig.c | 4 +++
3 files changed, 54 insertions(+), 14 deletions(-)
diff --git a/certs/system_keyring.c b
)
Signed-off-by: Nayna Jain
---
Makefile| 2 ++
certs/Makefile | 68 ++---
certs/system_certificates.S | 16 -
3 files changed, 80 insertions(+), 6 deletions(-)
diff --git a/Makefile b/Makefile
index a971d4ae40bd
The kernel build process currently only signs kernel modules when
MODULE_SIG is enabled. Also, sign the kernel modules at build time when
IMA_APPRAISE_MODSIG is enabled.
Signed-off-by: Nayna Jain
---
certs/Kconfig | 2 +-
init/Kconfig | 6 +++---
2 files changed, 4 insertions(+), 4 deletions
d time for IMA_APPRAISE_MODSIG as well
v2:
* Include feedback from Stefan - corrected the Fixes commit id in Patch 1
and cleaned Patch 5/5.
* Fix the issue reported by kernel test bot.
* Include Jarkko's feedback on patch description.
Nayna Jain (5):
keys: cleanup build time module sign
-off-by: Nayna Jain
---
Makefile | 3 ++-
certs/Makefile | 15 +++
2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index 004163a4e6b3..a971d4ae40bd 100644
--- a/Makefile
+++ b/Makefile
@@ -1473,7 +1473,8 @@ MRPROPER_FILES += include/config
The "mrproper" target is still looking for build time generated keys in
the old path instead of certs/ directory. Fix the path and remove the
names of the files which are no longer generated.
Fixes: fb1179499134 ("modsign: Use single PEM file for autogenerated key")
Signe
On 2/11/21 4:57 PM, Stefan Berger wrote:
On 2/11/21 2:54 PM, Nayna Jain wrote:
The "mrproper" target is still looking for build time generated keys
in the old path instead of certs/ directory.
This patch fixes the path as well as removes the names of the files which
are no longer
trusted keyring.
Signed-off-by: Nayna Jain
---
certs/system_keyring.c| 56 +++
include/keys/system_keyring.h | 9 +-
security/integrity/digsig.c | 4 +++
3 files changed, 55 insertions(+), 14 deletions(-)
diff --git a/certs/system_keyring.c b/certs
Certificates being loaded onto the IMA trusted keyring must be signed by
a key on either the builtin or secondary trusted keyring.
This patch creates and includes in the kernel image an ephemeral CA
key, at build time when IMA_APPRAISE_MODSIG is enabled.
Signed-off-by: Nayna Jain
---
Makefile
The kernel build process currently only signs kernel modules when
MODULE_SIG is enabled. Also, sign the kernel modules at build time when
IMA_APPRAISE_MODSIG is enabled.
Signed-off-by: Nayna Jain
---
certs/Kconfig | 2 +-
init/Kconfig | 6 +++---
2 files changed, 4 insertions(+), 4 deletions
CSR.
Signed-off-by: Nayna Jain
---
Makefile | 3 ++-
certs/Makefile | 15 +++
2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index af18aab6bbee..9c87fdd600d8 100644
--- a/Makefile
+++ b/Makefile
@@ -1473,7 +1473,8 @@ MRPROPER_FILES
The "mrproper" target is still looking for build time generated keys
in the old path instead of certs/ directory.
This patch fixes the path as well as removes the names of the files which
are no longer generated.
Signed-off-by: Nayna Jain
Fixes: 28a68f828266 ("modsign: Use sing
d time for IMA_APPRAISE_MODSIG as well
Nayna Jain (5):
keys: cleanup build time module signing keys
keys: generate self-signed module signing key using CSR
ima: update kernel module signing process during build
keys: define build time generated ephemeral kernel CA key
ima: enable loading of
On 1/27/21 11:11 PM, Eric Snowberg wrote:
On Jan 27, 2021, at 8:54 PM, Nayna wrote:
On 1/22/21 1:10 PM, Eric Snowberg wrote:
This fixes CVE-2020-26541.
The Secure Boot Forbidden Signature Database, dbx, contains a list of now
revoked signatures and keys previously approved to boot with
ert()
* is_key_on_revocation_list() -> is_cert_blacklisted()
Thanks & Regards,
- Nayna
_CERT_X509_SHA256_GUID or EFI_CERT_SHA256_GUID are applied
everywhere, and does not satisfy the trust model for .platform keyring.
We should fix this, but changing now might break some existing systems.
Probably it should be discussed as separate thread from this patchset.
Thanks & Regards,
- Nayna
On 8/11/20 3:26 PM, Tyler Hicks wrote:
v2:
- Always return an ERR_PTR from ima_alloc_rule_opt_list() (Nayna)
- Add Lakshmi's Reviewed-by to both patches
- Rebased on commit 3db0d0c276a7 ("integrity: remove redundant
initialization of variable ret") of next-integ
size_t i;
+
+ src_copy = match_strdup(src);
+ if (!src_copy)
+ return NULL;
The caller of this function checks for IS_ERR(..) and not
IS_ERR_OR_NULL(..). Shouldn't it return ERR_PTR(-EINVAL) instead of NULL ?
Thanks & Regards,
- Nayna
On 7/17/20 2:11 PM, Tyler Hicks wrote:
On 2020-07-17 13:40:22, Nayna wrote:
On 7/9/20 2:19 AM, Tyler Hicks wrote:
The "appraise_flag" option is only appropriate for appraise actions
and its "blacklist" value is only appropriate when
CONFIG_IMA_APPRAISE_MODSIG is enable
c: sta...@vger.kernel.org
Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86")
Signed-off-by: Bruno Meneguele
Reviewed-by: Nayna Jain
Tested-by: Nayna Jain
Thanks & Regards,
- Nayna
On 7/9/20 2:19 AM, Tyler Hicks wrote:
Ask the LSM to free its audit rule rather than directly calling kfree().
Is it to be called audit rule or filter rule ? Likewise in subject line.
Thanks & Regards,
- Nayna
(ima_rule_contains_lsm_cond(entry))
+ return false;
+
break;
default:
return false;
Should there be a check for IMA_MEASURE_ASYMMETRIC_KEYS in Opt_keyrings
in ima_parse_rule() to return immediately if not enabled ?
Thanks & Regards,
- Nayna
supported for Linux.
2 - Enabled and enforced.
3-9 - Enabled and enforcing; requirements are at the discretion of the
operating system.
The values of ibm,trusted-boot under pseries are interpreted as:
0 - Disabled
1 - Enabled
Signed-off-by: Nayna Jain
Reviewed-by: Daniel Axtens
---
v3:
* fixed
The device-tree property to check secure and trusted boot state is
different for guests (pseries) compared to baremetal (powernv).
This patch updates the existing is_ppc_secureboot_enabled() and
is_ppc_trustedboot_enabled() functions to add support for pseries.
Signed-off-by: Nayna Jain
Reviewed
The device-tree property to check secure and trusted boot state is
different for guests (pseries) compared to baremetal (powernv).
This patch updates the existing is_ppc_secureboot_enabled() and
is_ppc_trustedboot_enabled() functions to add support for pseries.
Signed-off-by: Nayna Jain
---
arch
ell based on if secure boot is enabled.
Thanks & Regards,
- Nayna
e based on CONFIG_MODULE_SIG
instead.
Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules")
Signed-off-by: Nayna Jain
---
v2:
* Fixes the patch description to specify the problem more clearly as asked
by Michael Ellerman.
arch/powerpc/kernel/ima_arch.c | 6 ++
On 10/01/2019 02:16 PM, Greg Kroah-Hartman wrote:
On Tue, Oct 01, 2019 at 02:08:53PM -0400, Nayna wrote:
Hi Greg,
On 08/26/2019 11:01 AM, Greg Kroah-Hartman wrote:
This variant was missing from sysfs.h, I guess no one noticed it before.
Turns out the powerpc secure variable code can use
-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2019 IBM Corporation
+ * Author: Nayna Jain
+ */
+
+#include
+#include
+
+bool arch_ima_get_secureboot(void)
+{
+ return is_powerpc_os_secureboot_enabled();
+}
+
+/* Defines IMA appraise rules for secureboot */
+static const char *const arch_rules
This patch updates the arch specific policies for PowerNV systems
to add check against blacklisted hashes before doing the verification.
Signed-off-by: Nayna Jain
---
arch/powerpc/kernel/ima_arch.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/kernel
This patch deprecates the existing permit_directio flag, instead adds
it as possible value to appraise_flag parameter.
For eg.
appraise_flag=permit_directio
Signed-off-by: Nayna Jain
---
Documentation/ABI/testing/ima_policy | 4 ++--
security/integrity/ima/ima_policy.c | 2 ++
2 files changed
On 09/02/2019 07:52 AM, Michael Ellerman wrote:
Hi Nayna,
Hi Michael,
Some more comments below.
Nayna Jain writes:
POWER secure boot relies on the kernel IMA security subsystem to
perform the OS kernel image signature verification.
Again this is just a design choice we've made,
On 09/02/2019 07:52 AM, Michael Ellerman wrote:
Hi Nayna,
Hi Michael,
Sorry I've taken so long to get to this series, there's just too many
patches that need reviewing :/
No problem. I understand. Thanks for reviewing.
Nayna Jain writes:
Secure boot on POWER defines dif
-specific IMA policies if PPC_SECURE_BOOT
config is enabled.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 2 ++
arch/powerpc/kernel/Makefile | 2 +-
arch/powerpc/kernel/ima_arch.c | 50 ++
include/linux/ima.h| 3 +-
4 files changed
Secure boot on POWER defines different IMA policies based on the secure
boot state of the system.
This patch defines a function to detect the secure boot state of the
system.
The PPC_SECURE_BOOT config represents the base enablement of secureboot
on POWER.
Signed-off-by: Nayna Jain
---
arch
ECVAR
* Replaced obj-$(CONFIG_IMA) with obj-$(CONFIG_PPC_SECURE_BOOT) in
arch/powerpc/kernel/Makefile
Nayna Jain (2):
powerpc: detect the secure boot mode of the system
powerpc: Add support to initialize ima policy rules
arch/powerpc/Kconfig | 13 ++
arch/powerpc/include/asm/secb
obfuscated mess and
not a good place at all for using ternary operator.
I have posted the v3 version that includes the suggested corrections by
you and Stefan. Sorry for some delay.
Michal and Sachin, I would appreciate if you can test the v3 version,
please ?
Thanks & Regards,
- Nayna
l Suchanek
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Tested-by: Sachin Sant
Tested-by: Michal Suchánek
---
Changelog:
v3:
* Includes Stefan's feedback correctly:
* Fixed handling of rc > 0 error
* Includes Jarkko's feedback related to comment and the function.
v2:
* Incl
On 07/05/2019 01:50 PM, Jarkko Sakkinen wrote:
On Fri, 2019-07-05 at 11:32 -0400, Nayna wrote:
I am not sure of the purpose of tpm_stop_chip(), so I have left it as it
is. Jarkko, what do you think about the change ?
Stefan right. Your does not work, or will randomly work or not work
l Suchanek
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Tested-by: Sachin Sant
Tested-by: Michal Suchánek
---
Changelog:
v2:
* Includes Jarkko's feedbacks
* fixes the function name to tpm_get_pcr_allocation()
* adds new function tpm1_get_pcr_allocation()
* updates patch summary
On 07/05/2019 10:13 AM, Stefan Berger wrote:
On 7/3/19 11:32 PM, Nayna Jain wrote:
The nr_allocated_banks and allocated banks are initialized as part of
tpm_chip_register. Currently, this is done as part of auto startup
function. However, some drivers, like the ibm vtpm driver, do not run
already made it available in my master and next.
Could you please wait a few days? I would prefer to fix this issue instead
of reverting the whole patch.
Nayna posted a patch late yesterday titled "tpm: fixes uninitialized
allocated banks for IBM vtpm driver", which addresses this bug.
N
kernel panic during boot.
This patch moves the pcr allocation outside the auto startup function
into tpm_chip_register. This ensures that allocated banks are initialized
in any case.
Fixes: 879b589210a9 ("tpm: retrieve digest size of unknown algorithms with
PCR read")
Signed-off-by:
.
Fix this by adding the missing __init annotation.
Fixes: 9dc92c45177ab70e ("integrity: Define a trusted platform keyring")
Signed-off-by: Geert Uytterhoeven
Thanks for fixing it.
Reviewed-by: Nayna Jain
Thanks & Regards,
- Nayna
CONFIG_KEXEC_VERIFY_SIG for CONFIG_IMA_ARCH_POLICY
Fixes: d958083a8f640 (x86/ima: define arch_get_ima_policy() for x86)
Signed-off-by: Nayna Jain
Cc: Eric Biederman
Cc: Dave Young
---
security/integrity/ima/Kconfig | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/integrity
On 04/25/2019 01:19 PM, prsriva wrote:
On 2019-04-25 4:48 a.m., Nayna wrote:
On 04/23/2019 08:15 PM, Prakhar Srivastava wrote:
From: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
---
The v2 version has to be on top of the HEAD of the repository itself,
and not on the v1
ion
makes to the upstream.
Btw, which repository and its branch are you using ?
Thanks & Regards,
- Nayna
#ifdef CONFIG_IMA
extern int ima_bprm_check(struct linux_binprm *bprm);
extern int ima_file_check(struct file *file, int mask, int opened);
@@ -29,7 +23,7 @@ extern int
function named set_module_sig_required() and renames
is_module_sig_enforced() to is_module_sig_enforced_or_required(). The
call to set_module_sig_required() is dependent on CONFIG_IMA_ARCH_POLICY
being enabled.
Signed-off-by: Mimi Zohar
---
Reviewed-by: Nayna Jain
Thanks & Reg
key_perm_t perm,
keyring[id] = NULL;
}
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+ if (id == INTEGRITY_KEYRING_PLATFORM) {
Shouldn't it also check that keyring[id] is not NULL ?
Thanks & Regards,
- Nayna
+ set_platform
> Personally I would like to see platform key separated from integrity.
> > > But for the kexec_file part I think it is good at least it works with
> > > this fix.
> > >
> > > Acked-by: Dave Young
> >
> > The original "platform" keyring
Boyer
Signed-off-by: David Howells
Signed-off-by: Nayna Jain
Acked-by: Serge Hallyn
Signed-off-by: Mimi Zohar
---
Changelog:
v2a:
- refactored uefi_blacklist_x509_tbs() and uefi_blacklist_binary()
v2:
- Fixed the checkpatch.pl warnings
v0:
- This patch replaces the loading of certificate
On 12/12/2018 12:17 AM, James Morris wrote:
On Sun, 9 Dec 2018, Nayna Jain wrote:
+/*
+ * Blacklist an X509 TBS hash.
+ */
+static __init void uefi_blacklist_x509_tbs(const char *source,
+ const void *data, size_t len)
+{
+ char *hash, *p
patch also sets the size of those arrays to zero and removes the definition
of TPM2_ACTIVE_PCR_BANKS.
Signed-off-by: Roberto Sassu
Tested-by: Nayna Jain
Thanks & Regards,
- Nayna
n modified.
Signed-off-by: Roberto Sassu
Acked-by: Mimi Zohar
Reviewed-by: Jarkko Sakkinen
Mimi, Nayna, can you help with testing this (because of the IMA change)?
Tested-by: Nayna Jain
Thanks & Regards,
- Nayna
/Jarkko
e used to
facilitate signature verification during kexec. Since the scope of this
keyring is only the platform/firmware keys, it cannot be updated from
userspace.
This keyring can be enabled by setting CONFIG_INTEGRITY_PLATFORM_KEYRING.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Acked-by: Serge H
From: Dave Howells
Add the data types that are used for containing hashes, keys and
certificates for cryptographic verification along with their corresponding
type GUIDs.
Signed-off-by: David Howells
Acked-by: Nayna Jain
Acked-by: Serge Hallyn
---
Changelog:
v0:
- No changes
include/linux
Howells
Signed-off-by: Nayna Jain
Acked-by: Serge Hallyn
---
Changelog:
v0:
- removed the CONFIG EFI_SIGNATURE_LIST_PARSER
- moved efi_parser.c from certs to security/integrity/platform_certs
directory
v2:
- Fixed the checkpatch.pl warnings
include/linux/efi.h
: David Howells
Acked-by: Nayna Jain
Acked-by: Serge Hallyn
---
Changelog:
v0:
- No changes
v2:
- Fixed the checkpatch.pl warnings
security/integrity/platform_certs/load_uefi.c | 45 +--
1 file changed, 35 insertions(+), 10 deletions(-)
diff --git a/security/integrity
x'
variable. We load those certificates into the newly introduced system
blacklist keyring and forbid any module signed with those from loading and
forbid the use within the kernel of any key with a matching hash.
This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS.
Signed-off-by: Josh Bo
-appraisal access to those original keys, now
loaded on the platform keyring, needed for verifying the kernel image
and initramfs signatures.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Acked-by: Serge Hallyn
- replace 'rc' with 'xattr_len' when calling integrity_
The patch refactors integrity_load_x509(), making it a wrapper for a new
function named integrity_add_key(). This patch also defines a new
function named integrity_load_cert() for loading the platform keys.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Acked-by: Serge Hallyn
---
security
ob parser
Josh Boyer (2):
efi: Import certificates from UEFI Secure Boot
efi: Allow the "db" UEFI variable to be suppressed
Nayna Jain (3):
integrity: Define a trusted platform keyring
integrity: Load certs to the platform keyring
ima: Support platform
e used to
facilitate signature verification during kexec. Since the scope of this
keyring is only the platform/firmware keys, it cannot be updated from
userspace.
This keyring can be enabled by setting CONFIG_INTEGRITY_PLATFORM_KEYRING.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Acked-by: Serge H
n modified.
Signed-off-by: Roberto Sassu
Acked-by: Mimi Zohar
Reviewed-by: Jarkko Sakkinen
Mimi, Nayna, can you help with testing this (because of the IMA change)?
Sure, I will try to do by end of my day tomorrow,
Thanks & Regards,
- Nayna
/Jarkko
On 11/07/2018 03:11 PM, Roberto Sassu wrote:
On 11/7/2018 7:14 AM, Nayna Jain wrote:
On 11/06/2018 08:31 PM, Roberto Sassu wrote:
This patch removes the hard-coded limit of the active_banks array size.
The hard-coded limit in static array active_banks[] represents the
maximum possible
er my understanding, the count in the TPML_PCR_SELECTION represents
the number of possible banks and not the number of active banks.
TCG Structures Spec for TPM 2.0 - Table 102 mentions this as explanation
of #TPM_RC_SIZE.
Thanks & Regards,
- Nayna
- if (count > ARRAY_SIZ
ip);
I only have Nuvoton TPM 2.0, tested for that.
Reviewed-by: Nayna Jain
Tested-by: Nayna Jain (For TPM 2.0)
Thanks & Regards,
- Nayna
PM 1.2 and TPM 2.0. This is a
change in behavior.
Thanks & Regards,
- Nayna
Thanks
Tomas
revious comment -
"The original code in the nuvoton driver does not differentiate between
TPM 1.2 and TPM 2.0 as it does in tpm_tis_core.c.
Before making any changes, I would first fix it, so that it could easily
be backported. Only then do the refactoring."
Thanks & Rega
On 09/29/2018 04:00 AM, Tomas Winkler wrote:
Reimplement tpm1_continue_selftest() using tpm_buf structure.
This is the last command using the old tpm_cmd_t structure
and now the structure can be removed.
Cc: Nayna Jain
Signed-off-by: Tomas Winkler
Reviewed-by: Jarkko Sakkinen
Tested-by
rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE,
+ TPM_DIGEST_SIZE, 0, log_msg);
+
+ tpm_buf_destroy(&buf);
+ return rc;
+}
Reviewed-by: Nayna Jain
Tested-by: Nayna Jain
Sorry for a bit of delay in testing.
Thanks & Regards,
- Nayna
different in this tpm1_auto_startup(...) and the original one ?
Is this needed ?
Thanks & Regards,
- Nayna
+int tpm1_get_timeouts(struct tpm_chip *chip);
unsigned long tpm1_calc_ordinal_duration(struct tpm_chip *chip, u32 ordinal);
unsigned long tpm_calc_ordinal_duration(struct tpm_
Thanks & Regards,
- Nayna
+ rc = i2c_nuvoton_wait_for_data_avail(chip, duration, &priv->read_queue);
if (rc) {
- dev_err(dev, "%s() timeout command duration\n", __func__);
+ dev_err(dev, "%s() timeout command duration %ld\n
From: Nayna Jain
This patch removes the code duplication in ima_init_policy() by defining
a new function named add_rules(). The new function adds the rules to the
initial IMA policy, the custom policy or both based on the policy mask
(IMA_DEFAULT_POLICY, IMA_CUSTOM_POLICY).
Signed-off-by: Nayna
this from someone with a working IMA setup
on testing.
My test system is down for now.. I think it will be up later in this
week. I can test it then.
Thanks & Regards,
- Nayna
/Jarkko
TPM chip to use.
+ * @ordinal: TPM command ordinal.
+ *
+ * Return: A maxiaml duration time for an ordinal in jiffies.
typo *maximal". It seems the typo got carried over to all
tpm*_calc_ordinal_duration functions.
Thanks & Regards,
- Nayna
+ */
+unsigned long tpm1_calc_ordinal_du
On 09/21/2018 07:28 PM, Tomas Winkler wrote:
1. TPM2_CC_LAST has moved from 182 to 193
2. Convert tpm2_ordinal_duration from an array into a switch statement,
as there are not so many commands that require special duration
relative to a number of commands, the switch statement function
hould probably setup).
I think I can try testing this patch sometime next week. I will test the
updated version.
Thanks & Regards,
- Nayna
/Jarkko
= tpm_transmit_cmd(chip, NULL, &buf.data, PAGE_SIZE,
I think this needs to be buf.data instead of &buf.data
Thanks & Regards,
- Nayna
0, 0, "continue selftest");
+
+ tpm_buf_destroy(&buf);
+
return rc;
}
respectively.
Signed-off-by: Tomas Winkler
Tested-by: Jarkko Sakkine
Typo in Jarkko's last name - "Sakkinen"
Thanks & Regards,
- Nayna
---
V2-V3: Resend.
V4: Fix the commit message.
drivers/char/tpm/tpm-interface.c | 41
dri
On 03/26/2018 05:44 PM, Jarkko Sakkinen wrote:
In order to make struct tpm_buf the first class object for constructing TPM
commands, migrate tpm2_get_tpm_pt() to use it.
Signed-off-by: Jarkko Sakkinen
Reviewed-by: Nayna Jain
Tested-by: Nayna Jain
Thanks & Regards,
- N
On 03/26/2018 05:44 PM, Jarkko Sakkinen wrote:
In order to make struct tpm_buf the first class object for constructing TPM
commands, migrate tpm2_probe() to use it.
Signed-off-by: Jarkko Sakkinen
Acked-by: Jay Freyensee
Reviewed-by: Nayna Jain
Tested-by: Nayna Jain
Thanks & Reg
.
Signed-off-by: Jarkko Sakkinen
Reviewed-by: Nayna Jain
Tested-by: Nayna Jain
---
drivers/char/tpm/tpm2-cmd.c | 44
1 file changed, 12 insertions(+), 32 deletions(-)
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index
if (tpm_buf_length(&buf) < TPM_HEADER_SIZE + 6 + data_len) {
rc = -EFAULT;
goto out;
}
Probably, all the changes related to the use of tpm_buf_length() could
be a separate patch in itself ?
Otherwise,
Tested-by: Nayna Jain
Thanks & Regards,
- Nayna
ranularity less than 1msec
Nayna Jain (2):
tpm: reduce poll sleep time in tpm_transmit()
tpm: reduce polling time to usecs for even finer granularity
drivers/char/tpm/tpm-interface.c | 2 +-
drivers/char/tpm/tpm.h | 5 -
drivers/char/tpm/tpm_tis_core.c | 11 +++
improved from ~14 sec to ~10.7 sec.
[1] All tests are performed on an x86 based, locked down, single purpose
closed system. It has Infineon TPM 1.2 using LPC Bus.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Acked-by: Jay Freyensee
Reviewed-by: Jarkko Sakkinen
Tested-by: Jarkko Sakkinen
MHz clock and 64-byte transfers, it would take about 120 usec
to move 256B of data. Sending 1kB would take about 500 usec. If the
transactions are done using 4 bytes at a time, then it would take about
1 msec. to transfer 1kB of data."
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Rev
10.4:
"This command(TPM2_GetTestResult) returns manufacturer-specific information
regarding the results of a self-test and an indication of the test status.
Signed-off-by: Nayna Jain
Tested-by: Mimi Zohar (on Pi with TPM 2.0)
Tested-by: Stefan Berger (With QEMU with
swtpm TP
On 05/10/2018 06:11 PM, Nayna Jain wrote:
On 05/08/2018 10:04 PM, J Freyensee wrote:
do {
- tpm_msleep(TPM_POLL_SLEEP);
+ tpm_msleep(TPM_TIMEOUT_POLL);
I'm just curious why it was decided to still use tpm_msleep() here
instead of usleep_range() whic