added sync mode flag to handle reboot notifications
- added discards handling
- use DM functions for printing kernel messages
- Dmitry
Dmitry Kasatkin (1):
dm-integrity: integrity protection device-mapper target
Documentation/device-mapper/dm-integrity.txt | 137
drivers/
e specific, binds integrity data to the
device. As a result data blocks and corresponding HMACs cannot simply be
copied over from other file systems.
Signed-off-by: Dmitry Kasatkin
---
Documentation/device-mapper/dm-integrity.txt | 137
drivers/md/Kconfig | 13 +
This is an RFC for the signed initramfs images, which can be used to provide
verified initial user-space. Please read patch description for the detailed
explanation.
BR,
Dmitry
Dmitry Kasatkin (2):
export unpack_to_rootfs
initramfs with digital signature protection
init/Kconfig |7
e
conventional initramfs using initramfs-tools hooks, for example, by creating
/etc/initramfs-tools/hooks/initramfs_sig.sh, and adding the following lines there:
#!/bin/sh
. /usr/share/initramfs-tools/hook-functions
copy_exec /initramfs-sig.img
Signed-off-by: Dmitry Kasatkin
---
init/K
Signed-off-by: Dmitry Kasatkin
---
init/do_mounts.h |2 ++
init/initramfs.c |2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/init/do_mounts.h b/init/do_mounts.h
index f5b978a..11829eb 100644
--- a/init/do_mounts.h
+++ b/init/do_mounts.h
@@ -74,3 +74,5 @@ void
d size is reduced to 32 bits to save xattr space. Key search is done
using partial match functionality of asymmetric_key_match().
- Kconfig option title was changed
Signed-off-by: Dmitry Kasatkin
Acked-by: David Howells
---
security/integrity/Kconfig | 12
securit
From: YOSHIFUJI Hideaki
digsig_verify_rsa() does not free kmalloc'ed buffer returned by
mpi_get_buffer().
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: Dmitry Kasatkin
Cc: sta...@vger.kernel.org
---
lib/digsig.c |2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/digsig.c
-integrity provides a lighter weight read-write block level integrity
protection for file systems not requiring full disk encryption, but
which do require writability.
- Dmitry
Dmitry Kasatkin (1):
dm-integrity: integrity protection device-mapper target
Documentation/device-mapper/dm-integrity.
e specific, binds integrity data to the
device. As a result data blocks and corresponding HMACs cannot simply be
copied over from other file systems.
Signed-off-by: Dmitry Kasatkin
---
Documentation/device-mapper/dm-integrity.txt | 125
drivers/md/Kconfig | 12 +
On 16/08/13 20:45, Greg KH wrote:
> On Fri, Aug 16, 2013 at 08:38:12PM +0300, Dmitry Kasatkin wrote:
>> On Fri, Aug 16, 2013 at 8:30 PM, Sarah Sharp wrote:
>>> On Fri, Aug 16, 2013 at 10:26:35AM -0700, Sarah Sharp wrote:
>>>> On Thu, Aug 15, 2013 at 05:17:16PM -070
]: *** [drivers/usb/host] Error 2
make: *** [drivers/usb/] Error 2
This patch separates definition for CONFIG_DYNAMIC_DEBUG and DEBUG cases.
Signed-off-by: Dmitry Kasatkin
---
include/linux/device.h | 17 ++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/include/linux
When debug is not enabled and dev_dbg() will expand to nothing,
log might be flooded with "callbacks suppressed". If it was not
done on purpose, better to use dev_dbg_ratelimited() instead.
Signed-off-by: Dmitry Kasatkin
---
drivers/usb/host/xhci-ring.c | 24 --
Used vim "=" as Sarah suggested.
- Dmitry
On Tue, Aug 27, 2013 at 5:47 PM, Dmitry Kasatkin wrote:
> When debug is not enabled and dev_dbg() will expand to nothing,
> log might be flooded with "callbacks suppressed". If it was not
> done on purpose, better to use
On Tue, Aug 27, 2013 at 8:39 PM, Greg KH wrote:
> On Tue, Aug 27, 2013 at 05:16:37PM +0300, Dmitry Kasatkin wrote:
>> On 16/08/13 20:45, Greg KH wrote:
>> > On Fri, Aug 16, 2013 at 08:38:12PM +0300, Dmitry Kasatkin wrote:
>> >> On Fri, Aug 16, 2013 at 8:30 PM, Sarah
On Tue, Aug 27, 2013 at 9:16 PM, Joe Perches wrote:
> On Tue, 2013-08-27 at 13:32 -0400, Jason Baron wrote:
>> On 08/27/2013 12:20 PM, Joe Perches wrote:
>> > On Tue, 2013-08-27 at 17:47 +0300, Dmitry Kasatkin wrote:
>> >> When DEBUG is defined, dev_dbg_ratel
On 28/08/13 13:38, Sedat Dilek wrote:
> On Wed, Aug 28, 2013 at 12:29 PM, Sedat Dilek wrote:
>> On Wed, Aug 28, 2013 at 11:56 AM, Sedat Dilek wrote:
>>> On Wed, Aug 28, 2013 at 11:49 AM, Sedat Dilek wrote:
Hi all,
Changes since 20130827:
The f2fs tree lost its build fail
On 28/08/13 13:46, Sedat Dilek wrote:
> On Wed, Aug 28, 2013 at 12:43 PM, Dmitry Kasatkin
> wrote:
>> On 28/08/13 13:38, Sedat Dilek wrote:
>>> On Wed, Aug 28, 2013 at 12:29 PM, Sedat Dilek wrote:
>>>> On Wed, Aug 28, 2013 at 11:56 AM, Sedat Dilek
>>>
On 28/08/13 19:59, Sarah Sharp wrote:
> Please trim your replies.
>
> On Wed, Aug 28, 2013 at 01:53:49PM +0300, Dmitry Kasatkin wrote:
>>>>> That change seems to cause the problems:
>>>>>
>>>>> commit 0730d52a86919300a39a2be37f6c140997dfb82f
>
I would not remove comment, because it is for explaining the macro line...
Second warning is natural in this case because macro itself defines
dev_dbg() functionality.
Internally it must use something else than itself...
- Dmitry
> Sarah Sharp
>
> On Tue, Aug 27, 2013 at 05:47:34PM +0300, Dmitry
Hello,
On Sat, Sep 14, 2013 at 7:56 PM, Lee, Chun-Yi wrote:
> Implement EMSA_PKCS1-v1_5-ENCODE [RFC3447 sec 9.2] in rsa.c. It's the
> first step of signature generation operation (RSASSA-PKCS1-v1_5-SIGN).
>
> This patch is temporary set emLen to pks->k, and temporary set EM to
> pks->S for debug
On Sat, Sep 14, 2013 at 7:56 PM, Lee, Chun-Yi wrote:
> Implement EMSA_PKCS1-v1_5-ENCODE [RFC3447 sec 9.2] in rsa.c. It's the
> first step of signature generation operation (RSASSA-PKCS1-v1_5-SIGN).
>
> This patch is temporary set emLen to pks->k, and temporary set EM to
> pks->S for debugging. We
Sorry. I am not at @intel.com any more. Did not see it.
I will use my private email for now..
Yes. This was bothering my eye for quite a while...
- Dmitry
On Fri, Apr 12, 2013 at 4:12 AM, Alexandru Gheorghiu
wrote:
>
> Use ERR_CAST function instead of ERR_PTR and PTR_ERR.
> Patch found using co
Sorry. I am not at @intel.com any more. Did not see it.
Will handle.
- Dmitry
On Mon, May 6, 2013 at 1:08 AM, Helge Deller wrote:
> The umul_ppmm() macro for parisc uses the xmpyu assembler statement
> which does calculation via a floating point register.
>
> But usage of floating point registe
On 15/08/13 02:30, Joel Fernandes wrote:
> On 08/14/2013 06:12 PM, Joel Fernandes wrote:
>> This patch series is a rewrite of the DMA portion of omap-aes driver
>> and also adds support for PIO mode. Both these modes, give better
>> performance than before.
>>
>> Earlier, only a single SG was used
On 15/08/13 06:12, Joel Fernandes wrote:
> On 08/14/2013 07:47 PM, Joe Perches wrote:
>> On Wed, 2013-08-14 at 18:40 -0500, Joel Fernandes wrote:
>>> On 08/14/2013 06:29 PM, Joe Perches wrote:
On Wed, 2013-08-14 at 18:12 -0500, Joel Fernandes wrote:
> When DEBUG is enabled, these macros ca
When debug is not enabled and dev_dbg() will expand to nothing,
log might be flooded with "callbacks suppressed". If it was not
done on purpose, better to use dev_dbg_ratelimited() instead.
Signed-off-by: Dmitry Kasatkin
---
drivers/usb/host/xhci-ring.c | 6 ++
1 file changed, 2
]: *** [drivers/usb/host] Error 2
make: *** [drivers/usb/] Error 2
This patch separates definition for CONFIG_DYNAMIC_DEBUG and DEBUG cases.
Signed-off-by: Dmitry Kasatkin
Cc: sta...@vger.kernel.org
---
include/linux/device.h | 17 ++---
1 file changed, 14 insertions(+), 3 deletions
On 15/08/13 19:37, Greg KH wrote:
> On Thu, Aug 15, 2013 at 07:04:54PM +0300, Dmitry Kasatkin wrote:
>> When DEBUG is defined, dev_dbg_ratelimited uses dynamic debug data
>> structures even when CONFIG_DYNAMIC_DEBUG is not defined.
>> It leads to build break.
>> For
On Fri, Aug 16, 2013 at 8:30 PM, Sarah Sharp wrote:
> On Fri, Aug 16, 2013 at 10:26:35AM -0700, Sarah Sharp wrote:
>> On Thu, Aug 15, 2013 at 05:17:16PM -0700, Greg KH wrote:
>> > On Thu, Aug 15, 2013 at 07:04:55PM +0300, Dmitry Kasatkin wrote:
>> > > When debug is
13 at 07:04:55PM +0300, Dmitry Kasatkin wrote:
>> > > > When debug is not enabled and dev_dbg() will expand to nothing,
>> > > > log might be flooded with "callbacks suppressed". If it was not
>> > > > done on purpose, better t
Hello,
(in plain text)
I respond to the original question of this thread.
signed initramfs allows not only to add keys to the keyrings but
perform other initialization,
which requires user-space.
Keys can be embedded into the kernel. This is fine.
Regards
- Dmitry
On Thu, Apr 11, 2013 at 12:0
On Thu, Apr 11, 2013 at 5:55 PM, Vivek Goyal wrote:
> On Thu, Apr 11, 2013 at 11:06:55AM +0300, Dmitry Kasatkin wrote:
>> Hello,
>>
>> I respond to the original question of this thread.
>> signed initramfs allows not only to add keys to the keyrings but perform
>>
ed new option 'zero_on_error' to return zeroed block instead of an error
default behavior is to return an error
- improved error printing
-Dmitry
Dmitry Kasatkin (1):
dm-integrity: integrity protection device-mapper target
Documentation/device-mapper/dm-integrity.txt | 137 +
e specific, binds integrity data to the
device. As a result data blocks and corresponding HMACs cannot simply be
copied over from other file systems.
Signed-off-by: Dmitry Kasatkin
---
Documentation/device-mapper/dm-integrity.txt | 137
drivers/md/Kconfig | 13 +
ing LSM and read real extended attribute values.
getfattr -e text -n integrity.SMACK64 foo
# file: foo
integrity.SMACK64="hello world"
Suggested-by: Casey Schaufler
Signed-off-by: Dmitry Kasatkin
---
fs/xattr.c | 22 +++---
include/uapi/linux/x
not be measured
and appraised and test this flag during subsequent calls to skip policy search.
Signed-off-by: Dmitry Kasatkin
---
include/linux/fs.h |4
1 file changed, 4 insertions(+)
diff --git a/include/linux/fs.h b/include/linux/fs.h
index b33cfc9..0bef2b2 100644
--- a/include
approach?
Thanks,
Dmitry
Dmitry Kasatkin (2):
vfs: new super block feature flags attribute
ima: skip policy search for never appraised or measured files
include/linux/fs.h |4
security/integrity/ima/ima_api.c|8 ++--
security/integrity/ima/ima_policy.c | 20
not be measured
and appraised and test this flag during subsequent calls to skip policy search.
Signed-off-by: Dmitry Kasatkin
---
include/linux/fs.h |4
1 file changed, 4 insertions(+)
diff --git a/include/linux/fs.h b/include/linux/fs.h
index b33cfc9..0bef2b2 100644
--- a/include
signature format.
BR,
Dmitry
Dmitry Kasatkin (1):
ima: digital signature verification using asymmetric keys
security/integrity/Kconfig | 12 +
security/integrity/digsig.c | 103 ++-
2 files changed, 114 insertions(+), 1 deletion(-)
--
1.7.10.4
yption.
I addressed all comments I got so far. Can it be now added to the DM tree?
- Dmitry
Dmitry Kasatkin (1):
dm-integrity: integrity protection device-mapper target
Documentation/device-mapper/dm-integrity.txt | 137
drivers/md/Kconfig | 13 +
drivers/m
e specific, binds integrity data to the
device. As a result data blocks and corresponding HMACs cannot simply be
copied over from other file systems.
Signed-off-by: Dmitry Kasatkin
---
Documentation/device-mapper/dm-integrity.txt | 137
drivers/md/Kconfig | 13 +
patch changed to /etc/keys
Signed-off-by: Dmitry Kasatkin
---
security/integrity/evm/Kconfig| 17 +
security/integrity/evm/evm_main.c | 7 +++
security/integrity/iint.c | 1 +
security/integrity/integrity.h| 8
4 files changed, 33 insertions
previously sent for review few months ago. Please refer to the patch
descriptions for details.
BR,
Dmitry
Dmitry Kasatkin (6):
integrity: define '.evm' as a builtin 'trusted' keyring
evm: load x509 certificate from the kernel
evm: enable EVM when X509 certificate is lo
g moved to evm_set_key
* EVM_INIT_HMAC moved to evm_set_key
* added bitop to prevent key setting race
Changes in v2:
* use size_t for key size instead of signed int
* provide EVM_MAX_KEY_SIZE macro in
* provide EVM_MIN_KEY_SIZE macro in
Signed-off-by: Dmitry Kasatkin
---
include/l
ity. (Mimi Zohar)
Signed-off-by: Dmitry Kasatkin
---
security/integrity/Kconfig| 11 +++
security/integrity/digsig.c | 14 --
security/integrity/evm/evm_main.c | 8 +---
security/integrity/ima/Kconfig| 5 -
security/integrity/ima/ima.h
its to enable EVM if key of any type
is loaded.
Changes in v2:
* EVM_STATE_KEY_SET replaced by EVM_INIT_HMAC
* EVM_STATE_X509_SET replaced by EVM_INIT_X509
Signed-off-by: Dmitry Kasatkin
---
security/integrity/evm/evm.h| 3 +++
security/integrity/evm/evm_crypto.c | 2 ++
security/integrity/
signature we may need to re-verify
the signature and update iint->flags that there is EVM
signature.
This patch enables that by resetting evm_status to
INTEGRITY_UNKNOWN state.
Changes in v2:
* Flag setting moved to EVM layer
Signed-off-by: Dmitry Kasatkin
---
security/integrity/evm
This patch imposes minimum key size limit.
It declares EVM_MIN_KEY_SIZE and EVM_MAX_KEY_SIZE in public header file.
Signed-off-by: Dmitry Kasatkin
---
include/linux/evm.h | 3 +++
security/integrity/evm/evm_crypto.c | 7 +++
2 files changed, 6 insertions(+), 4 deletions
From: Petko Manolov [pet...@mip-labs.com]
Sent: Friday, October 23, 2015 4:05 PM
To: Dmitry Kasatkin
Cc: zo...@linux.vnet.ibm.com; linux-ima-de...@lists.sourceforge.net;
linux-security-mod...@vger.kernel.org; linux-kernel@vger.kernel.org; Dmitry
Kasatkin
Hi,
I added error printing to the patch
http://git.kernel.org/cgit/linux/kernel/git/kasatkin/linux-digsig.git/log/?h=ima-next
Dmitry
On Fri, Oct 23, 2015 at 9:31 PM, Mimi Zohar wrote:
> On Thu, 2015-10-22 at 21:49 +0300, Dmitry Kasatkin wrote:
>> In order to enable EVM before start
Hi,
Updated in the patch.
http://git.kernel.org/cgit/linux/kernel/git/kasatkin/linux-digsig.git/log/?h=ima-next
Dmitry
On Fri, Oct 23, 2015 at 9:30 PM, Mimi Zohar wrote:
> On Thu, 2015-10-22 at 21:49 +0300, Dmitry Kasatkin wrote:
>> Crypto HW kernel module can possibly initialize EVM
Hi,
I will have a look to patches.
Thanks,
Dmitry
On Tue, Aug 14, 2018 at 9:34 PM James Morris wrote:
>
> On Tue, 14 Aug 2018, David Jacobson wrote:
>
> > This patchset introduces evmtest — a stand alone tool for regression
> > testing IMA.
>
> Nice!
>
> I usually run the SELinux testsuite as a
On 26/11/14 16:17, David Howells wrote:
> Extract both parts of the AuthorityKeyIdentifier, not just the keyIdentifier,
> as the second part can be used to match X.509 certificates by issuer and
> serialNumber.
>
> Signed-off-by: David Howells
> ---
>
> crypto/asymmetric_keys/Makefile |
On 21/11/14 16:42, Vivek Goyal wrote:
> On Thu, Nov 20, 2014 at 04:54:03PM +, David Howells wrote:
>
> [..]
>> diff --git a/crypto/asymmetric_keys/x509_parser.h
>> b/crypto/asymmetric_keys/x509_parser.h
>> index 3dfe6b5d6f0b..223b72344060 100644
>> --- a/crypto/asymmetric_keys/x509_parser.h
>>
Hi David,
sign-file.c produces lots of annoying noise.
scripts/sign-file.c:153:2: warning: format not a string literal and no
format arguments [-Wformat-security]
ERR(!bd, dest_name);
^
scripts/sign-file.c:179:3: warning: format not a string literal and no
format arguments [-Wformat-security]
On 05/12/14 12:23, David Howells wrote:
> Dmitry Kasatkin wrote:
>
>> sign-file.c produces lots of annoying noise.
> How did you get it to produce that?
>
> David
>
With just "make all" on Ubuntu.
- Dmitry
On 05/12/14 16:04, David Howells wrote:
> Dmitry Kasatkin wrote:
>
>> With just "make all" on Ubuntu.
> What gcc? I don't see any warnings.
>
> David
>
$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4
Changed to my private email address as I left Samsung.
Signed-off-by: Dmitry Kasatkin
---
MAINTAINERS | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MAINTAINERS b/MAINTAINERS
index ccb0fef..0ee6758 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -4655,7 +4655,7 @@ F
Changed to my private email address as I left Samsung.
Signed-off-by: Dmitry Kasatkin
---
MAINTAINERS | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MAINTAINERS b/MAINTAINERS
index ccb0fef..0ee6758 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -4655,7 +4655,7 @@ F
Hello,
Sorry for the ugly typo in MAINTAINERS.
- Dmitry
Dmitry Kasatkin (1):
MAINTAINERS: email update
MAINTAINERS | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
2.1.0
Hi,
Thank you. It looks correct.
Ack.
- Dmitry
On 9 January 2015 at 12:58, David Howells wrote:
> I think you're right - *adding* the two sizes makes no sense. cc'ing Dmitry
> also for his check.
>
> David
>
>
> Rasmus Villemoes wrote:
>
>> If u and v both represent negative integers and the
Hi,
Thank you. Indeed '-cmp' is much more clear.
Ack.
- Dmitry
On 9 January 2015 at 13:00, David Howells wrote:
> This looks very reasonable. cc'ing Dmitry for his check.
>
> David
> ---
> Rasmus Villemoes wrote:
>
>> The condition preceding 'return 1;' makes my head hurt. At this point,
>>
correct.
Acked-by: Dmitry Kasatkin
Dmitry
On 12 January 2015 at 13:43, David Howells wrote:
> Dmitry Kasatkin wrote:
>
>> Ack.
>
> To what email address do I translate that now?
>
> Acked-by: Dmitry Kasatkin
>
> perchance?
>
> David
--
Thanks
Hi,
Yes, please.
(in plain text)
- Dmitry
On 26 January 2015 at 22:49, Stephen Rothwell wrote:
> Hi all,
>
> I noticed commit bfd33c4b4b1a ("MAINTAINERS: email update") in the
> integrity tree today. I assume that I should also update the email
> address in my contacts list?
>
> --
> Cheers,
Looks good, you also updated comments of location of some functions.
Acked-by: Dmitry Kasatkin
Thanks
From: Vasily Averin [v...@virtuozzo.com]
Sent: Friday, June 01, 2018 7:29 PM
To: Andrew Morton; linux-kernel@vger.kernel.org
Cc: Dmitry Kasatkin
Subject
From: Sasha Levin
Sent: Tuesday, March 12, 2019 1:16 AM
To: Dmitry Kasatkin
Cc: Al Viro; yuehaibing; linux-kernel@vger.kernel.org;
linux-fsde...@vger.kernel.org; keesc...@chromium.org; sta...@vger.kernel.org;
gre...@google.com
Subject: Re: [PATCH -next] exec: Fix mem leak in
On 13/03/2019 16:38, gre...@linuxfoundation.org wrote:
On Wed, Mar 13, 2019 at 02:12:30PM +, Dmitry Kasatkin wrote:
From: Sasha Levin
Sent: Tuesday, March 12, 2019 1:16 AM
To: Dmitry Kasatkin
Cc: Al Viro; yuehaibing; linux-kernel@vger.kernel.org;
linux-fsde...@vger.kernel.org
Hello David,
I will be looking to patches today...
- Dmitry
On 04/11/13 18:22, David Howells wrote:
> Hi Mimi, Dmitry,
>
> Here's a series of patches, the last three of which attempt to fix up a
> problem with encrypted keys update method. The preceding patches are fixes or
> are preparatory fo
On Tue, Mar 4, 2014 at 4:02 AM, Mimi Zohar wrote:
> On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote:
>> If keys are not enabled, EVM is not visible in the configuration menu.
>> It may be difficult to figure out what to do unless you really know.
>>
>> Ot
On Tue, Mar 4, 2014 at 5:21 AM, Mimi Zohar wrote:
> On Mon, 2014-03-03 at 19:00 -0800, Casey Schaufler wrote:
>> On 3/3/2014 6:39 PM, Mimi Zohar wrote:
>> > On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote:
>> >> EVM currently uses source hard coded li
On Tue, Mar 4, 2014 at 4:09 AM, Mimi Zohar wrote:
> On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote:
>> This patch replaces using of hmac version configuration parameter
>> with attribute list. It allows to build kernels which works with
>> previously labeled filesys
On Tue, Mar 4, 2014 at 10:36 PM, Mimi Zohar wrote:
> On Tue, 2014-03-04 at 16:18 +0200, Dmitry Kasatkin wrote:
>> On Tue, Mar 4, 2014 at 5:21 AM, Mimi Zohar wrote:
>> > On Mon, 2014-03-03 at 19:00 -0800, Casey Schaufler wrote:
>> >> On 3/3/2014 6:39 PM, Mimi Zohar
On Wed, Mar 5, 2014 at 6:04 PM, Mimi Zohar wrote:
> On Wed, 2014-03-05 at 11:26 +0200, Dmitry Kasatkin wrote:
>> On Tue, Mar 4, 2014 at 10:36 PM, Mimi Zohar wrote:
>> > On Tue, 2014-03-04 at 16:18 +0200, Dmitry Kasatkin wrote:
>> >> On Tue, Mar 4, 2014 at 5:2
If keys are not enabled, EVM is not visible in the configuration menu.
It may be difficult to figure out what to do unless you really know.
Other subsystems as NFS, CIFS select keys automatically.
This patch does the same.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/evm/Kconfig | 5
Signed-off-by: Dmitry Kasatkin
---
security/integrity/ima/ima_api.c | 2 +-
security/integrity/ima/ima_main.c | 7 +--
2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index c6b4a73..ba9e4d7 100644
--- a
Memory allocation is unnecessary for empty files.
This patch finalize the hash without memory allocation.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/ima/ima_crypto.c | 20
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/security/integrity/ima
list which is
initialized from CONFIG_EVM_HMAC_XATTRS variable. It allows to build
kernel with support of older and newer EVM HMAC formats.
Possible future extension will be to read xattr list from the kernel
command line or from securityfs entry.
Signed-off-by: Dmitry Kasatkin
---
security
Hi,
This patchset contains bug fixes, cleanups and new features
for integrity subsystem.
- Dmitry
Dmitry Kasatkin (8):
ima: fix erroneous removal of security.ima xattr
integrity: fix checkpatch errors
ima: return d_name.name if d_path fails
evm: EVM does not use MD5
ima: skip memory
This patch replaces using of hmac version configuration parameter
with attribute list. It allows to build kernels which works with
previously labeled filesystems.
Currently supported attribute is 'fsuuid' which is equivalent of
former version 2.
Signed-off-by: Dmitry Kasatkin
---
Signed-off-by: Dmitry Kasatkin
---
security/integrity/evm/Kconfig | 1 -
1 file changed, 1 deletion(-)
diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index fea9749..5aa9103 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -2,7
. 'security.ima' might be erroneously removed.
This patch treats POST_SETATTR as special wildcard function and will
cause ima_must_appraise() to be true if any of the hooks rules matches.
security.ima will not be removed if any of the hooks would require
appraisal.
Signed-off-by: Dmitr
Unfixed checkpatch errors make it difficult to see new errors..
This patch fixes them.
Some lines with over 80 chars remained unchanged to improve
code readability.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/evm/evm.h | 28 +++---
security/integrity/evm/evm_crypto.c
Asynchronous hash API allows initiate hash calculation and perform
other tasks while hash is calculated.
This patch introduces using of double buffering for simultaneous hashing
and reading of the next chunk of data from storage.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/ima
rm
file IO simultaneously with hash calculation.
- Dmitry
Dmitry Kasatkin (2):
ima: use ahash API for file hash calculation
ima: provide double buffering for hash calculation
security/integrity/ima/ima_crypto.c | 269 +++-
1 file changed, 266 insertions(+), 3
he command line.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/ima/ima_crypto.c | 180 +++-
1 file changed, 176 insertions(+), 4 deletions(-)
diff --git a/security/integrity/ima/ima_crypto.c
b/security/integrity/ima/ima_crypto.c
index 1bde8e6..baf7a4d 10
This patch is on the top of Joe Perches patch.
- Dmitry
On 28/02/14 16:59, Dmitry Kasatkin wrote:
> Unfixed checkpatch errors make it difficult to see new errors..
> This patch fixes them.
> Some lines with over 80 chars remained unchanged to improve
> code readability.
>
> Sig
On Mon, Mar 3, 2014 at 3:41 PM, Mimi Zohar wrote:
> On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote:
>> Unfixed checkpatch errors make it difficult to see new errors..
>> This patch fixes them.
>
> A number of these errors are a result of inconsistencies between Lin
Hello Shuah,
Thanks for the patch.
If I am correct, Mimi has fixed already this error just recently.
But it did not get into James' tree yet...
http://git.kernel.org/cgit/linux/kernel/git/zohar/linux-integrity.git/commit/?h=next-fixes&id=f60bfa151cbe2e2eb6d5eaf84a3421405e7f282a
- Dmitry
On Fr
On 28/10/13 09:47, Stephen Rothwell wrote:
> Hi James,
>
> Today's linux-next merge of the security tree got a conflict in
> crypto/Makefile between commit a62b01cd6cc1 ("crypto: create generic
> version of ablk_helper") from the crypto tree and commit ee08997fee16
> ("crypto: provide single place
On 30/10/13 20:54, Mimi Zohar wrote:
> Require all keys added to the IMA keyring be signed by an
> existing trusted key on the system trusted keyring.
>
> Changelog:
> - define stub integrity_init_keyring() function (reported-by Fengguang Wu)
> - differentiate between regular and trusted keyring na
On 31/10/13 14:03, Mimi Zohar wrote:
> On Thu, 2013-10-31 at 10:30 +0200, Dmitry Kasatkin wrote:
>> On 30/10/13 20:54, Mimi Zohar wrote:
>>> Require all keys added to the IMA keyring be signed by an
>>> existing trusted key on the system trusted keyring.
>>&
On 31/10/13 14:43, Mimi Zohar wrote:
> On Thu, 2013-10-31 at 14:23 +0200, Dmitry Kasatkin wrote:
>> On 31/10/13 14:03, Mimi Zohar wrote:
>>> On Thu, 2013-10-31 at 10:30 +0200, Dmitry Kasatkin wrote:
>>>> On 30/10/13 20:54, Mimi Zohar wrote:
>>>>> Requir
Recent patch "KEYS: Load *.x509 files into kernel keyring" allows to builtin
multiple X509 certificates. It is easier to manage keys and certificates
when they are stored in the dedicated directory.
This patch proposes to store keys in the 'keys' directory.
Signed-off
On Thu, Jul 17, 2014 at 10:56 PM, David Howells wrote:
> Dmitry Kasatkin wrote:
>
>> When SIGNATURE=y but depends on CRYPTO=m, it selects MPILIB as module
>> producing build break. This patch makes digsig to select crypto for
>> correcting dependency.
>
> I'll
On Thu, Jul 17, 2014 at 10:55 PM, David Howells wrote:
> Dmitry Kasatkin wrote:
>
>> When ASYMMETRIC_KEYS=y, but depends on CRYPTO=m, selections will be also
>> modules.
>> In random config case OID_REGISTRY, MPILIB and ASN1 became modules producing
>> buil
Require all keys added to the EVM keyring be signed by an
existing trusted key on the system trusted keyring.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/evm/Kconfig| 8
security/integrity/evm/evm_main.c | 2 ++
2 files changed, 10 insertions(+)
diff --git a/security
Require all keys added to the IMA keyring be signed by an
existing trusted key on the system trusted keyring.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/ima/Kconfig| 9 +
security/integrity/ima/ima_init.c | 1 +
2 files changed, 10 insertions(+)
diff --git a/security
er' master keys.
However, it is recommended to use 'trusted' master key,
because 'user' master key is in non-encrypted form.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/evm/Kconfig | 8
security/integrity/evm/evm.h| 9
EVM key might be initialized in the kernel by kernel module
using HW specific way. For example such method would suit
devices with ARM Trust Zone technology.
This patch tries enable EVM by checking if evm-key already
exists in the kernel keyring.
Signed-off-by: Dmitry Kasatkin
---
security
parameter 'evm=off' that allows to disable EVM.
Signed-off-by: Dmitry Kasatkin
---
security/integrity/evm/evm.h | 5 +
security/integrity/evm/evm_main.c | 19 +--
security/integrity/evm/evm_secfs.c | 3 ++-
3 files changed, 20 insertions(+), 7 deletions(-)
di