Using the same name for ephemeral and "persistent" keys results
in deleting the "persistent" key. This patch renames the normal
kbuild asymmetric key pair name to "default_signing_key" and the
ephemeral key pair name to "ephemeral_signing_key".
d kernel module support
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
---
Makefile | 26 ++
1 files changed, 26 insertions(+), 0 deletions(-)
diff --git a/Makefile b/Makefile
index 9f6ca12..d0dd777 100644
--- a/Makefile
+++ b/Makefile
@@ -718,10 +718,17 @@
On Fri, 2013-03-15 at 16:35 -0400, Vivek Goyal wrote:
> Do elf executable signature verification (if one is present). If signature
> is present, it should be valid. Validly signed files are given a capability
> CAP_SIGNED.
>
> If file is unsigned, it can execute but it does not get the capability
On Tue, 2013-03-19 at 15:47 +1100, James Morris wrote:
> On Mon, 18 Mar 2013, Matthew Garrett wrote:
>
> > This patch introduces CAP_COMPROMISE_KERNEL.
>
> I'd like to see this named CAP_MODIFY_KERNEL, which is more accurate and
> less emotive. Otherwise I think core kernel developers will be
On Wed, 2013-03-20 at 11:21 -0400, Vivek Goyal wrote:
> On Tue, Mar 19, 2013 at 10:39:01AM -0400, Mimi Zohar wrote:
>
> [..]
> > > +#ifdef CONFIG_BINFMT_ELF_SIG
> > > + /* If executable is digitally signed. Lock down in memory */
> > > + /* Get file
On Wed, 2013-03-20 at 16:49 +, Matthew Garrett wrote:
> On Wed, 2013-03-20 at 12:41 -0400, Mimi Zohar wrote:
>
> > Matthew, perhaps you could clarify whether this will be tied to MAC
> > security. Based on the kexec thread, I'm under the impression that is
> > n
On Wed, 2013-03-20 at 18:12 +, Matthew Garrett wrote:
> On Wed, 2013-03-20 at 14:01 -0400, Mimi Zohar wrote:
>
> > Sorry, I'm not sure to which work you're referring. If you're referring
> > to Dmitry's "initramfs with digital signature protect
On Wed, 2013-03-20 at 20:37 +, Matthew Garrett wrote:
> On Wed, 2013-03-20 at 15:16 -0400, Mimi Zohar wrote:
> > On Wed, 2013-03-20 at 18:12 +, Matthew Garrett wrote:
> > > Well, in the absence of hardcoded in-kernel policy, there needs to be
> > > some mechanism
-7fed4a3e0363).
For partitions not being appraised, it might be a good idea to mount
file systems with the 'noexec' option to prevent executing non-verified
binaries.
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
---
Documentation/ABI/testing/ima_policy | 4 +++-
security/int
Changelog v1:
- squash "hmac version setting"
Changelog v0:
- add missing Kconfig depends (Mimi)
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
---
security/integrity/evm/Kconfig | 13 +
security/integrity/evm/evm.h| 1 +
security/integrity/evm/evm_crypto.c |
On Tue, 2013-02-05 at 13:03 -0500, Peter Jones wrote:
> It's not clear to me why we need this encapsulation - wouldn't it be
> better to add another [pointer,size] pair to the bootloader protocol
> with a structure like:
https://lkml.org/lkml/2013/1/30/68 was in response to the assumption
that th
From: Dmitry Kasatkin
Old crypto hash API internally uses shash API.
Using shash API directly is more efficient.
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima.h| 1 +
security/integrity/ima/ima_crypto.c | 75
From: Dmitry Kasatkin
Rename hash calculation functions to reflect meaning
and change argument order in conventional way.
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima.h| 4 ++--
security/integrity/ima/ima_api.c| 6 +++---
security
On Mon, 2013-02-11 at 15:11 -0500, Vivek Goyal wrote:
> appraise_type=imasig_optional will allow appraisal to pass even if no
> signatures are present on the file. If signatures are present, then it
> has to be valid digital signature, otherwise appraisal will fail.
>
> This can allow to selective
On Mon, 2013-02-11 at 15:11 -0500, Vivek Goyal wrote:
> vfs_getxattr_alloc() returns -EOPNOTSUPP if filesystem does not have
> security label enabled. In that case there is no point in continuing
> further and try to fix hashes (if ima_appraise=fix was specified) as
> that will fail too. Return ear
On Tue, 2013-02-12 at 09:26 -0500, Vivek Goyal wrote:
> On Mon, Feb 11, 2013 at 05:10:14PM -0500, Mimi Zohar wrote:
> > On Mon, 2013-02-11 at 15:11 -0500, Vivek Goyal wrote:
> > > appraise_type=imasig_optional will allow appraisal to pass even if no
> > > signatures
On Tue, 2013-02-12 at 13:52 -0500, Vivek Goyal wrote:
> On Tue, Feb 12, 2013 at 12:14:07PM -0500, Mimi Zohar wrote:
>
> [..]
> > > > > --- a/security/integrity/ima/ima_appraise.c
> > > > > +++ b/security/integrity/ima/ima_appraise.c
> > > > >
On Mon, 2013-01-28 at 15:13 -0500, Vivek Goyal wrote:
> On Mon, Jan 28, 2013 at 02:51:34PM -0500, Mimi Zohar wrote:
> > On Mon, 2013-01-28 at 13:52 -0500, Vivek Goyal wrote:
> > > On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote:
> > >
> > > [.
On Mon, 2013-01-28 at 15:22 -0500, Vivek Goyal wrote:
> On Mon, Jan 28, 2013 at 03:15:49PM -0500, Mimi Zohar wrote:
> > On Mon, 2013-01-28 at 13:56 -0500, Vivek Goyal wrote:
> > > On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote:
> > >
> > > [.
On Tue, 2013-01-29 at 13:20 -0500, Vivek Goyal wrote:
> On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote:
>
> [..]
> > > Hi Mimi,
> > >
> > > By policy you mean ima rules here? So I can either enable default rules
> > > (tcb default rules f
On Tue, 2013-01-29 at 15:10 -0500, Vivek Goyal wrote:
> On Tue, Jan 29, 2013 at 03:01:13PM -0500, Mimi Zohar wrote:
>
> [..]
> > > Hi Mimi,
> > >
> > > Can we add another field to ima_rule_entry, say .enforcement to control
> > > the behavior of .act
On Wed, 2013-01-30 at 06:32 +, Matthew Garrett wrote:
> On Tue, Jan 29, 2013 at 11:58:53AM -0500, Vivek Goyal wrote:
> > On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote:
> > > The assumption has always been that the initramfs would be measured, for
> > >
On Wed, 2013-01-30 at 16:53 -0500, Vivek Goyal wrote:
> On Tue, Jan 22, 2013 at 05:07:31PM -0500, Mimi Zohar wrote:
>
> [..]
> > /* iint cache flags */
> > +#define IMA_ACTION_FLAGS 0xff00
> > #define IMA_DIGSIG 0x0100
> > +#define IMA_DIGSIG_RE
On Thu, 2013-01-31 at 13:41 -0500, Vivek Goyal wrote:
> On Wed, Jan 30, 2013 at 05:42:39PM -0500, Mimi Zohar wrote:
> > On Wed, 2013-01-30 at 16:53 -0500, Vivek Goyal wrote:
> > > On Tue, Jan 22, 2013 at 05:07:31PM -0500, Mimi Zohar wrote:
> > >
> > > >
On Mon, 2013-01-28 at 13:52 -0500, Vivek Goyal wrote:
> On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote:
>
> [..]
> > > Ok. I am hoping that it will be more than the kernel command line we
> > > support. In the sense that for digital signatures one needs to parse
> > > the signatu
On Mon, 2013-01-28 at 13:56 -0500, Vivek Goyal wrote:
> On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote:
>
> [..]
> > > Ok. I am hoping that it will be more than the kernel command line we
> > > support. In the sense that for digital signatures one needs to parse
> > > the signatu
On Fri, 2013-02-22 at 13:20 -0800, Randy Dunlap wrote:
> On 02/22/13 11:46, Mimi Zohar wrote:
> > Fix a build error when CONFIG_BLOCK is not enabled by defining
> > a wrapper called ima_part_pack_uuid(). The wrapper returns
> > -EINVAL, when CONFIG_BLOCK is not defined.
>
t-function-declaration]
Changelog v1:
- rename ima_part_pack_uuid() to blk_part_pack_uuid()
- resolve scripts/checkpatch.pl warnings
Changelog v0:
- fix UUID scripts/Lindent msgs
Reported-by: Randy Dunlap
Reported-by: David Rientjes
Signed-off-by: Mimi Zohar
---
include/linux/genhd.h
Commit "750943a ima: remove enforce checking duplication" combined
the 'in IMA policy' and 'enforcing file integrity' checks. For
the non-file, kernel module verification, a specific check for
'enforcing file integrity' was not added. This patch ad
Both of these patches are bug fixes for patches, which were
upstreamed in this open window. The first patch addresses
a merge issue. The second patch addresses a CONFIG_BLOCK
dependency.
thanks,
Mimi
Mimi Zohar (2):
ima: "remove enforce checking duplication" merge fix
Reported-by: Randy Dunlap
Reported-by: David Rientjes
Signed-off-by: Mimi Zohar
Acked-by: David Rientjes
Acked-by: Randy Dunlap
Cc: Jens Axboe
---
include/linux/genhd.h | 10 ++
security/integrity/ima/ima_policy.c | 11 ++-
2 files changed, 16 insertions(+), 5 dele
On Tue, 2013-02-26 at 16:20 +, Al Viro wrote:
> On Wed, Feb 20, 2013 at 04:27:51PM -0500, Mimi Zohar wrote:
> > Hi Al,
> >
> > Are there any negative repercussions to temporarily removing the
> > o_direct flag in order to calculate the file hash?
>
On Tue, 2013-02-26 at 20:34 +, Al Viro wrote:
> On Tue, Feb 26, 2013 at 02:32:08PM -0500, Mimi Zohar wrote:
> > Before anything gets access to the file, the file needs to be measured,
> > appraised, and/or audited, based on policy. If IMA-appraisal is enabled
> > and the
On Wed, 2013-02-27 at 14:26 +0200, Kasatkin, Dmitry wrote:
> On Wed, Feb 27, 2013 at 11:21 AM, Kasatkin, Dmitry
> wrote:
> > On Wed, Feb 27, 2013 at 1:22 AM, Mimi Zohar
> > wrote:
> >> On Tue, 2013-02-26 at 20:34 +, Al Viro wrote:
> >>> On Tue, Feb 2
On Wed, 2013-02-27 at 19:00 +, Al Viro wrote:
> On Wed, Feb 27, 2013 at 11:21:15AM +0200, Kasatkin, Dmitry wrote:
> > On Wed, Feb 27, 2013 at 1:22 AM, Mimi Zohar
> > wrote:
> > > On Tue, 2013-02-26 at 20:34 +, Al Viro wrote:
> > >> On Tue, Feb 26,
On Thu, 2013-02-28 at 10:13 -0500, Vivek Goyal wrote:
> Hi Mimi,
>
> I am running into issues w.r.t IMA policy management and user space
> signing. So thought of dropping a mail and gather some ideas.
>
> Currently IMA seems to able to one policy only which does not contain
> conflicting rules. W
On Thu, 2013-02-28 at 13:51 -0500, Vivek Goyal wrote:
> On Thu, Feb 28, 2013 at 10:13:33AM -0500, Vivek Goyal wrote:
> > Hi Mimi,
> >
> > I am running into issues w.r.t IMA policy management and user space
> > signing. So thought of dropping a mail and gather some ideas.
> >
> > Currently IMA see
On Thu, 2013-02-28 at 15:57 -0500, Vivek Goyal wrote:
> Hi Mimi,
>
> You asked me to not come up with new signing scheme and look into IMA
> and make use of it. And that's what I am trying to do. As I continue
> to do implementation, new concerns crop up and I am raising these.
And I appreciate i
On Thu, 2013-02-28 at 15:08 -0500, Vivek Goyal wrote:
> - New hook is required so that we can call it after locking down the
> executable in memory. Even if we have a separate method/hook for
> bzImage verification, it does not take away the need for verifying
> /sbin/kexec executable signatu
On Thu, 2013-02-28 at 17:20 -0500, Eric Paris wrote:
> On Thu, Feb 28, 2013 at 4:35 PM, Vivek Goyal wrote:
> > On Thu, Feb 28, 2013 at 02:23:39PM -0500, Mimi Zohar wrote:
>
> I think just a second for both of you to step back and see a slightly
> larger picture/problem might he
On Mon, 2013-02-18 at 13:21 -0500, Vivek Goyal wrote:
> On Thu, Feb 14, 2013 at 10:30:15AM -0500, Mimi Zohar wrote:
> > On Thu, 2013-02-14 at 10:03 -0500, Vivek Goyal wrote:
> > > On Wed, Feb 13, 2013 at 05:27:01PM -0500, Mimi Zohar wrote:
> > >
> > > [..
On Tue, 2013-02-19 at 16:28 -0800, Randy Dunlap wrote:
> On 02/18/13 22:03, Stephen Rothwell wrote:
> > Hi all,
> >
> > Changes since 20130218:
> >
>
> on x86_64:
>
> CC security/integrity/ima/ima_policy.o
> security/integrity/ima/ima_policy.c: In function 'ima_parse_rule':
> security/in
On Wed, 2013-02-20 at 11:30 -0800, Randy Dunlap wrote:
> On 02/20/13 08:50, Mimi Zohar wrote:
> > On Tue, 2013-02-19 at 16:28 -0800, Randy Dunlap wrote:
> >> On 02/18/13 22:03, Stephen Rothwell wrote:
> >>> Hi all,
> >>>
> >>> Changes sin
2c/0x4c0
[3.752074] [] do_filp_open+0x30/0x80
[3.752074] [] do_sys_open+0xef/0x1d0
[3.752074] [] sys_open+0x2d/0x40
[3.752074] [] syscall_call+0x7/0xb
Reported-by: Cédric BERTHION
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima_crypto.c | 7
On Thu, 2013-02-21 at 08:26 -0800, Linus Torvalds wrote:
> On Thu, Feb 21, 2013 at 6:03 AM, James Morris wrote:
> > This is basically a maintenance update for the TPM driver and EVM/IMA.
>
> Hmm. There were conflicts in lib/digsig.c and ima_main.c. The digsig
> one was pretty trivial, but I'd lik
On Thu, 2013-02-21 at 10:21 -0800, Linus Torvalds wrote:
> On Thu, Feb 21, 2013 at 10:06 AM, Mimi Zohar wrote:
> >
> > Almost, and enforcing file integrity is enabled. The merged result
> > should look like what's contained in
> > linux-integrity/next
On Thu, 2013-02-21 at 13:54 -0800, David Rientjes wrote:
> On Tue, 5 Feb 2013, Mimi Zohar wrote:
>
> > diff --git a/security/integrity/ima/ima_policy.c
> > b/security/integrity/ima/ima_policy.c
> > index 4adcd0f..23f49e3 100644
> > --- a/security/integrity/ima/i
On Fri, 2013-02-22 at 10:55 -0800, Randy Dunlap wrote:
> On 02/22/13 10:43, Mimi Zohar wrote:
> > Forwarded Message
> > From: David Rientjes
> > To: Mimi Zohar
> > Cc: linux-security-mod...@vger.kernel.org, linux-kernel@vger.kernel.org,
> >
t-function-declaration]
Changelog v0:
- fix UUID scripts/Lindent msgs
Reported-by: Randy Dunlap
Reported-by: David Rientjes
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima.h| 13 +
security/integrity/ima/ima_policy.c | 11 ++-
2 files changed, 19 insert
On Tue, 2012-09-04 at 15:21 +0300, Kasatkin, Dmitry wrote:
> On Tue, Sep 4, 2012 at 3:07 PM, Kasatkin, Dmitry
> wrote:
> > Hi,
> >
> > Please read below...
> >
> > On Tue, Sep 4, 2012 at 8:55 AM, Rusty Russell wrote:
> >> OK, I took a look at the module.c parts of David and Dmitry's patchsets,
>
On Wed, 2012-09-12 at 17:04 +0930, Rusty Russell wrote:
> "H. Peter Anvin" writes:
>
> > On 09/06/2012 11:13 AM, Kees Cook wrote:
> >> Instead of (or in addition to) kernel module signing, being able to reason
> >> about the origin of a kernel module would be valuable in situations
> >> where an
On Wed, 2012-10-03 at 02:44 -0700, Eric W. Biederman wrote:
> Linus Torvalds writes:
>
> > On Tue, Oct 2, 2012 at 4:35 AM, James Morris wrote:
> >> Highlights:
> >>
> >> - Integrity: add local fs integrity verification to detect offline attacks
> >> - Integrity: add digital signature verificatio
On Thu, 2012-10-04 at 15:09 +0930, Rusty Russell wrote:
> Kees Cook writes:
>
> > On Thu, Sep 20, 2012 at 3:14 PM, Kees Cook wrote:
> >> As part of the effort to create a stronger boundary between root and
> >> kernel, Chrome OS wants to be able to enforce that kernel modules are
> >> being load
On Fri, 2012-10-05 at 17:42 +0300, Kasatkin, Dmitry wrote:
> Hello,
>
> On Fri, Oct 5, 2012 at 4:47 AM, Rusty Russell wrote:
> >
> > Hi all,
> >
> > Had a talk with Mimi, and IMA still wants xattr signatures on
> > modules like they have for other files with EVM. With Kees' patches now
>
On Wed, 2012-10-24 at 13:19 -0400, Vivek Goyal wrote:
> On Tue, Oct 23, 2012 at 09:44:59AM -0700, Eric W. Biederman wrote:
> > Matthew Garrett writes:
> >
> > > On Tue, Oct 23, 2012 at 10:59:20AM -0400, Vivek Goyal wrote:
> > >
> > >> But what about creation of a new program which can call kexec_
On Wed, 2012-10-24 at 13:36 -0400, Vivek Goyal wrote:
> On Tue, Oct 23, 2012 at 09:19:27AM -0700, Eric W. Biederman wrote:
> > Vivek Goyal writes:
> >
> > > On Tue, Oct 23, 2012 at 09:18:54AM -0400, Vivek Goyal wrote:
> > >
> > > [..]
> > >> > >> There are 3 options for trusting /sbin/kexec. The
On Wed, 2012-10-24 at 23:44 -0700, Kees Cook wrote:
> On Wed, Oct 24, 2012 at 10:43 PM, Mimi Zohar wrote:
> > On Wed, 2012-10-24 at 13:19 -0400, Vivek Goyal wrote:
> >> On Tue, Oct 23, 2012 at 09:44:59AM -0700, Eric W. Biederman wrote:
> >> > Matthew Garrett write
On Thu, 2012-10-25 at 10:10 -0400, Vivek Goyal wrote:
> On Thu, Oct 25, 2012 at 02:10:01AM -0400, Mimi Zohar wrote:
>
> [..]
> > IMA-appraisal verifies the integrity of file data, while EVM verifies
> > the integrity of the file metadata, such as LSM and IMA-apprai
On Thu, 2012-10-25 at 09:54 -0400, Vivek Goyal wrote:
> On Thu, Oct 25, 2012 at 01:43:59AM -0400, Mimi Zohar wrote:
> > On Wed, 2012-10-24 at 13:19 -0400, Vivek Goyal wrote:
> > > On Tue, Oct 23, 2012 at 09:44:59AM -0700, Eric W. Biederman wrote:
> > >
On Thu, 2012-10-25 at 14:55 -0400, Vivek Goyal wrote:
> On Thu, Oct 25, 2012 at 02:40:21PM -0400, Mimi Zohar wrote:
> > On Thu, 2012-10-25 at 10:10 -0400, Vivek Goyal wrote:
> > > On Thu, Oct 25, 2012 at 02:10:01AM -0400, Mimi Zohar wrote:
> > >
> > > [..
On Thu, 2012-11-01 at 09:53 -0400, Vivek Goyal wrote:
> On Thu, Nov 01, 2012 at 09:10:03AM -0400, Vivek Goyal wrote:
>
> [..]
> > >
> > > > - So say we can sign /sbin/kexec at build time and distros can do that.
> > > > - Verify the signature at exec time using kernel keyring and if
> > > > ver
On Fri, 2012-09-21 at 12:22 +1000, James Morris wrote:
> On Thu, 20 Sep 2012, Kees Cook wrote:
>
> > Earlier proposals for appending signatures to kernel modules would not be
> > useful in Chrome OS, since it would involve adding an additional set of
> > keys to our kernel and builds for no good r
ash-verified root filesystem. Other LSMs can, for example,
> read extended attributes for signatures, etc.
>
> Signed-off-by: Kees Cook
> Acked-by: Serge E. Hallyn
> Acked-by: Eric Paris
Thanks, please include my
Acked-by: Mimi Zohar
> ---
> include/linux/security.h | 13
On Fri, 2012-10-26 at 03:39 +0100, Matthew Garrett wrote:
> On Thu, Oct 25, 2012 at 09:15:58PM -0400, Mimi Zohar wrote:
>
> > On a running system, the package installer, after verifying the package
> > integrity, would install each file with the associated 'security.ima'
On Fri, 2012-10-26 at 19:19 +0100, Matthew Garrett wrote:
> On Fri, Oct 26, 2012 at 01:59:34PM -0400, Mimi Zohar wrote:
> > On Fri, 2012-10-26 at 03:39 +0100, Matthew Garrett wrote:
> > > and it must be impossible for anything other than
> > > /sbin/kexec to
On Fri, 2012-10-26 at 13:06 -0400, Vivek Goyal wrote:
> On Fri, Oct 26, 2012 at 03:39:16AM +0100, Matthew Garrett wrote:
> > On Thu, Oct 25, 2012 at 09:15:58PM -0400, Mimi Zohar wrote:
> >
> > > On a running system, the package installer, after verifying the package
> >
On Tue, 2013-09-17 at 14:55 +0100, David Howells wrote:
> There's a slight change upstream that means that my patchset needs
> regenerating (the initconst changes). Can you bring your -next branch up to
> date with linus/master so that I can rebase on top of it?
Once -rc1 is out, James normally r
On Wed, 2013-09-18 at 12:53 +0100, David Howells wrote:
> Stephen Rothwell wrote:
>
> > Is there some reason that those fixups cannot be done in a merge commit?
> > i.e. are they more than simple text updates?
Hi Stephen, the issue is that the patches were created against a newer
kernel (eg. nex
On Mon, 2013-09-09 at 11:49 -0400, Matthew Garrett wrote:
> Some use cases require the ability to ensure that anything running in ring 0
> is trusted code. We have support for signing the kernel and kernel modules,
> but there's still a range of exported kernel interfaces that make it easy to
> mod
On Tue, 2013-09-10 at 12:44 -0700, H. Peter Anvin wrote:
> On 09/10/2013 12:17 PM, David Lang wrote:
> >>
> >> In theory these blobs are traceable to a manufacturer. It's not really
> >> an indication that it's "safe" more than it's an indication that it
> >> hasn't been changed. But I haven't chas
On Tue, 2013-09-10 at 16:48 -0700, H. Peter Anvin wrote:
> On 09/10/2013 04:43 PM, Mimi Zohar wrote:
> >
> > Why invent yet another method of verifying the integrity of a file based
> > on a signature? Why not use the existing method for appraising files?
> > Just cre
On Tue, 2013-09-10 at 17:44 -0400, Vivek Goyal wrote:
> Currently digital signature verification code assumes that it can be
> used only with 3 keyrings. IMA, EVM and MODULE keyring. Provide another
> variant where one can pass in a pointer to keyring (struct key *), and
> integrity code can try to
On Thu, 2013-09-12 at 09:17 -0700, Greg KH wrote:
> On Thu, Sep 12, 2013 at 07:43:36AM -0400, Vivek Goyal wrote:
> > On Wed, Sep 11, 2013 at 08:40:23PM -0700, Greg KH wrote:
> > > On Tue, Sep 10, 2013 at 05:44:15PM -0400, Vivek Goyal wrote:
> > > > Hi,
> > > >
> > > > Matthew has been posting patc
On Wed, 2012-09-05 at 09:59 +0930, Rusty Russell wrote:
> "Kasatkin, Dmitry" writes:
> > Hi,
> >
> > Please read below...
> >
> > On Tue, Sep 4, 2012 at 8:55 AM, Rusty Russell wrote:
> >> OK, I took a look at the module.c parts of David and Dmitry's patchsets,
> >> and didn't really like either,
On Tue, 2012-09-04 at 11:55 -0400, Matthew Garrett wrote:
> kexec could be used as a vector for a malicious user to use a signed kernel
> to circumvent the secure boot trust model. In the long run we'll want to
> support signed kexec payloads, but for the moment we should just disable
> loading ent
On Fri, 2012-09-07 at 09:45 +0930, Rusty Russell wrote:
> Kees Cook writes:
> > Instead of (or in addition to) kernel module signing, being able to reason
> > about the origin of a kernel module would be valuable in situations
> > where an OS already trusts a specific file system, file, etc, due t
On Fri, 2012-09-07 at 10:19 -0700, Kees Cook wrote:
> On Fri, Sep 7, 2012 at 10:12 AM, Mimi Zohar wrote:
> > On Fri, 2012-09-07 at 09:45 +0930, Rusty Russell wrote:
> >> Kees Cook writes:
> >> > Instead of (or in addition to) kernel module signing, being able to
On Fri, 2012-09-07 at 11:38 -0700, Kees Cook wrote:
> Now that kernel module origins can be reasoned about, provide a hook to
> the LSMs to make policy decisions about the module file.
>
> Signed-off-by: Kees Cook
> Acked-by: Serge E. Hallyn
> ---
> include/linux/security.h | 13 +
On Mon, 2012-12-03 at 11:56 +1030, Rusty Russell wrote:
> Mimi Zohar writes:
> > Using the same name for ephemeral and "persistent" keys results
> > in deleting the "persistent" key. This patch renames the normal
> > kbuild asymmetric key pair name to "
On Tue, 2012-12-04 at 18:14 +, David Howells wrote:
> Rusty Russell wrote:
>
> > > +PHONY += _newmodpubkey_
> > > +_newmodpubkey_:
> > > + @rm -f $(MODSECKEY) $(MODPUBKEY)
> > > + $(Q)$(MAKE) -W kernel/modsign_pubkey.o
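Review bot: `@rm -f $(MODSECKEY) $(MODPUBKEY)` in the `_newmodpubkey_` recipe removes both key files unconditionally, and the leading `@` keeps the command out of the build output, so nothing in the log records that the signing key pair was discarded. Drop the `@` or print a message before the removal, and add a comment above the target stating when it is meant to be run.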
>
> Please don't do this. It can muck up the dependencies as make think
On Thu, 2012-10-18 at 10:43 +0800, Fengguang Wu wrote:
> Mimi,
>
> Although this occurs in the xen tree head, it's more likely related to
> ima_inode_post_setattr().
Under certain circumstances ima_inode_post_setattr() removes
'security.ima' without checking that it exists. shmem doesn't seem to
On Tue, 2012-12-11 at 14:51 +0200, Kasatkin, Dmitry wrote:
> >> Here are two patches for policy search speedup.
> >>
> >> First patch adds additional features flags to superblock.
> >> Second - implementation for IMA.
> >>
> >> Two months ago I was asking about it on mailing lists.
> >> Suggestion
On Thu, 2012-11-22 at 14:49 +0200, Dmitry Kasatkin wrote:
> This patch introduces new super block attribute flag s_feature_flags
> and SF_IMA_DISABLED flag. This flag will be used by Integrity Measurement
> Architecture (IMA). Name suggested by Bruce Fields.
The patch looks good. The patch descri
On Tue, 2012-12-11 at 08:59 -0800, Linus Torvalds wrote:
> On Tue, Dec 11, 2012 at 6:08 AM, Mimi Zohar wrote:
> > On Tue, 2012-12-11 at 14:51 +0200, Kasatkin, Dmitry wrote:
> >> >>
> >> >> Two months ago I was asking about it on mailing lists.
> >>
On Tue, 2012-12-11 at 13:35 -0500, Eric Paris wrote:
> On Tue, Dec 11, 2012 at 1:18 PM, Mimi Zohar wrote:
>
> > The appraisal policy is based on the object metadata, such as the uid,
> > so the result is static and can be cached. The measurement policy, on
> > the other
On Tue, 2012-12-11 at 13:09 -0500, Eric Paris wrote:
> On Tue, Dec 11, 2012 at 12:55 PM, Linus Torvalds
> wrote:
>
> > And your "pseudo-filesystems" argument is pretty stupid too, since WE
> > ALREADY HAVE A FLAG FOR THAT!
> >
> > Guess where it is? Oh, it's in the place I already mentioned makes
On Tue, 2012-12-11 at 11:10 -0800, Linus Torvalds wrote:
> Anyway, the whole "you can do it at file granularity" isn't the bulk
> of my argument (the "we already have the field that makes sense" is).
> But my point is that per-inode is not only the logically more
> straightforward place to do it,
On Wed, 2012-11-14 at 21:09 -0800, Eric W. Biederman wrote:
> Vivek Goyal writes:
>
> > On Thu, Nov 08, 2012 at 01:03:17PM -0800, Eric W. Biederman wrote:
> >> Vivek Goyal writes:
> >>
> >> > On Thu, Nov 08, 2012 at 02:40:50PM -0500, Vivek Goyal wrote:
> >> >> On Tue, Nov 06, 2012 at 03:51:59PM
On Mon, 2012-11-05 at 18:20 +0100, Takashi Iwai wrote:
> Add a feature to check the firmware signature, specified via Kconfig
> CONFIG_FIRMWARE_SIG. The signature check is performed only for the
> direct fw loading without udev. Also no check for built-in firmware
> blobs is implemented yet.
>
>
On Thu, 2012-11-08 at 14:40 -0500, Vivek Goyal wrote:
> On Tue, Nov 06, 2012 at 03:51:59PM -0800, Eric W. Biederman wrote:
>
> [..]
>
> Thinking more about executable signature verification, I have another question.
>
> While verifying the signature, we will have to read the whole executable
> in
The new kernel module syscall appraises kernel modules based
on policy. If the IMA policy requires kernel module checking,
fallback to module signature enforcing for the existing syscall,
if enabled. Otherwise return INTEGRITY_UNKNOWN.
Signed-off-by: Mimi Zohar
---
security/integrity/ima
.
Reported-by: Sven Vermeulen
Signed-off-by: Mimi Zohar
Acked-by: Hugh Dickins
---
mm/shmem.c | 16
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/mm/shmem.c b/mm/shmem.c
index 5e6a842..a8e1072 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -1939,6 +1939,13 @@ shmem_mknod
d ifdef inclusion of integrity_audit_msg() (Fengguang Wu)
Signed-off-by: Mimi Zohar
---
Documentation/kernel-parameters.txt | 10 +++---
security/integrity/Kconfig | 15 +
security/integrity/Makefile | 1 +
security/integrity/ima/Kconfig | 12 ---
security/integrity/im
Before modifying an EVM protected extended attribute or any other
metadata included in the HMAC calculation, the existing 'security.evm'
is verified. This patch adds calls to integrity_audit_msg() to audit
integrity metadata failures.
Reported-by: Sven Vermeulen
Signed-off-by:
On Thu, 2013-02-28 at 16:35 -0500, Vivek Goyal wrote:
> On Thu, Feb 28, 2013 at 02:23:39PM -0500, Mimi Zohar wrote:
>
> [..]
> > I would suggest that the ima_appraise_tcb, which is more restrictive, be
> > permitted to replace the secureboot policy.
>
> Also ima_appr
On Thu, 2013-02-28 at 20:49 -0500, Mimi Zohar wrote:
> On Thu, 2013-02-28 at 17:20 -0500, Eric Paris wrote:
> > The ima_tcb policy was meant to be larger than needed to determine a
> > trusted computing base, but it is clearly not a superset of what he is
> > hoping to acc
On Fri, 2013-03-01 at 10:12 +, Steven Whitehouse wrote:
> Hi,
>
> I'm wondering whether there is a list somewhere of fields which
> security_inode_init_security() requires are set in an inode when it is
> called? In particular, does it matter if the inode number itself is
> unset when security
On Fri, 2013-03-01 at 13:11 +, Steven Whitehouse wrote:
> Hi,
>
> On Fri, 2013-03-01 at 07:27 -0500, Mimi Zohar wrote:
> > On Fri, 2013-03-01 at 10:12 +, Steven Whitehouse wrote:
> > > Hi,
> > >
> > > I'm wondering wh