more flexibility,
probably a boot time override can be considered.
Thanks & Regards,
- Nayna
cc: joeyli
Signed-off-by: Michal Suchanek
---
security/integrity/Kconfig | 2 --
1 file changed, 2 deletions(-)
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 232
ion
makes to the upstream.
Btw, which repository and its branch are you using ?
Thanks & Regards,
- Nayna
#ifdef CONFIG_IMA
extern int ima_bprm_check(struct linux_binprm *bprm);
extern int ima_file_check(struct file *file, int mask, int opened);
@@ -29,7 +23,7 @@ extern int
On 04/25/2019 01:19 PM, prsriva wrote:
On 2019-04-25 4:48 a.m., Nayna wrote:
On 04/23/2019 08:15 PM, Prakhar Srivastava wrote:
From: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
---
The v2 version has to be on top of the HEAD of the repository itself,
and not on the v1
function named set_module_sig_required() and renames
is_module_sig_enforced() to is_module_sig_enforced_or_required(). The
call to set_module_sig_required() is dependent on CONFIG_IMA_ARCH_POLICY
being enabled.
Signed-off-by: Mimi Zohar
---
Reviewed-by: Nayna Jain
Thanks & Reg
On 2/11/21 4:57 PM, Stefan Berger wrote:
On 2/11/21 2:54 PM, Nayna Jain wrote:
The "mrproper" target is still looking for build time generated keys
in the old path instead of certs/ directory.
This patch fixes the path as well removes the names of the files which
are no longer
On 2/11/21 5:01 PM, Stefan Berger wrote:
On 2/11/21 2:54 PM, Nayna Jain wrote:
Loading a key on the IMA trusted keyring requires the key be signed
by an existing key on the builtin or secondary trusted keyring.
Creating a Certificate Signing Request (CSR) allows the certificate
to be self
size_t i;
+
+ src_copy = match_strdup(src);
+ if (!src_copy)
+ return NULL;
The caller of this function checks for IS_ERR(..) and not
IS_ERR_OR_NULL(..). Shouldn't it return ERR_PTR(-EINVAL) instead of NULL ?
Thanks & Regards,
- Nayna
how you generate randconfig? Do you use make xconfig?
Thanks & Regards,
- Nayna
_CERT_X509_SHA256_GUID or EFI_CERT_SHA256_GUID are applied
everywhere, and does not satisfy the trust model for .platform keyring.
We should fix this, but changing now might break some existing systems.
Probably it should be discussed as separate thread from this patchset.
Thanks & Regards,
- Nayna
ert()
* is_key_on_revocation_list() -> is_cert_blacklisted()
Thanks & Regards,
- Nayna
On 1/27/21 11:11 PM, Eric Snowberg wrote:
On Jan 27, 2021, at 8:54 PM, Nayna wrote:
On 1/22/21 1:10 PM, Eric Snowberg wrote:
This fixes CVE-2020-26541.
The Secure Boot Forbidden Signature Database, dbx, contains a list of now
revoked signatures and keys previously approved to boot with
On 09/02/2019 07:52 AM, Michael Ellerman wrote:
Hi Nayna,
Hi Michael,
Sorry I've taken so long to get to this series, there's just too many
patches that need reviewing :/
No problem. I understand. Thanks for reviewing.
Nayna Jain writes:
Secure boot on POWER defines dif
On 09/02/2019 07:52 AM, Michael Ellerman wrote:
Hi Nayna,
Hi Michael,
Some more comments below.
Nayna Jain writes:
POWER secure boot relies on the kernel IMA security subsystem to
perform the OS kernel image signature verification.
Again this is just a design choice we've made,
-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2019 IBM Corporation
+ * Author: Nayna Jain
+ */
+
+#include
+#include
+
+bool arch_ima_get_secureboot(void)
+{
+ return is_powerpc_os_secureboot_enabled();
+}
+
+/* Defines IMA appraise rules for secureboot */
+static const char *const arch_rules
On 10/01/2019 02:16 PM, Greg Kroah-Hartman wrote:
On Tue, Oct 01, 2019 at 02:08:53PM -0400, Nayna wrote:
Hi Greg,
On 08/26/2019 11:01 AM, Greg Kroah-Hartman wrote:
This variant was missing from sysfs.h, I guess no one noticed it before.
Turns out the powerpc secure variable code can use
> Personally I would like to see platform key separated from integrity.
> > > But for the kexec_file part I think it is good at least it works with
> > > this fix.
> > >
> > > Acked-by: Dave Young
> >
> > The original "platform" keyring
key_perm_t perm,
keyring[id] = NULL;
}
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+ if (id == INTEGRITY_KEYRING_PLATFORM) {
Shouldn't it also check that keyring[id] is not NULL ?
Thanks & Regards,
- Nayna
+ set_platform
obfuscated mess and
not a good place at all for using ternary operator.
I have posted the v3 version that includes the suggested corrections by
you and Stefan. Sorry for some delay.
Michal and Sachin, I would appreciate if you can test the v3 version,
please ?
Thanks & Regards,
- Nayna
.
Fix this by adding the missing __init annotation.
Fixes: 9dc92c45177ab70e ("integrity: Define a trusted platform keyring")
Signed-off-by: Geert Uytterhoeven
Thanks for fixing it.
Reviewed-by: Nayna Jain
Thanks & Regards,
- Nayna
already made it available in my master and next.
Could you please wait few days? I would prefer to fix this issue instead
of reverting the whole patch.
Nayna posted a patch late yesterday titled "tpm: fixes uninitialized
allocated banks for IBM vtpm driver", which addresses this bug.
N
On 07/05/2019 10:13 AM, Stefan Berger wrote:
On 7/3/19 11:32 PM, Nayna Jain wrote:
The nr_allocated_banks and allocated banks are initialized as part of
tpm_chip_register. Currently, this is done as part of auto startup
function. However, some drivers, like the ibm vtpm driver, do not run
On 07/05/2019 01:50 PM, Jarkko Sakkinen wrote:
On Fri, 2019-07-05 at 11:32 -0400, Nayna wrote:
I am not sure of the purpose of tpm_stop_chip(), so I have left it as it
is. Jarkko, what do you think about the change ?
Stefan right. Your does not work, or will randomly work or not work
to SHA1_DIGEST_SIZE?
I'm looking to drop TPM_DIGEST_SIZE eventually.
I was thinking if we should use SHA1_DIGEST_SIZE directly from
, or probably
Thanks & Regards,
- Nayna
Reviewed-by: Jarkko Sakkinen
/Jarkko
---
V2: Add some missing '.'
drivers/char/tpm/t
On 11/30/2016 10:29 PM, Nayna wrote:
On 11/26/2016 09:17 PM, Jarkko Sakkinen wrote:
On Sat, Nov 26, 2016 at 07:45:39AM -0500, Nayna Jain wrote:
Unlike the device driver support for TPM 1.2, the TPM 2.0 does
not support the securityfs pseudo files for displaying the
firmware event log
On 11/18/2016 09:43 PM, Jarkko Sakkinen wrote:
On Fri, Nov 18, 2016 at 05:42:01PM +0530, Nayna wrote:
On 11/17/2016 11:12 PM, Jarkko Sakkinen wrote:
On Thu, Nov 17, 2016 at 05:20:36PM +0530, Nayna wrote:
I tested this for capability TPM2_CAP_PCRS. It seems TPM2_CAP_PCRS
capability always
On 11/22/2016 04:53 PM, Jarkko Sakkinen wrote:
On Mon, Nov 14, 2016 at 05:00:50AM -0500, Nayna Jain wrote:
This commit is based on a commit by Nayna Jain. Replaced dynamically
allocated bios_dir with a static array as the size is always constant.
Suggested-by: Jason Gunthorpe
Signed-off-by
On 11/22/2016 10:12 PM, Jason Gunthorpe wrote:
On Tue, Nov 22, 2016 at 01:22:00PM +0200, Jarkko Sakkinen wrote:
On Mon, Nov 14, 2016 at 05:00:51AM -0500, Nayna Jain wrote:
Check for TPM2 chip in tpm_sysfs_add_device, tpm_bios_log_setup and
tpm_bios_log_teardown in order to make code flow
On 11/24/2016 01:07 AM, Jason Gunthorpe wrote:
On Wed, Nov 23, 2016 at 12:27:36PM -0500, Nayna Jain wrote:
sizep = of_get_property(np, "linux,sml-size", NULL);
+ if (of_property_match_string(np, "compatible", "IBM,vtpm") < 0)
+
On 11/24/2016 01:08 AM, Jason Gunthorpe wrote:
On Wed, Nov 23, 2016 at 12:27:35PM -0500, Nayna Jain wrote:
The device driver code for the event log has the init functions and
TPM 1.2 parsing logic both defined in same file(tpm_eventlog.c).
Since the initialization functions are common with
On 11/15/2016 05:18 AM, Jarkko Sakkinen wrote:
On Fri, Nov 11, 2016 at 04:02:43PM -0800, Jarkko Sakkinen wrote:
On Fri, Nov 11, 2016 at 09:51:45AM +0530, Nayna wrote:
On 10/09/2016 03:44 PM, Jarkko Sakkinen wrote:
Refactored tpm2_get_tpm_pt to tpm2_getcap_cmd, which means that it also
On 11/24/2016 10:13 PM, Jason Gunthorpe wrote:
On Thu, Nov 24, 2016 at 01:31:03PM +0530, Nayna wrote:
Since the initialization functions are common with the TPM 2.0 event
log support, this patch splits tpm_eventlog.c to have only TPM 1.2
event log parsing logic and moves the init functions
On 01/17/2017 09:43 PM, Jarkko Sakkinen wrote:
On Tue, Jan 17, 2017 at 01:23:44PM +0530, Nayna wrote:
On 01/12/2017 11:50 PM, Jarkko Sakkinen wrote:
On Thu, Jan 12, 2017 at 11:58:10AM -0500, Nayna Jain wrote:
The current TPM 2.0 device driver extends only the SHA1 PCR bank
but the TCG
On 01/18/2017 07:15 PM, Jarkko Sakkinen wrote:
On Wed, Jan 18, 2017 at 03:44:49AM -0500, Nayna Jain wrote:
This patch implements the TPM 2.0 capability TPM_CAP_PCRS to
retrieve the active PCR banks from the TPM. This is needed
to enable extending all active banks as recommended by TPM 2.0
TCG
On 01/18/2017 07:28 PM, Jarkko Sakkinen wrote:
On Wed, Jan 18, 2017 at 03:44:50AM -0500, Nayna Jain wrote:
The current TPM 2.0 device driver extends only the SHA1 PCR bank
but the TCG Specification[1] recommends extending all active PCR
banks, to prevent malicious users from setting unused
On 01/19/2017 04:17 PM, Jarkko Sakkinen wrote:
On Wed, Jan 18, 2017 at 07:19:06PM +0530, Nayna wrote:
On 01/18/2017 07:15 PM, Jarkko Sakkinen wrote:
On Wed, Jan 18, 2017 at 03:44:49AM -0500, Nayna Jain wrote:
This patch implements the TPM 2.0 capability TPM_CAP_PCRS to
retrieve the active
On 01/12/2017 11:55 PM, Jarkko Sakkinen wrote:
On Thu, Jan 12, 2017 at 11:58:09AM -0500, Nayna Jain wrote:
This patch implements the TPM 2.0 capability TPM_CAP_PCRS to
retrieve the active PCR banks from the TPM. This is needed
to enable extending all active banks as recommended by TPM 2.0
TCG
On 01/12/2017 11:50 PM, Jarkko Sakkinen wrote:
On Thu, Jan 12, 2017 at 11:58:10AM -0500, Nayna Jain wrote:
The current TPM 2.0 device driver extends only the SHA1 PCR bank
but the TCG Specification[1] recommends extending all active PCR
banks, to prevent malicious users from setting unused
On 01/31/2017 11:16 PM, Jarkko Sakkinen wrote:
On Mon, Jan 30, 2017 at 03:08:42PM +0530, Nayna wrote:
From: "Ken Goldman" <kg...@linux.vnet.ibm.com>
Date: 26-Jan-2017 2:53 AM
Subject: Re: [tpmdd-devel] [PATCH v9 2/2] tpm: add securityfs
support,for TPM 2.0 firmw
On 02/01/2017 02:20 AM, Jarkko Sakkinen wrote:
On Wed, Feb 01, 2017 at 12:14:12AM +0530, Nayna wrote:
I already sent my pull request to 4.11 and even today I found something
fishy. You declared a function local array by using a variable in "tpm:
enhance TPM 2.0 PCR extend to support mul
On 02/01/2017 08:24 PM, Jarkko Sakkinen wrote:
On Wed, Feb 01, 2017 at 04:48:37PM +0200, Jarkko Sakkinen wrote:
On Tue, Jan 31, 2017 at 10:50:06PM +0200, Jarkko Sakkinen wrote:
On Wed, Feb 01, 2017 at 12:14:12AM +0530, Nayna wrote:
I already sent my pull request to 4.11 and even today I
On 01/23/2017 08:43 PM, Jarkko Sakkinen wrote:
On Mon, Jan 23, 2017 at 02:26:27AM -0500, Nayna Jain wrote:
Unlike the device driver support for TPM 1.2, the TPM 2.0 does
not support the securityfs pseudo files for displaying the
firmware event log.
This patch enables support for providing
On 01/24/2017 05:29 PM, Jarkko Sakkinen wrote:
On Mon, Jan 23, 2017 at 10:11:48PM +0530, Nayna wrote:
On 01/23/2017 08:49 PM, Jarkko Sakkinen wrote:
On Fri, Jan 20, 2017 at 12:05:13PM -0500, Nayna Jain wrote:
The current TPM 2.0 device driver extends only the SHA1 PCR bank
but the TCG
On 01/26/2017 05:03 AM, Jarkko Sakkinen wrote:
On Wed, Jan 25, 2017 at 10:45:35PM +0200, Jarkko Sakkinen wrote:
On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote:
IMA extends its hash measurements in the TPM PCRs, based on policy.
The existing in-kernel TPM extend function extends
On 01/23/2017 08:49 PM, Jarkko Sakkinen wrote:
On Fri, Jan 20, 2017 at 12:05:13PM -0500, Nayna Jain wrote:
The current TPM 2.0 device driver extends only the SHA1 PCR bank
but the TCG Specification[1] recommends extending all active PCR
banks, to prevent malicious users from setting unused
On 01/26/2017 02:15 AM, Jarkko Sakkinen wrote:
On Fri, Jan 20, 2017 at 12:05:11PM -0500, Nayna Jain wrote:
IMA extends its hash measurements in the TPM PCRs, based on policy.
The existing in-kernel TPM extend function extends only the SHA1
PCR bank. TPM 2.0 defines multiple PCR banks, to
On 01/29/2017 08:10 PM, Jarkko Sakkinen wrote:
On Fri, Jan 27, 2017 at 10:25:49AM -0500, Nayna Jain wrote:
This patch add validation in tpm2_get_pcr_allocation to avoid
access beyond response buffer length.
Suggested-by: Stefan Berger
Signed-off-by: Nayna Jain
This validation looks
On 01/30/2017 02:50 AM, Jarkko Sakkinen wrote:
On Sun, Jan 29, 2017 at 10:48:39PM +0530, Nayna wrote:
On 01/29/2017 08:10 PM, Jarkko Sakkinen wrote:
On Fri, Jan 27, 2017 at 10:25:49AM -0500, Nayna Jain wrote:
This patch add validation in tpm2_get_pcr_allocation to avoid
access beyond
from a Nuvoton TPM 2.0 chip on
that same platform.
Thank You Ken.
Jarkko, I hope now these patches can be accepted for 4.11.
Thanks & Regards,
- Nayna
I
independently validated that the event log matches the TPM PCR values.
Thank You Ken !!
Thanks & Regards,
- Nayna
m_add_legacy_sysfs(struct tpm_chip *chip)
struct attribute **i;
int rc;
- if (chip->flags & (TPM_CHIP_FLAG_TPM2 | TPM_CHIP_FLAG_VIRTUAL))
- return 0;
+ if (test_bit(TPM_CHIP_FLAG_TPM2, &chip->flags) ||
+ test_bit(TPM_
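Review bot: the new condition passes TPM_CHIP_FLAG_TPM2 to test_bit(), which takes a bit number, while the removed line ORs the same name with TPM_CHIP_FLAG_VIRTUAL as a mask. The flag definitions therefore have to change from mask values to bit indices in this same patch, and chip->flags has to be an unsigned long for test_bit() to be valid. Neither change is visible in this fragment. Any remaining caller that still tests these flags with `&` would silently check the wrong bit, so please confirm every user of chip->flags is converted together.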
On 11/12/2016 05:32 AM, Jarkko Sakkinen wrote:
On Fri, Nov 11, 2016 at 09:51:45AM +0530, Nayna wrote:
On 10/09/2016 03:44 PM, Jarkko Sakkinen wrote:
Refactored tpm2_get_tpm_pt to tpm2_getcap_cmd, which means that it also
takes capability ID as input. This is required to access
On 11/17/2016 11:12 PM, Jarkko Sakkinen wrote:
On Thu, Nov 17, 2016 at 05:20:36PM +0530, Nayna wrote:
I tested this for capability TPM2_CAP_PCRS. It seems TPM2_CAP_PCRS
capability always returns full PCR allocation, and more_data as 0, So, I
think the idea of looping over based on more_data
On 10/02/2016 12:55 AM, Jarkko Sakkinen wrote:
This commit is based on a commit by Nayna Jain. Replaced dynamically
allocated bios_dir with a static array as the size is always constant.
Suggested-by: Jason Gunthorpe
Signed-off-by: Nayna Jain
Signed-off-by: Jarkko Sakkinen
---
drivers
securityfs_remove():
if (!dentry || IS_ERR(dentry))
return;
Thanks & Regards,
- Nayna
The original version that used a counter in chip did not need it.
Jason
On 11/15/2016 07:45 AM, Jarkko Sakkinen wrote:
On Mon, Nov 14, 2016 at 04:25:14PM -0800, Jarkko Sakkinen wrote:
On Mon, Nov 14, 2016 at 02:33:23PM -0800, Jarkko Sakkinen wrote:
On Mon, Nov 14, 2016 at 05:00:47AM -0500, Nayna Jain wrote:
This patch set includes the cleanup and bug fixes
le handles;
}
}
And then the calling function, map union to the cap_data expected as per
id, and parse it.
Thanks & Regards,
- Nayna
{
struct tpm2_cmd cmd;
int rc;
- cmd.header.in = tpm2_get_tpm_pt_header;
- cmd.params.get_tpm_pt_in.cap_id
On 11/04/2016 12:58 PM, Jarkko Sakkinen wrote:
Nayna,
I've already sent these earlier this month as we had this discussion.
Please look up your emails. I can apply these if they look good for
you. Please review them.
Sure, I replied just now. I am sorry if delay in response. I wa
On 01/03/2017 03:42 AM, Jarkko Sakkinen wrote:
On Sun, Dec 11, 2016 at 12:35:33AM -0500, Nayna Jain wrote:
Unlike the device driver support for TPM 1.2, the TPM 2.0 does
not support the securityfs pseudo files for displaying the
firmware event log.
This patch enables support for providing
On 01/03/2017 07:03 PM, Jarkko Sakkinen wrote:
On Tue, Jan 03, 2017 at 01:09:18PM +0530, Nayna wrote:
On 01/03/2017 03:42 AM, Jarkko Sakkinen wrote:
On Sun, Dec 11, 2016 at 12:35:33AM -0500, Nayna Jain wrote:
Unlike the device driver support for TPM 1.2, the TPM 2.0 does
not support the
On 12/01/2016 05:13 PM, Jarkko Sakkinen wrote:
On Wed, Nov 30, 2016 at 10:29:00PM +0530, Nayna wrote:
On 11/26/2016 09:17 PM, Jarkko Sakkinen wrote:
On Sat, Nov 26, 2016 at 07:45:39AM -0500, Nayna Jain wrote:
Unlike the device driver support for TPM 1.2, the TPM 2.0 does
not support the
On 12/12/2016 08:10 PM, Jarkko Sakkinen wrote:
On Sun, Dec 11, 2016 at 12:35:32AM -0500, Nayna Jain wrote:
Physical TPMs use Open Firmware Device Tree bindings that are similar
to the IBM Power virtual TPM to support event log. However, these
properties store the values in different
On 11/26/2016 09:45 PM, Jarkko Sakkinen wrote:
On Sat, Nov 26, 2016 at 07:45:38AM -0500, Nayna Jain wrote:
Physical TPMs use Open Firmware Device Tree bindings that are similar
to the IBM Power virtual TPM to support event log. However, these
properties store the values in different
On 11/26/2016 09:17 PM, Jarkko Sakkinen wrote:
On Sat, Nov 26, 2016 at 07:45:39AM -0500, Nayna Jain wrote:
Unlike the device driver support for TPM 1.2, the TPM 2.0 does
not support the securityfs pseudo files for displaying the
firmware event log.
This patch enables support for providing
On 03/15/2017 09:22 PM, Jarkko Sakkinen wrote:
On Fri, Mar 10, 2017 at 01:45:53PM -0500, Nayna Jain wrote:
Commit 500462a9de65 "timers: Switch to a non-cascading wheel" replaced
the 'classic' timer wheel, which aimed for near 'exact' expiry of the
timers. Th
?
Thanks & Regards,
- Nayna
Signed-off-by: Jarkko Sakkinen
---
drivers/char/tpm/Makefile| 2 +-
drivers/char/tpm/tpm-chip.c | 7 +
drivers/char/tpm/tpm-dev.c | 2 +-
drivers/char/tpm/tpm-interface.c | 68 +++---
drivers/char/tpm/tpm-sysfs.c | 2 +-
drivers/
ion using TPM know whether to use
/dev/tpm0 or /dev/tpms0 ?
2. How would a userspace RM know to build on top of /dev/tpm0 or
/dev/tpms0. And if it is built on top of /dev/tpms0, can there be issues
with one RM on top of other RM.
Thanks & Regards,
- Nayna
Signed-off-by: James Bo
ntain documentation for it.
Signed-off-by: Jarkko Sakkinen
Nayna, does this look good to you?
Oops !! I don't know how it is missed. Sorry for that..My internet
connection wasn't working since my Friday evening and just started
working yesterday. So, probably somewhere got this missed a
On 02/24/2017 06:23 PM, James Bottomley wrote:
On Fri, 2017-02-24 at 12:29 +0530, Nayna wrote:
On 02/17/2017 12:55 AM, Jarkko Sakkinen wrote:
From: James Bottomley
Currently the tpm spaces are not exposed to userspace. Make this
exposure via a separate device, which can now be opened
nterface.c
index 423938e..7af1e8c 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -480,31 +480,34 @@ static const struct tpm_input_header tpm_getcap_header = {
Is tpm_getcap_header still needed ?
Thanks & Regards,
- Nayna
ssize_t tpm_getcap(s
2 for both tag
and ordinal.
Both TPM_ORD_GET_CAP and TPM_TAG_RQU_COMMAND are already defined as:
#define TPM_ORD_GET_CAP cpu_to_be32(101)
#define TPM_TAG_RQU_COMMAND cpu_to_be16(193)
and again converted to BE in tpm_buf_init().
Thanks & Regards,
- Nayna
+ if (rc)
+
On 02/03/2017 11:45 PM, Jarkko Sakkinen wrote:
On Fri, Feb 03, 2017 at 06:24:38PM +0530, Nayna wrote:
On 02/01/2017 11:23 PM, Jarkko Sakkinen wrote:
There are two type issues associated with tpm_getcap().
You must not do arithmetic with __be32 or __le32 types because sometimes
it results
ell based on if secure boot is enabled.
Thanks & Regards,
- Nayna
On 8/11/20 3:26 PM, Tyler Hicks wrote:
v2:
- Always return an ERR_PTR from ima_alloc_rule_opt_list() (Nayna)
- Add Lakshmi's Reviewed-by to both patches
- Rebased on commit 3db0d0c276a7 ("integrity: remove redundant
initialization of variable ret") of next-integ
On 7/17/20 2:11 PM, Tyler Hicks wrote:
On 2020-07-17 13:40:22, Nayna wrote:
On 7/9/20 2:19 AM, Tyler Hicks wrote:
The "appraise_flag" option is only appropriate for appraise actions
and its "blacklist" value is only appropriate when
CONFIG_IMA_APPRAISE_MODSIG is enable
(ima_rule_contains_lsm_cond(entry))
+ return false;
+
break;
default:
return false;
Should there be a check for IMA_MEASURE_ASYMMETRIC_KEYS in Opt_keyrings
in ima_parse_rule() to return immediately if not enabled ?
Thanks & Regards,
- Nayna
On 7/9/20 2:19 AM, Tyler Hicks wrote:
Ask the LSM to free its audit rule rather than directly calling kfree().
Is it to be called audit rule or filter rule ? Likewise in subject line.
Thanks & Regards,
- Nayna
c: sta...@vger.kernel.org
Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86")
Signed-off-by: Bruno Meneguele
Reviewed-by: Nayna Jain
Tested-by: Nayna Jain
Thanks & Regards,
- Nayna
Please ignore these one.. My command took patches recursively from
directory also.
Sorry for this.
Thanks & Regards,
- Nayna
On 09/06/2017 06:26 PM, Nayna Jain wrote:
The existing wait_for_tpm_stat() checks the chip status before
sleeping for 5 msec in a polling loop. For some funct
Please ignore these one.. My command took patches recursively from
directory also.
Sorry for this.
Thanks & Regards,
- Nayna
On 09/06/2017 06:26 PM, Nayna Jain wrote:
The TPM burstcount status indicates the number of bytes that can
be sent to the TPM without causing bus wait st
On 08/07/2017 05:22 PM, Peter Huewe wrote:
Am 7. August 2017 13:46:32 MESZ schrieb Nayna Jain :
The TPM burstcount status indicates the number of bytes that can
be sent to the TPM without causing bus wait states. Effectively,
it is the number of empty bytes in the command FIFO. Further
:
* Add module parameter to handle ignoring of burst count during
tpm tis send() operation.
* Add improvements over sleep time to reduce delays.
Nayna Jain (4):
tpm: move wait_for_tpm_stat() to respective driver files
tpm: ignore burstcount to improve tpm_tis send() performance
tpm: reduce tp
The function wait_for_tpm_stat() is currently defined in
tpm-interface file. It is a hardware specific function used
only by tpm_tis and xen-tpmfront, so it is removed from
tpm-interface.c and defined in respective driver files.
Suggested-by: Jarkko Sakkinen
Signed-off-by: Nayna Jain
Reviewed
1000 extends improved from ~9sec to ~8sec.
Fixes: 3b9af007869("tpm: replace msleep() with usleep_range() in TPM 1.2/
2.0 generic drivers")
Signed-off-by: Nayna Jain
Acked-by: Mimi Zohar
Tested-by: Jarkko Sakkinen
Reviewed-by: Jarkko Sakkinen
---
drivers/char/tpm/tpm.h | 4 ++--
1 fi
is valid, it writes
all the bytes at once, permitting wait state.
After this change, performance on a TPM 1.2 with an 8 byte
burstcount for 1000 extends improved from ~41sec to ~14sec.
Suggested-by: Ken Goldman in
conjunction with the TPM Device Driver work group.
Signed-off-by: Nayna Jain
burstcount in a loop. If it takes
lesser time for TPM to return, this 5msec delay is longer than
necessary.
After this change, performance on a TPM 1.2 with an 8 byte
burstcount for 1000 extends improved from ~14sec to ~9sec.
Signed-off-by: Nayna Jain
---
drivers/char/tpm/tpm_tis_core.c | 10
yeah I also agree with
this.
Thanks & Regards,
- Nayna
The code is laid out so badly right now that I have really hard time
understanding it if I haven't looked at it within last couple of weeks.
It's really a trainwreck at the moment. We must clean up it up fast.
Getting thi
On 03/07/2018 09:33 PM, David Howells wrote:
Nayna Jain wrote:
+ key = key_create_or_update(make_key_ref(keyring, 1),
+ "asymmetric",
+ NULL,
+ p,
+
On 04/05/2018 03:42 PM, Jarkko Sakkinen wrote:
On Mon, Apr 02, 2018 at 09:50:06PM +0530, Nayna Jain wrote:
Commit e2fb992d82c6 ("tpm: add retry logic") introduced a new loop to
handle the TPM2_RC_RETRY error. The loop retries the command after
sleeping for the specified time
ring kexec. Because the platform keyring are builtin, it
cannot be updated from userspace.
This keyring can be enabled by setting CONFIG_PLATFORM_KEYRING. The
platform certificate can be provided using CONFIG_PLATFORM_TRUSTED_KEYS.
Signed-off-by: Nayna Jain
---
Changelog:
v2:
* Include David Howell&
Kconfig option "IMA_USE_PLATFORM_KEYRING".
Signed-off-by: Nayna Jain
---
Changelog:
v2:
* Rename integrity_load_keyring() to integrity_find_keyring()
* Fix the patch description per line length as suggested by Mimi
security/integrity/digsig.c | 15 +++
security
This patch exports the function find_keyring_by_name() to be used by
other subsystems.
Signed-off-by: Nayna Jain
---
Changelog:
v2:
* Fix the patch description per line length as suggested by Mimi
include/linux/key.h | 2 ++
security/keys/internal.h | 2 --
security/keys/keyring.c | 1
n modified.
Signed-off-by: Roberto Sassu
Acked-by: Mimi Zohar
Reviewed-by: Jarkko Sakkinen
Mimi, Nayna, can you help with testing this (because of the IMA change)?
Sure, I will try to do by end of my day tomorrow,
Thanks & Regards,
- Nayna
/Jarkko
ob parser
Josh Boyer (2):
efi: Import certificates from UEFI Secure Boot
efi: Allow the "db" UEFI variable to be suppressed
Nayna Jain (3):
integrity: Define a trusted platform keyring
integrity: Load certs to the platform keyring
ima: Support platform
e used to
facilitate signature verification during kexec. Since the scope of this
keyring is only the platform/firmware keys, it cannot be updated from
userspace.
This keyring can be enabled by setting CONFIG_INTEGRITY_PLATFORM_KEYRING.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Acked-by: Serge H
The patch refactors integrity_load_x509(), making it a wrapper for a new
function named integrity_add_key(). This patch also defines a new
function named integrity_load_cert() for loading the platform keys.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Acked-by: Serge Hallyn
---
security
: David Howells
Acked-by: Nayna Jain
Acked-by: Serge Hallyn
---
Changelog:
v0:
- No changes
v2:
- Fixed the checkpatch.pl warnings
security/integrity/platform_certs/load_uefi.c | 45 +--
1 file changed, 35 insertions(+), 10 deletions(-)
diff --git a/security/integrity
x'
variable. We load those certificates into the newly introduced system
blacklist keyring and forbid any module signed with those from loading and
forbid the use within the kernel of any key with a matching hash.
This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS.
Signed-off-by: Josh Bo
-appraisal access to those original keys, now
loaded on the platform keyring, needed for verifying the kernel image
and initramfs signatures.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Acked-by: Serge Hallyn
- replace 'rc' with 'xattr_len' when calling integrity_