ch statement is unchanged except for having to
> dereference the status and cause variables (since they're now pointers),
> and fixing the style of a block comment to appease checkpatch.
>
> Suggested-by: Mimi Zohar
> Signed-off-by: Thiago Jung Bauermann
Reviewed-by: Mimi Zohar
Hi Thiago,
> diff --git a/security/integrity/ima/ima_policy.c
> b/security/integrity/ima/ima_policy.c
> index fca7a3f23321..a7a20a8c15c1 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1144,6 +1144,12 @@ void ima_delete_rules(void)
> }
>
e.
>
> Add a new "ima-modsig" defined template descriptor with the new fields as
> well as the ones from the "ima-sig" descriptor.
>
> Change ima_store_measurement() to accept a struct modsig * argument so that
> it can be passed along to the templates via st
Hi Thiago,
On Thu, 2019-04-18 at 00:51 -0300, Thiago Jung Bauermann wrote:
>
> @@ -326,6 +356,10 @@ int ima_appraise_measurement(enum ima_hooks func,
> case INTEGRITY_UNKNOWN:
> break;
> case INTEGRITY_NOXATTRS:/* No EVM protected xattrs. */
> +
Hi Thiago,
On Thu, 2019-04-18 at 00:51 -0300, Thiago Jung Bauermann wrote:
> If the IMA template contains the "modsig" or "d-modsig" field, then the
> modsig should be added to the measurement list when the file is appraised.
>
> And that is what normally happens, but if a measurement rule caused
On Tue, 2019-05-28 at 16:23 -0300, Thiago Jung Bauermann wrote:
> Mimi Zohar writes:
>
> > Hi Thiago,
> >
> >> diff --git a/security/integrity/ima/ima_policy.c
> >> b/security/integrity/ima/ima_policy.c
> >> index fca7a3f23321..a7a20a8c15c1 100644
>
Hi Michal,
On Wed, 2022-02-09 at 13:01 +0100, Michal Suchánek wrote:
> > > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
> > > index dea74d7717c0..1cde9b6c5987 100644
> > > --- a/arch/powerpc/Kconfig
> > > +++ b/arch/powerpc/Kconfig
> > > @@ -560,6 +560,22 @@ config KEXEC_FILE
> > > c
Hi Michal,
On Tue, 2022-01-11 at 12:37 +0100, Michal Suchanek wrote:
> Hello,
>
> This is a refresh of the KEXEC_SIG series.
> This adds KEXEC_SIG support on powerpc and deduplicates the code dealing
> with appended signatures in the kernel.
>
> powerpc supports IMA_KEXEC but that's an exceptio
[Cc'ing Nageswara R Sastry]
Hi Michal,
On Tue, 2022-01-11 at 12:37 +0100, Michal Suchanek wrote:
> Hello,
>
> This is a refresh of the KEXEC_SIG series.
>
> This adds KEXEC_SIG support on powerpc and deduplicates the code dealing
> with appended signatures in the kernel.
tools/testing/selftes
Hi Michal,
On Tue, 2022-01-11 at 12:37 +0100, Michal Suchanek wrote:
> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
> index dea74d7717c0..1cde9b6c5987 100644
> --- a/arch/powerpc/Kconfig
> +++ b/arch/powerpc/Kconfig
> @@ -560,6 +560,22 @@ config KEXEC_FILE
> config ARCH_HAS_KEXEC_PURG
Hi Michal,
On Sun, 2022-02-13 at 21:59 -0500, Mimi Zohar wrote:
>
> On Tue, 2022-01-11 at 12:37 +0100, Michal Suchanek wrote:
> > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
> > index dea74d7717c0..1cde9b6c5987 100644
> > --- a/arch/powerpc/Kconfig
> >
On Mon, 2022-02-14 at 16:55 +0100, Michal Suchánek wrote:
> Hello,
>
> On Mon, Feb 14, 2022 at 10:14:16AM -0500, Mimi Zohar wrote:
> > Hi Michal,
> >
> > On Sun, 2022-02-13 at 21:59 -0500, Mimi Zohar wrote:
> >
> > >
> > > On Tue, 2022-01-11
Hi Thiago,
On Wed, 2017-06-07 at 22:49 -0300, Thiago Jung Bauermann wrote:
> This patch introduces the modsig keyword to the IMA policy syntax to
> specify that a given hook should expect the file to have the IMA signature
> appended to it. Here is how it can be used in a rule:
>
> appraise func=
e_id_str we can
> use one hooks list for both the enum and the string array, making sure they
> are always in sync (suggested by Mimi Zohar).
>
> Finally, by using the printf pattern for the function token directly
> instead of using the pt macro we can simplify policy_func_show even
On Wed, 2017-06-07 at 22:49 -0300, Thiago Jung Bauermann wrote:
> If the file doesn't have an xattr, ima_appraise_measurement sets cause to
> "missing-hash" while if there's an xattr but it's a digest instead of a
> signature it sets cause to "IMA-signature-required".
>
> Fix it by setting cause t
On Wed, 2017-06-07 at 22:49 -0300, Thiago Jung Bauermann wrote:
> These changes are too small to warrant their own patches:
>
> The keyid and sig_size members of struct signature_v2_hdr are in BE format,
> so use a type that makes this assumption explicit. Also, use beXX_to_cpu
> instead of __beXX
On Wed, 2017-06-21 at 14:45 -0300, Thiago Jung Bauermann wrote:
> Hello Mimi,
>
> Thanks for your review, and for queuing the other patches in this series.
>
> Mimi Zohar writes:
> > On Wed, 2017-06-07 at 22:49 -0300, Thiago Jung Bauermann wrote:
> >> This patch in
On Tue, 2017-07-04 at 23:22 -0300, Thiago Jung Bauermann wrote:
> Mimi Zohar writes:
>
> > On Wed, 2017-06-21 at 14:45 -0300, Thiago Jung Bauermann wrote:
> >> Mimi Zohar writes:
> >> > On Wed, 2017-06-07 at 22:49 -0300, Thiago Jung Bauermann wrote:
Hi Julia,
On Tue, 2017-10-17 at 12:11 +0200, Julia Lawall wrote:
>
> On Tue, 17 Oct 2017, Dan Carpenter wrote:
>
> > On Tue, Oct 17, 2017 at 10:56:42AM +0200, Julia Lawall wrote:
> > >
> > >
> > > On Tue, 17 Oct 2017, Dan Carpenter wrote:
> > >
> > > > On Mon, Oct 16, 2017 at 09:35:12PM +0300, J
On Tue, 2017-10-17 at 11:50 +, alexander.stef...@infineon.com
wrote:
> > > Replace the specification of data structures by pointer dereferences
> > > as the parameter for the operator "sizeof" to make the corresponding
> > > size
> > > determination a bit safer according to the Linux coding sty
On Tue, 2017-10-17 at 14:58 +0200, Julia Lawall wrote:
>
> On Tue, 17 Oct 2017, Mimi Zohar wrote:
>
> > On Tue, 2017-10-17 at 11:50 +, alexander.stef...@infineon.com
> > wrote:
> > > > > Replace the specification of data structures by pointer dereference
On Tue, 2017-10-17 at 20:41 +0200, SF Markus Elfring wrote:
> Do you find my wording “This issue was detected by using the
> Coccinelle software.” insufficient?
The question is not whether it is insufficient, but whether it is
appropriate. Detecting Coccinelle issues is one step. The next step
On Wed, 2017-10-18 at 14:18 +1100, Michael Ellerman wrote:
> Mimi Zohar writes:
> > On Tue, 2017-10-17 at 12:11 +0200, Julia Lawall wrote:
> >> On Tue, 17 Oct 2017, Dan Carpenter wrote:
> >> > On Tue, Oct 17, 2017 at 10:56:42AM +0200, Julia Lawall wrote:
>
On Tue, 2017-10-17 at 22:53 -0200, Thiago Jung Bauermann wrote:
> diff --git a/security/integrity/ima/ima_main.c
> b/security/integrity/ima/ima_main.c
> index 6a2d960fbd92..0d3390de7432 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -246,7 +246,35
DULE_SIG_FORMAT option so that IMA can select it
> and be able to use validate_module_signature without having to depend on
> CONFIG_MODULE_SIG.
>
> Signed-off-by: Thiago Jung Bauermann
Reviewed-by: Mimi Zohar
One minor comment below...
> ---
> include/linux/module.h
rify an already parsed PKCS#7 message. For this
> purpose, add function verify_pkcs7_message_signature which takes a struct
> pkcs7_message for verification instead of the raw bytes that
> verify_pkcs7_signature takes.
>
> Signed-off-by: Thiago Jung Bauermann
Reviewed-b
On Tue, 2017-10-17 at 22:53 -0200, Thiago Jung Bauermann wrote:
> Hello,
>
> The main highlight in this version is that it fixes a bug where the modsig
> wasn't being included in the measurement list if the appraised file was
> already measured by another rule. The fix is in the last patch.
>
> A
On Thu, 2017-10-26 at 20:47 -0200, Thiago Jung Bauermann wrote:
> Mimi Zohar writes:
>
> > On Tue, 2017-10-17 at 22:53 -0200, Thiago Jung Bauermann wrote:
> >> IMA will use the module_signature format for append signatures, so export
> >> the relevant definitions
On Tue, 2017-10-17 at 22:53 -0200, Thiago Jung Bauermann wrote:
Below are a few additional comments.
> @@ -200,18 +239,28 @@ int ima_read_xattr(struct dentry *dentry,
> */
> int ima_appraise_measurement(enum ima_hooks func,
>struct integrity_iint_cache *iint,
> -
On Fri, 2018-03-16 at 17:38 -0300, Thiago Jung Bauermann wrote:
> IMA will need to obtain the keyring used to verify file signatures so that
> it can verify the module-style signature appended to files.
>
> Signed-off-by: Thiago Jung Bauermann
Signed-off-by: Mimi Zohar
>
he xattr sig is factored out from
> asymmetric_verify() so that it can be used by the new function.
>
> Signed-off-by: Thiago Jung Bauermann
Signed-off-by: Mimi Zohar
> ---
> security/integrity/digsig_asymmetric.c | 44
> +-
> securit
ains that
> CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS.
>
> Signed-off-by: Thiago Jung Bauermann
Signed-off-by: Mimi Zohar
> ---
> security/integrity/Kconfig | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/integrity/Kconfig b/security/integ
to
be refactored. In this case, verify_pkcs7_signature() verifies the
signature using keys on the builtin and secondary keyrings. IMA-
appraisal needs to verify the signature using keys on its keyring.
The patch itself looks good!
Reviewed-by: Mimi Zohar
> Signed-off-by: Thiago Jung Bauermann
> Cc:
) so sig->digest is always initialized to zero.
>
> Signed-off-by: Thiago Jung Bauermann
> Cc: David Howells
> Cc: Herbert Xu
> Cc: "David S. Miller"
Reviewed-by: Mimi Zohar
> ---
> crypto/asymmetric_keys/pkcs7_verify.c | 25 +
>
its usage should be independent of other
changes.
Mimi
>
> Suggested-by: Mimi Zohar
> Signed-off-by: Thiago Jung Bauermann
> ---
> Documentation/security/IMA-templates.rst | 5
> security/integrity/ima/ima_template.c | 4 ++-
> security/integrity/ima/ima_templ
On Fri, 2018-03-16 at 17:38 -0300, Thiago Jung Bauermann wrote:
> This patch actually implements the appraise_type=imasig|modsig option,
> allowing IMA to read and verify modsig signatures.
>
> In case both are present in the same file, IMA will first check whether the
> key used by the xattr sign
name. Perhaps something
like has_signature or is_signed() would be preferable.
Mimi
>
> Suggested-by: Mimi Zohar
> Signed-off-by: Thiago Jung Bauermann
> ---
> security/integrity/ima/ima.h | 5 +
> security/integrity/ima/ima_appraise.c | 7 +++---
ting the segment size to half
of the totalram_pages.
- Fixed kernel test robot reports as enumerated in the respective
patch changelog.
Changelog v2:
- Canonical measurement list support added
- Redefined the ima_kexec_hdr struct to use well defined sizes
Andreas Steffen (1):
ima: platform-i
From: Thiago Jung Bauermann
The IMA kexec buffer allows the currently running kernel to pass
the measurement list via a kexec segment to the kernel that will be
kexec'd. The second kernel can check whether the previous kernel sent
the buffer and retrieve it.
This is the architecture-specific par
From: Thiago Jung Bauermann
The IMA kexec buffer allows the currently running kernel to pass
the measurement list via a kexec segment to the kernel that will be
kexec'd.
This is the architecture-specific part of setting up the IMA kexec
buffer for the next kernel. It will be used in the next pat
otation of ima_init_template_list()
Changelog v2:
- fix lookup_template_desc() preemption imbalance (kernel test robot)
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima.h | 2 ++
security/integrity/ima/ima_main.c | 1 +
security/integrity/ima/ima_templ
The configured IMA measurement list template format can be replaced at
runtime on the boot command line, including a custom template format.
This patch adds support for restoring a measurement list containing
multiple builtin/custom template formats.
Signed-off-by: Mimi Zohar
---
security
ystems
expecting the binary_runtime_measurements list to be in platform native
format.
Changelog v3:
- restore PCR value properly
Signed-off-by: Mimi Zohar
---
Documentation/kernel-parameters.txt | 4
security/integrity/ima/ima.h | 6 ++
security/integrity/ima/ima
l IMA functions (Mimi)
- move code from ima_template.c to ima_kexec.c (Mimi)
Signed-off-by: Thiago Jung Bauermann
Signed-off-by: Mimi Zohar
---
include/linux/ima.h| 12
kernel/kexec_file.c| 4 ++
security/integrity/ima/ima.h | 1 +
securit
-off-by: Mimi Zohar
---
security/integrity/ima/ima_crypto.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/security/integrity/ima/ima_crypto.c
b/security/integrity/ima/ima_crypto.c
index 38f2ed8..802d5d2 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security
.
Signed-off-by: Mimi Zohar
---
security/integrity/ima/Kconfig | 12 +
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_queue.c | 53 --
3 files changed, 64 insertions(+), 2 deletions(-)
diff --git a/security/integrity/ima/Kconfig
dr_v1->template_name_len (Colin King)
Changelog v2:
- redefined ima_kexec_hdr to use types with well defined sizes (M. Ellerman)
- defined missing ima_load_kexec_buffer() stub function
Changelog v1:
- call ima_load_kexec_buffer() (Thiago)
Signed-off-by: Mimi Zohar
---
security/integrity/ima/
try is the delimiter between soft
boots.
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima_queue.c | 15 +--
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/security/integrity/ima/ima_queue.c
b/security/integrity/ima/ima_queue.c
index 4b1bb77..12d1b04 100644
---
On Thu, 2016-09-29 at 16:37 -0500, Eric W. Biederman wrote:
> Mimi Zohar writes:
>
> > The TPM PCRs are only reset on a hard reboot. In order to validate a
> > TPM's quote after a soft reboot (eg. kexec -e), the IMA measurement list
> > of the running kernel must
On Tue, 2016-11-08 at 21:46 +0200, Dmitry Kasatkin wrote:
> On Fri, Oct 21, 2016 at 5:44 AM, Thiago Jung Bauermann
> wrote:
> > From: Mimi Zohar
> >
> > The TPM PCRs are only reset on a hard reboot. In order to validate a
> > TPM's quote after a soft reboot
On Tue, 2016-11-08 at 22:05 +0200, Dmitry Kasatkin wrote:
> On Fri, Oct 21, 2016 at 5:44 AM, Thiago Jung Bauermann
> wrote:
> > From: Mimi Zohar
> >
> > In preparation for serializing the binary_runtime_measurements, this patch
> > maintains the amount of memory
On Tue, 2016-11-08 at 15:47 -0500, Mimi Zohar wrote:
> On Tue, 2016-11-08 at 21:46 +0200, Dmitry Kasatkin wrote:
> > On Fri, Oct 21, 2016 at 5:44 AM, Thiago Jung Bauermann
> > > +/* Restore the serialized binary measurement list without extending
> >
m/linux/kernel/git/zohar/linux-integrity.git
Changelog v7:
- Updated to reflect Dmitry Kasatkin's patch review
- Rebased on top of "next-fixes" branch
Andreas Steffen (1):
ima: platform-independent hash value
Mimi Zohar (7):
ima: on soft reboot, restore the measurement list
ima: pe
try is the delimiter between soft
boots.
Changelog v7:
- use boolean for indicating hash should be added to hash table.
(Reported by Dmitry Kasatkin)
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima_queue.c | 16 ++--
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git
(Thiago)
Changelog v3:
- include the ima_kexec_hdr size in the binary_runtime_measurement size.
Signed-off-by: Mimi Zohar
---
security/integrity/ima/Kconfig | 12 +
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_queue.c | 53 --
3
igned long for size arguments.
- Use CONFIG_IMA_KEXEC to build this code only when necessary.
Signed-off-by: Thiago Jung Bauermann
Acked-by: "Eric W. Biederman"
Signed-off-by: Mimi Zohar
---
arch/powerpc/include/asm/ima.h | 16 +
arch/powerpc/include/asm/kexec.h
alled during __setup before normal initialization. (kernel
test robot)
- remove __init annotation of ima_init_template_list()
Changelog v2:
- fix lookup_template_desc() preemption imbalance (kernel test robot)
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima.h | 2 ++
security/inte
r() stub function
Changelog v1:
- call ima_load_kexec_buffer() (Thiago)
Signed-off-by: Mimi Zohar
---
security/integrity/ima/Makefile | 1 +
security/integrity/ima/ima.h | 21
security/integrity/ima/ima_init.c | 2 +
security/integrity/ima/ima_kexec.c| 44 +
"synchronize_rcu" (reported by Dmitry Kasatkin)
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima_template.c | 52 +--
1 file changed, 49 insertions(+), 3 deletions(-)
diff --git a/security/integrity/ima/ima_template.c
b/security/integrity/ima/ima_templa
ystems
expecting the binary_runtime_measurements list to be in platform native
format.
Changelog v3:
- restore PCR value properly
Signed-off-by: Mimi Zohar
---
Documentation/kernel-parameters.txt | 4
security/integrity/ima/ima.h | 6 ++
security/integrity/ima/ima
l IMA functions (Mimi)
- move code from ima_template.c to ima_kexec.c (Mimi)
Signed-off-by: Thiago Jung Bauermann
Signed-off-by: Mimi Zohar
Acked-by: "Eric W. Biederman"
---
include/linux/ima.h| 12
kernel/kexec_file.c| 4 ++
security/integr
Jung Bauermann
Acked-by: "Eric W. Biederman"
Signed-off-by: Mimi Zohar
---
arch/Kconfig| 3 +
arch/powerpc/Kconfig| 1 +
arch/powerpc/include/asm/ima.h | 13 +++
arch/powerpc/include/asm/kexec.h| 1
-off-by: Mimi Zohar
---
security/integrity/ima/ima_crypto.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/security/integrity/ima/ima_crypto.c
b/security/integrity/ima/ima_crypto.c
index 38f2ed830dd6..802d5d20f36f 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b
On Wed, 2016-11-30 at 15:52 +1100, Michael Ellerman wrote:
> Andrew Morton writes:
>
> > On Tue, 29 Nov 2016 23:45:46 +1100 Michael Ellerman
> > wrote:
> >
> >> This is v11 of the kexec_file_load() for powerpc series.
> >>
> >> I've stripped this down to the minimum we need, so we can get this
m/linux/kernel/git/zohar/linux-integrity.git
Changelog v8:
- Additional change, based on Dmitry Kasatkin's review, and Acks
Changelog v7:
- Updated to reflect Dmitry Kasatkin's patch review
- Rebased on top of "next-fixes" branch
Andreas Steffen (1):
ima: platform-independent hash val
Jung Bauermann
Acked-by: "Eric W. Biederman"
Signed-off-by: Mimi Zohar
---
arch/Kconfig| 3 +
arch/powerpc/Kconfig| 1 +
arch/powerpc/include/asm/ima.h | 13 +++
arch/powerpc/include/asm/kexec.h| 1
se types with well defined sizes (M. Ellerman)
- defined missing ima_load_kexec_buffer() stub function
Changelog v1:
- call ima_load_kexec_buffer() (Thiago)
Signed-off-by: Mimi Zohar
Acked-by: Dmitry Kasatkin
---
security/integrity/ima/Makefile | 1 +
security/integrity/ima/ima.h
try is the delimiter between soft
boots.
Changelog v7:
- use boolean for indicating hash should be added to hash table.
(Reported by Dmitry Kasatkin)
Signed-off-by: Mimi Zohar
Acked-by: Dmitry Kasatkin
---
security/integrity/ima/ima_queue.c | 16 ++--
1 file changed, 10 insertions(+), 6
(Thiago)
Changelog v3:
- include the ima_kexec_hdr size in the binary_runtime_measurement size.
Signed-off-by: Mimi Zohar
Acked-by: Dmitry Kasatkin
---
security/integrity/ima/Kconfig | 12 +
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_queue.c | 53
igned long for size arguments.
- Use CONFIG_IMA_KEXEC to build this code only when necessary.
Signed-off-by: Thiago Jung Bauermann
Acked-by: "Eric W. Biederman"
Signed-off-by: Mimi Zohar
---
arch/powerpc/include/asm/ima.h | 16 +
arch/powerpc/include/asm/kexec.h
l IMA functions (Mimi)
- move code from ima_template.c to ima_kexec.c (Mimi)
Signed-off-by: Thiago Jung Bauermann
Signed-off-by: Mimi Zohar
Acked-by: "Eric W. Biederman"
Acked-by: Dmitry Kasatkin
---
include/linux/ima.h| 12
kernel/kexec_file.c
alled during __setup before normal initialization. (kernel
test robot)
- remove __init annotation of ima_init_template_list()
Changelog v2:
- fix lookup_template_desc() preemption imbalance (kernel test robot)
Signed-off-by: Mimi Zohar
Acked-by: Dmitry Kasatkin
---
security/integrity/ima/ima.h
"synchronize_rcu" (reported by Dmitry Kasatkin)
Signed-off-by: Mimi Zohar
Acked-by: Dmitry Kasatkin
---
security/integrity/ima/ima_template.c | 52 +--
1 file changed, 49 insertions(+), 3 deletions(-)
diff --git a/security/integrity/ima/ima_template.c
ystems
expecting the binary_runtime_measurements list to be in platform native
format.
Changelog v3:
- restore PCR value properly
Signed-off-by: Mimi Zohar
Acked-by: Dmitry Kasatkin
---
Documentation/kernel-parameters.txt | 4
security/integrity/ima/ima.h | 6 ++
security/in
-off-by: Mimi Zohar
---
security/integrity/ima/ima_crypto.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/security/integrity/ima/ima_crypto.c
b/security/integrity/ima/ima_crypto.c
index 38f2ed830dd6..802d5d20f36f 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b
On Wed, 2016-11-30 at 08:03 -0500, Mimi Zohar wrote:
> On Wed, 2016-11-30 at 15:52 +1100, Michael Ellerman wrote:
> Thiago tested the patches yesterday. Everything seemed fine. After
> cherry picking the kexec_file_load() patches and rebasing the
> restore_kexec patches on top of i
Hi Dave,
On Wed, 2016-06-22 at 09:20 +0800, Dave Young wrote:
> On 06/20/16 at 10:44pm, Thiago Jung Bauermann wrote:
> > Hello,
> >
> > This patch series implements a mechanism which allows the kernel to pass on
> > a buffer to the kernel that will be kexec'd. This buffer is passed as a
> > segme
rialized measurement list across the kexec.
Mimi
*https://lists.infradead.org/pipermail/kexec/2016-June/016157.html
Mimi Zohar (6):
ima: on soft reboot, restore the measurement list
ima: permit duplicate measurement list entries
ima: maintain memory size needed for serializing the measurement
hiago)
Signed-off-by: Mimi Zohar
---
security/integrity/ima/Makefile | 1 +
security/integrity/ima/ima.h | 10 ++
security/integrity/ima/ima_init.c | 2 +
security/integrity/ima/ima_kexec.c| 55 +++
security/integrity/ima/ima_queue.c| 10 ++
security/integrit
try is the delimiter between soft
boots.
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima_queue.c | 15 +--
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/security/integrity/ima/ima_queue.c
b/security/integrity/ima/ima_queue.c
index 4b1bb77..12d1b04 100644
---
In preparation for serializing the binary_runtime_measurements, this patch
maintains the amount of memory required.
Signed-off-by: Mimi Zohar
---
security/integrity/ima/Kconfig | 12 ++
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_queue.c | 49
ormat.
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_fs.c| 2 +-
security/integrity/ima/ima_kexec.c | 51 ++
3 files changed, 53 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima.h b/sec
Bauermann
Signed-off-by: Mimi Zohar
---
include/linux/ima.h| 15 +++
kernel/kexec_file.c| 3 ++
security/integrity/ima/ima_kexec.c | 83 ++
3 files changed, 101 insertions(+)
diff --git a/include/linux/ima.h b/include/linux/ima.h
template per boot.
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima.h | 2 ++
security/integrity/ima/ima_main.c | 1 +
security/integrity/ima/ima_template.c | 37 +++
3 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/security
The configured IMA measurement list template format can be replaced at
runtime on the boot command line, including a custom template format.
This patch adds support for restoring a measurement list containing
multiple builtin/custom template formats.
Signed-off-by: Mimi Zohar
---
security
Hi Petko,
Thank you for the review!
On Fri, 2016-08-05 at 11:44 +0300, Petko Manolov wrote:
> On 16-08-04 08:24:29, Mimi Zohar wrote:
> > The TPM PCRs are only reset on a hard reboot. In order to validate a
> > TPM's quote after a soft reboot (eg. kexec -e), the IMA measure
On Tue, 2016-08-09 at 15:19 +1000, Balbir Singh wrote:
>
> On 04/08/16 22:24, Mimi Zohar wrote:
> > The TPM PCRs are only reset on a hard reboot. In order to validate a
> > TPM's quote after a soft reboot (eg. kexec -e), the IMA measurement list
> > of the running
On Tue, 2016-08-09 at 20:59 +1000, Michael Ellerman wrote:
> Mimi Zohar writes:
>
> > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> > index b5728da..84e8d36 100644
> > --- a/security/integrity/ima/ima.h
> > +++ b/security/integrity/i
On Tue, 2016-08-09 at 10:19 -0300, Thiago Jung Bauermann wrote:
> On Tuesday, 09 August 2016, 09:01:13, Mimi Zohar wrote:
> > On Tue, 2016-08-09 at 20:59 +1000, Michael Ellerman wrote:
> > > Mimi Zohar writes:
> > > > diff --git a/security/integrity/ima/ima.h
>
On Tue, 2016-08-09 at 13:35 +, David Laight wrote:
> Also why '__packed' - guarantees sub-optimal code generation.
> Much better to include explicit padding to align everything.
This patch set does not define a new format, but piggy backs on top of
the existing /ima/binary_runtime_measurement
On Tue, 2016-08-09 at 09:55 -0400, Mimi Zohar wrote:
> On Tue, 2016-08-09 at 10:19 -0300, Thiago Jung Bauermann wrote:
> > On Tuesday, 09 August 2016, 09:01:13, Mimi Zohar wrote:
> > > On Tue, 2016-08-09 at 20:59 +1000, Michael Ellerman wrote:
> > > > Mimi Zohar
On Wed, 2016-08-10 at 19:52 +1000, Michael Ellerman wrote:
> Thiago Jung Bauermann writes:
>
> > On Wednesday, 10 August 2016, 13:41:08, Michael Ellerman wrote:
> >> Thiago Jung Bauermann writes:
> >> > On Tuesday, 09 August 2016, 09:01:13, Mimi Zohar wrote:
On Thu, 2016-08-11 at 17:38 +1000, Balbir Singh wrote:
>
> On 09/08/16 22:36, Mimi Zohar wrote:
> > On Tue, 2016-08-09 at 15:19 +1000, Balbir Singh wrote:
> >>
> >> On 04/08/16 22:24, Mimi Zohar wrote:
> >>> The TPM PCRs are only reset on a hard reboot.
On Thu, 2016-08-25 at 19:17 -0300, Thiago Jung Bauermann wrote:
> On Thursday, 25 August 2016, 14:12:43, Andrew Morton wrote:
> > I grabbed these two patch series. I also merged the "IMA:
> > Demonstration code for kexec buffer passing." demonstration patch just
> > to get things a bit of testi
ch of:
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
Mimi
Andreas Steffen (1):
ima: platform-independent hash value
Mimi Zohar (7):
ima: on soft reboot, restore the measurement list
ima: permit duplicate measurement list entries
ima: maintain memory size needed f
types with well defined sizes (M. Ellerman)
- defined missing ima_load_kexec_buffer() stub function
Changelog v1:
- call ima_load_kexec_buffer() (Thiago)
Signed-off-by: Mimi Zohar
---
security/integrity/ima/Makefile | 1 +
security/integrity/ima/ima.h | 18
security/inte
try is the delimiter between soft
boots.
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima_queue.c | 15 +--
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/security/integrity/ima/ima_queue.c
b/security/integrity/ima/ima_queue.c
index 4b1bb77..12d1b04 100644
---
In preparation for serializing the binary_runtime_measurements, this patch
maintains the amount of memory required.
Signed-off-by: Mimi Zohar
---
security/integrity/ima/Kconfig | 12 ++
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_queue.c | 49
ormat.
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_fs.c| 2 +-
security/integrity/ima/ima_kexec.c | 51 ++
3 files changed, 53 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima.h b/sec
Signed-off-by: Mimi Zohar
---
include/linux/ima.h| 12 ++
kernel/kexec_file.c| 4 ++
security/integrity/ima/ima_kexec.c | 88 ++
3 files changed, 104 insertions(+)
diff --git a/include/linux/ima.h b/include/linux/ima.h
index