="uneven misaligned splits, may sleep"
Yes, that's the one I saw. I don't have time to follow it up at the
moment, but Nayna is aware of it.
Yes Eric, we identified this as a separate issue of misalignment and
plan to post a separate patch to address it.
Thanks & Regards,
- Nayna
Oops, Please ignore this patch.
By mistake I posted the wrong version. I am sorry for the confusion, I
will resend the right version.
Thanks & Regards,
- Nayna
On 3/6/20 12:39 PM, Nayna Jain wrote:
Every time a new architecture defines the IMA architecture specific
funct
Hi Michael,
On 10/15/2019 07:29 AM, Michael Ellerman wrote:
Nayna Jain writes:
This patch adds the measurement rules to the arch specific policies on
trusted boot enabled systems.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
---
arch/powerpc/kernel/ima_arch.c | 45
Hi Mimi,
On 10/11/2019 09:19 AM, Mimi Zohar wrote:
On Mon, 2019-10-07 at 21:14 -0400, Nayna Jain wrote:
Asymmetric private keys are used to sign multiple files. The kernel
currently support checking against the blacklisted keys. However, if the
public key is blacklisted, any file signed by
wouldn't have random architectures adding random "me me me
tooo!!!" type code.
Thanks Linus for your feedback. I will do the patch for Kconfig cleanup.
Thanks & Regards,
- Nayna
On 06/14/2019 02:34 AM, Greg Kroah-Hartman wrote:
On Thu, Jun 13, 2019 at 04:50:27PM -0400, Nayna Jain wrote:
As part of PowerNV secure boot support, OS verification keys are stored
and controlled by OPAL as secure variables. These need to be exposed to
the userspace so that sysadmins can
On 06/12/2019 07:04 PM, Daniel Axtens wrote:
Hi Nayna,
Since OPAL can support different types of backend which can vary in the
variable interpretation, a new OPAL API call named OPAL_SECVAR_BACKEND, is
added to retrieve the supported backend version. This helps the consumer
to know how to
quot;tpm: fixes uninitialized allocated banks for IBM vtpm driver"
addresses this bug.
Thanks & Regards,
- Nayna
On 07/05/2019 10:13 AM, Stefan Berger wrote:
On 7/3/19 11:32 PM, Nayna Jain wrote:
The nr_allocated_banks and allocated banks are initialized as part of
tpm_chip_register. Currently, this is done as part of auto startup
function. However, some drivers, like the ibm vtpm driver, do not run
On 07/05/2019 01:50 PM, Jarkko Sakkinen wrote:
On Fri, 2019-07-05 at 11:32 -0400, Nayna wrote:
I am not sure of the purpose of tpm_stop_chip(), so I have left it as it
is. Jarkko, what do you think about the change ?
Stefan right. Your does not work, or will randomly work or not work
obsfucated mess and
not a good place at all for using ternary operator.
I have posted the v3 version that includes the suggested corrections by
you and Stefan. Sorry for some delay.
Michal and Sachin, I would appreciate if you can test the v3 version,
please ?
Thanks & Regards,
- Nayna
On 07/05/2019 02:05 AM, Michael Ellerman wrote:
Hi Nayna,
Hi Michael, Oliver,
Nayna Jain writes:
As part of PowerNV secure boot support, OS verification keys are stored
and controlled by OPAL as secure variables. These need to be exposed to
the userspace so that sysadmins can perform
On 08/26/2019 10:01 AM, Greg Kroah-Hartman wrote:
On Mon, Aug 26, 2019 at 09:23:36AM -0400, Nayna Jain wrote:
+static struct bin_attribute update_attr = {
+ .attr = {.name = "update", .mode = 0200},
+ .size = VARIABLE_MAX_SIZE,
+ .write = update_write,
+};
Ah, do
On 08/21/2019 12:30 PM, Greg Kroah-Hartman wrote:
On Wed, Aug 21, 2019 at 11:08:21AM -0400, Nayna Jain wrote:
--- /dev/null
+++ b/Documentation/ABI/testing/sysfs-secvar
@@ -0,0 +1,27 @@
+What: /sys/firmware/secvar
+Date: August 2019
+Contact: Nayna Jain
+Description
On 08/22/2019 01:18 AM, Oliver O'Halloran wrote:
On Wed, 2019-08-21 at 11:08 -0400, Nayna Jain wrote:
PowerNV secure variables, which store the keys used for OS kernel
verification, are managed by the firmware. These secure variables need to
be accessed by the userspace for addition/del
On 08/26/2019 10:56 AM, Greg Kroah-Hartman wrote:
On Mon, Aug 26, 2019 at 09:23:36AM -0400, Nayna Jain wrote:
+static struct kobj_attribute size_attr = __ATTR_RO(size);
Wait, why not just normal ATTR_RO()?
Oh!! Sorry. I am not seeing this macro in sysfs.h. am I missing something
On 09/02/2019 07:52 AM, Michael Ellerman wrote:
Hi Nayna,
Hi Michael,
Sorry I've taken so long to get to this series, there's just too many
patches that need reviewing :/
No problem. I understand. Thanks for reviewing.
Nayna Jain writes:
Secure boot on POWER defines dif
On 09/02/2019 07:52 AM, Michael Ellerman wrote:
Hi Nayna,
Hi Michael,
Some more comments below.
Nayna Jain writes:
POWER secure boot relies on the kernel IMA security subsystem to
perform the OS kernel image signature verification.
Again this is just a design choice we've made,
-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2019 IBM Corporation
+ * Author: Nayna Jain
+ */
+
+#include
+#include
+
+bool arch_ima_get_secureboot(void)
+{
+ return is_powerpc_os_secureboot_enabled();
+}
+
+/* Defines IMA appraise rules for secureboot */
+static const char *const arch_rules
On 10/01/2019 09:33 AM, Rob Herring wrote:
On Fri, Sep 27, 2019 at 10:25:52AM -0400, Nayna Jain wrote:
PowerNV represents both the firmware and Host OS secureboot state of the
system via device tree. This patch adds the documentation to give
the definition of the nodes and the properties
.
Reported-by: Nayna Jain
Signed-off-by: Greg Kroah-Hartman
---
I'll queue this up to my tree for 5.4-rc1, but if you want to take this
in your tree earlier, feel free to do so.
include/linux/sysfs.h | 9 +
1 file changed, 9 insertions(+)
diff --git a/include/linux/sysfs.h b/include/
On 10/01/2019 02:16 PM, Greg Kroah-Hartman wrote:
On Tue, Oct 01, 2019 at 02:08:53PM -0400, Nayna wrote:
Hi Greg,
On 08/26/2019 11:01 AM, Greg Kroah-Hartman wrote:
This variant was missing from sysfs.h, I guess no one noticed it before.
Turns out the powerpc secure variable code can use
On 10/02/2019 05:49 PM, Mimi Zohar wrote:
On Tue, 2019-10-01 at 12:07 -0400, Nayna wrote:
On 09/30/2019 09:04 PM, Thiago Jung Bauermann wrote:
Hello,
Hi,
diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
new file mode 100644
index ..39401b67f19e
On 10/15/2019 07:29 AM, Michael Ellerman wrote:
Nayna Jain writes:
PowerNV systems uses kernel based bootloader, thus its secure boot
implementation uses kernel IMA security subsystem to verify the kernel
before kexec. Since the verification policy might differ based on the
secure boot mode
more flexibility,
probably a boot time override can be considered.
Thanks & Regards,
- Nayna
cc: joeyli
Signed-off-by: Michal Suchanek
---
security/integrity/Kconfig | 2 --
1 file changed, 2 deletions(-)
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 232
On 6/6/23 16:51, Jarkko Sakkinen wrote:
On Tue Jun 6, 2023 at 8:26 PM EEST, Nayna Jain wrote:
On PowerVM guest, variable data is prefixed with 8 bytes of timestamp.
Extract ESL by stripping off the timestamp before passing to ESL parser.
Cc: sta...@vger.kenrnel.org # v6.3
?
Aah yes
On 9/29/20 2:14 AM, Joel Stanley wrote:
On Fri, 25 Sep 2020 at 18:19, Mimi Zohar wrote:
Hi Nayna,
On Wed, 2020-09-23 at 14:25 -0400, Nayna Jain wrote:
Currently, skiroot_defconfig CONFIG_I2C_OPAL is built as a loadable
module rather than builtin, even if CONFIG_I2C=y is defined. This
On 11/9/22 08:46, Greg Kroah-Hartman wrote:
On Sun, Nov 06, 2022 at 04:07:42PM -0500, Nayna Jain wrote:
securityfs is meant for Linux security subsystems to expose policies/logs
or any other information. However, there are various firmware security
features which expose their variables for
On 11/10/22 04:58, Greg Kroah-Hartman wrote:
On Wed, Nov 09, 2022 at 03:10:37PM -0500, Nayna wrote:
On 11/9/22 08:46, Greg Kroah-Hartman wrote:
On Sun, Nov 06, 2022 at 04:07:42PM -0500, Nayna Jain wrote:
securityfs is meant for Linux security subsystems to expose policies/logs
or any other
On 11/17/22 16:27, Greg Kroah-Hartman wrote:
On Mon, Nov 14, 2022 at 06:03:43PM -0500, Nayna wrote:
On 11/10/22 04:58, Greg Kroah-Hartman wrote:
On Wed, Nov 09, 2022 at 03:10:37PM -0500, Nayna wrote:
On 11/9/22 08:46, Greg Kroah-Hartman wrote:
On Sun, Nov 06, 2022 at 04:07:42PM -0500
On 11/20/22 22:14, James Bottomley wrote:
On Sun, 2022-11-20 at 17:13 +0100, Greg Kroah-Hartman wrote:
On Sat, Nov 19, 2022 at 01:20:09AM -0500, Nayna wrote:
On 11/17/22 16:27, Greg Kroah-Hartman wrote:
On Mon, Nov 14, 2022 at 06:03:43PM -0500, Nayna wrote:
On 11/10/22 04:58, Greg Kroah
On 11/19/22 06:48, Ritesh Harjani (IBM) wrote:
Hello Nayna,
Hi Ritesh,
On 22/11/09 03:10PM, Nayna wrote:
On 11/9/22 08:46, Greg Kroah-Hartman wrote:
On Sun, Nov 06, 2022 at 04:07:42PM -0500, Nayna Jain wrote:
securityfs is meant for Linux security subsystems to expose policies/logs
or
On 11/22/22 18:21, Nayna wrote:
From the perspective of our use case, we need to expose firmware
security objects to userspace for management. Not all of the objects
pre-exist and we would like to allow root to create them from userspace.
From a unification perspective, I have considered
On 11/23/22 10:57, Greg Kroah-Hartman wrote:
On Wed, Nov 23, 2022 at 10:05:49AM -0500, Nayna wrote:
On 11/22/22 18:21, Nayna wrote:
From the perspective of our use case, we need to expose firmware
security objects to userspace for management. Not all of the objects
pre-exist and we would
c: sta...@vger.kernel.org
Fixes: d958083a8f64 ("x86/ima: define arch_get_ima_policy() for x86")
Signed-off-by: Bruno Meneguele
Reviewed-by: Nayna Jain
Tested-by: Nayna Jain
Thanks & Regards,
- Nayna
to enable both signature
verification and measurement of the kernel image.
Thanks & Regards,
- Nayna
eir requirement.
IMA_KEXEC is for the kernel images signed using sign-file (appended
signatures, not PECOFF), provides measurement along with verification,
and is tied to secureboot state of the system at boot time.
Thanks & Regards,
- Nayna
On 11/12/21 03:30, Michal Suchánek wrote:
Hello,
On Thu, Nov 11, 2021 at 05:26:41PM -0500, Nayna wrote:
On 11/8/21 07:05, Michal Suchánek wrote:
Hello,
On Mon, Nov 08, 2021 at 09:18:56AM +1100, Daniel Axtens wrote:
Michal Suchánek writes:
On Fri, Nov 05, 2021 at 09:55:52PM +1100
On 11/16/21 04:53, Michal Suchánek wrote:
On Mon, Nov 15, 2021 at 06:53:53PM -0500, Nayna wrote:
On 11/12/21 03:30, Michal Suchánek wrote:
Hello,
On Thu, Nov 11, 2021 at 05:26:41PM -0500, Nayna wrote:
On 11/8/21 07:05, Michal Suchánek wrote:
Hello,
The other part is that distributions
ec,$one
vmr$dat,$inptail
lvx$inptail,0,$inp
addi $inp,$inp,16
Acked-by: Nayna Jain
Tested-by: Nayna Jain
o, it sounds like this is needed only for secure firmware variables
and does not include
other firmware variables which are not security relevant ? Is that
correct understanding ?
Thanks & Regards,
- Nayna
thew who can give us more insights...
Thanks & Regards,
- Nayna
On 06/03/2019 03:29 AM, Greg KH wrote:
On Mon, Jun 03, 2019 at 04:04:32PM +1000, Daniel Axtens wrote:
Hi Nayna,
As PowerNV moves towards secure boot, we need a place to put secure
variables. One option that has been canvassed is to make our secure
variables look like EFI variables. This is
On 06/11/2019 01:19 AM, Satheesh Rajendran wrote:
On Mon, Jun 10, 2019 at 04:33:57PM -0400, Nayna Jain wrote:
PowerNV secure boot relies on the kernel IMA security subsystem to
perform the OS kernel image signature verification. Since each secure
boot mode has different IMA policy
On 06/12/2019 02:17 AM, Daniel Axtens wrote:
Nayna Jain writes:
From: Claudio Carvalho
The X.509 certificates trusted by the platform and other information
required to secure boot the OS kernel are wrapped in secure variables,
which are controlled by OPAL.
This patch adds support to read
h while posting the patches ?
Secondly, I see that you add the powerpc support in Patch 2 and then
modify it again in Patch 5 after cleanup. Why not add the support for
powerpc after the clean up ? This will reduce some rework and also
probably simplify patches.
Thanks & Regards,
- Nayna
exec/elf_64.c:160: undefined
reference to `verify_appended_signature'"
I see it happened because I didn't have MODULE_SIG enabled. Enabling
MODULE_SIG fixes it.
I wonder why not to add "depends on MODULE_SIG" rather than on
MODULE_SIG_FORMAT.
Thanks & Regards,
- Nayna
On 12/9/21 04:21, Michal Suchánek wrote:
Hello,
Hi,
On Wed, Dec 08, 2021 at 08:51:47PM -0500, Nayna wrote:
On 11/25/21 13:02, Michal Suchanek wrote:
Copy the code from s390x
Signed-off-by: Michal Suchanek
---
arch/powerpc/Kconfig| 11 +++
arch/powerpc/kexec/elf_64.c
acklisted binary kernel images from being kexec'd"
Thanks & Regards,
- Nayna
d kernel image signature and additionally
includes both the signed and unsigned file hashes in the IMA measurement
list, extends the IMA PCR in the TPM, and prevents blacklisted binary
kernel images from being kexec'd."
Thanks & Regards,
- Nayna
x-efi/yrzuiivizmfgj...@google.com/
[2] https://lore.kernel.org/all/20220122005637.28199-1-na...@linux.ibm.com/
Thanks & Regards,
- Nayna
erface separate from this and have its
own platform specific interface.
I would be happy to hear the ideas.
[1] https://lore.kernel.org/linux-efi/yrzuiivizmfgj...@google.com/
[2] https://lore.kernel.org/all/20220122005637.28199-1-na...@linux.ibm.com/
Thanks & Regards,
- Nayna
On 6/22/22 18:29, Casey Schaufler wrote:
On 6/22/2022 2:56 PM, Nayna Jain wrote:
securityfs is meant for linux security subsystems to expose
policies/logs
or any other information. However, there are various firmware security
features which expose their variables for user management via
or PowerVM PLPAR
Platform KeyStore, the arch specific version is implemented in Patch 2.
Access to EFI variables should be implemented by EFI arch specific
interface and PowerNV will have to do the same if it needs to.
Hope it helps.
Thanks & Regards,
- Nayna
in get_powerpc_sb_mode() function.
* Added dependency for PPC_SECURE_BOOT on configs PPC64 and OPAL_SECVAR
* Replaced obj-$(CONFIG_IMA) with obj-$(CONFIG_PPC_SECURE_BOOT) in
arch/powerpc/kernel/Makefile
Claudio Carvalho (1):
powerpc/powernv: Add support for OPAL_SECVAR_GET
Nayna Jain (2
From: Claudio Carvalho
The X.509 certificates trusted by the platform and other information
required to secure boot the OS kernel are wrapped in secure variables,
which are controlled by OPAL.
This patch adds support to read OPAL secure variables through
OPAL_SECVAR_GET call. It returns the data
PowerNV secure boot defines different IMA policies based on the secure
boot state of the system.
This patch defines a function to detect the secure boot state of the
system.
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/secboot.h | 21 +
arch/powerpc/platforms/powernv
-specific IMA policies if PPC_SECURE_BOOT
config is enabled.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 14 +
arch/powerpc/kernel/Makefile | 1 +
arch/powerpc/kernel/ima_arch.c | 54 ++
include/linux/ima.h| 3 +-
4 files
different architectures to select it.
Suggested-by: Linus Torvalds
Signed-off-by: Nayna Jain
Cc: Ard Biesheuvel
Cc: Philipp Rudo
Cc: Michael Ellerman
---
v2:
* Fixed the issue identified by Mimi. Thanks Mimi, Ard, Heiko and Michael for
discussing the fix.
arch/powerpc/Kconfig | 1 +
different architectures to select it.
Suggested-by: Linus Torvalds
Signed-off-by: Nayna Jain
Cc: Ard Biesheuvel
Cc: Philipp Rudo
Cc: Michael Ellerman
---
v3:
* Updated and tested the patch with improvements suggested by Michael.
It now uses "imply" instead of "select".
From: Nayna Jain
Every time a new architecture defines the IMA architecture specific
functions - arch_ima_get_secureboot() and arch_ima_get_policy(), the IMA
include file needs to be updated. To avoid this "noise", this patch
defines a new IMA Kconfig IMA_SECURE_AND_OR_TRUSTED_B
powerpc_sb_mode() function.
* Added dependency for PPC_SECURE_BOOT on configs PPC64 and OPAL_SECVAR
* Replaced obj-$(CONFIG_IMA) with obj-$(CONFIG_PPC_SECURE_BOOT) in
arch/powerpc/kernel/Makefile
Nayna Jain (8):
powerpc: detect the secure boot mode of the system
powerpc/ima: add support to initia
This patch defines a function to detect the secure boot state of a
PowerNV system.
The PPC_SECURE_BOOT config represents the base enablement of secure boot
for powerpc.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 10 +
arch/powerpc/include/asm/secure_boot.h
state
is used to conditionally enable additional measurement rules in the IMA
arch-specific policies.
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/secure_boot.h | 6 ++
arch/powerpc/kernel/secure_boot.c | 24
2 files changed, 30 insertions(+)
diff
This patch adds the measurement rules to the arch specific policies on
trusted boot enabled systems.
Signed-off-by: Nayna Jain
---
arch/powerpc/kernel/ima_arch.c | 34 +-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kernel/ima_arch.c
retrieve the policy
defined pcr and template based on the func.
Signed-off-by: Nayna Jain
---
security/integrity/ima/ima.h | 3 ++
security/integrity/ima/ima_main.c | 51 ---
2 files changed, 36 insertions(+), 18 deletions(-)
diff --git a/security/integrity/ima/ima.h b
The -EKEYREJECTED error returned by existing is_hash_blacklisted() is
misleading when called for checking against blacklisted hash of a
binary.
This patch adds a wrapper function is_binary_blacklisted() to return
-EPERM error if binary is blacklisted.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi
policy option
"appraise_flag=check_blacklist".
Signed-off-by: Nayna Jain
---
Documentation/ABI/testing/ima_policy | 1 +
security/integrity/ima/ima.h | 8 +++
security/integrity/ima/ima_appraise.c | 31 +++
security/integrity/ima/ima_main.
This patch updates the arch-specific policies for PowerNV system to make
sure that the binary hash is not blacklisted.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
---
arch/powerpc/kernel/ima_arch.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/powerpc
define IMA policy
rules based on the runtime secure boot mode of the system.
This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
config is enabled.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 1 +
arch/powerpc/kernel/Makefile | 2 +-
arch/powerpc/kernel
ECVAR
* Replaced obj-$(CONFIG_IMA) with obj-$(CONFIG_PPC_SECURE_BOOT) in
arch/powerpc/kernel/Makefile
Nayna Jain (8):
powerpc: detect the secure boot mode of the system
powerpc/ima: add support to initialize ima policy rules
powerpc: detect the trusted boot state of the system
powerpc/ima: define
This patch defines a function to detect the secure boot state of a
PowerNV system.
The PPC_SECURE_BOOT config represents the base enablement of secure boot
for powerpc.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 10
arch/powerpc/include/asm/secure_boot.h
define IMA policy
rules based on the runtime secure boot mode of the system.
This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
config is enabled.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 1 +
arch/powerpc/kernel/Makefile | 2 +-
arch/powerpc/kernel
state of a PowerNV system. The state
is used to conditionally enable additional measurement rules in the IMA
arch-specific policies.
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/secure_boot.h | 6 ++
arch/powerpc/kernel/secure_boot.c | 26 ++
2 files
This patch defines an arch-specific trusted boot only policy and a
combined secure and trusted boot policy.
Signed-off-by: Nayna Jain
---
arch/powerpc/kernel/ima_arch.c | 33 -
1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kernel
an IMA
hook or as an auxiliary measurement record. In both cases the buffer
measurement is based on policy. This patch modifies the function to
conditionally retrieve the policy defined PCR and template for the IMA
hook case.
Signed-off-by: Nayna Jain
---
security/integrity/ima/ima.h | 3
The -EKEYREJECTED error returned by existing is_hash_blacklisted() is
misleading when called for checking against blacklisted hash of a
binary.
This patch adds a wrapper function is_binary_blacklisted() to return
-EPERM error if binary is blacklisted.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi
217cc1152b44b134ce2cd68f12dfb71acb3 ima-buf
sha256:8b58427fedcf8f4b20bc8dc007f2e232bf7285d7b93a66476321f9c2a3aa132
b blacklisted-hash
77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
Signed-off-by: Nayna Jain
---
Documentation/ABI/testing/ima_policy | 4
security/integrity/ima/ima.h | 8 +
This patch updates the arch-specific policies for PowerNV system to make
sure that the binary hash is not blacklisted.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
---
arch/powerpc/kernel/ima_arch.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/powerpc
s feedbacks:
* adds sysfs documentation
* moves sysfs code to arch/powerpc
* other code related feedbacks.
* adds two new patches to load keys to .platform and .blacklist keyring.
These patches are added to this series as they are also dependent on
OPAL APIs.
Nayna Jain (4):
powerpc/powernv: A
CONFIG_OPAL_SECVAR.
Signed-off-by: Claudio Carvalho
Signed-off-by: Nayna Jain
---
arch/powerpc/include/asm/opal-api.h | 5 +-
arch/powerpc/include/asm/opal.h | 7 +
arch/powerpc/include/asm/secvar.h| 35 +
arch/powerpc/kernel/Makefile | 2
. The users shall use this interface for manipulating
the keys stored in the secure variables.
Signed-off-by: Nayna Jain
Reviewed-by: Greg Kroah-Hartman
---
Documentation/ABI/testing/sysfs-secvar | 39 +
arch/powerpc/Kconfig | 11 ++
arch/powerpc/kernel/Makefile
The handlers to add the keys to the .platform keyring and blacklisted
hashes to the .blacklist keyring is common for both the uefi and powerpc
mechanisms of loading the keys/hashes from the firmware.
This patch moves the common code from load_uefi.c to keyring_handler.c
Signed-off-by: Nayna Jain
trusted by firmware.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
---
arch/powerpc/Kconfig | 1 +
security/integrity/Kconfig| 8 ++
security/integrity/Makefile | 4 +-
.../integrity/platform_certs/load_powerpc.c | 86
On 10/24/19 12:38 PM, Lakshmi Ramasubramanian wrote:
On 10/23/2019 8:47 PM, Nayna Jain wrote:
+bool is_ppc_trustedboot_enabled(void)
+{
+ struct device_node *node;
+ bool enabled = false;
+
+ node = get_ppc_fw_sb_node();
+ enabled = of_property_read_bool(node, "trusted-en
On 10/24/19 12:26 PM, Lakshmi Ramasubramanian wrote:
On 10/23/2019 8:47 PM, Nayna Jain wrote:
This patch defines a function to detect the secure boot state of a
PowerNV system.
+bool is_ppc_secureboot_enabled(void)
+{
+ struct device_node *node;
+ bool enabled = false;
+
+ node
On 10/24/19 12:35 PM, Lakshmi Ramasubramanian wrote:
On 10/23/2019 8:47 PM, Nayna Jain wrote:
+/*
+ * The "secure_rules" are enabled only on "secureboot" enabled systems.
+ * These rules verify the file signatures against known good values.
+ * The "appraise_type=ima
On 10/24/19 10:20 AM, Lakshmi Ramasubramanian wrote:
On 10/23/19 8:47 PM, Nayna Jain wrote:
Hi Nayna,
+void process_buffer_measurement(const void *buf, int size,
+ const char *eventname, enum ima_hooks func,
+ int pcr)
{
int ret = 0;
struct
On 10/24/19 12:48 PM, Lakshmi Ramasubramanian wrote:
On 10/23/2019 8:47 PM, Nayna Jain wrote:
+/*
+ * ima_check_blacklist - determine if the binary is blacklisted.
+ *
+ * Add the hash of the blacklisted binary to the measurement list,
based
+ * on policy.
+ *
+ * Returns -EPERM if the
de it default "yes" if the pre-requisites are satisfied
* fixed an error message for more clarity
v7 (on behalf of Nayna, by Eric Richter):
* secvar-sysfs now a bool rather than a tristate option
* added documentation for backend sysfs entry
v6 (on behalf of Nayna, by Eric Richter):
* update
CONFIG_OPAL_SECVAR.
Signed-off-by: Claudio Carvalho
Signed-off-by: Nayna Jain
Signed-off-by: Eric Richter
---
arch/powerpc/include/asm/opal-api.h | 5 +-
arch/powerpc/include/asm/opal.h | 7 +
arch/powerpc/include/asm/secvar.h| 35 +
arch/powerpc/kernel
. The users shall use this interface for manipulating
the keys stored in the secure variables.
Signed-off-by: Nayna Jain
Reviewed-by: Greg Kroah-Hartman
Signed-off-by: Eric Richter
---
Documentation/ABI/testing/sysfs-secvar | 46 +
arch/powerpc/Kconfig | 11 ++
arch
The handlers to add the keys to the .platform keyring and blacklisted
hashes to the .blacklist keyring is common for both the uefi and powerpc
mechanisms of loading the keys/hashes from the firmware.
This patch moves the common code from load_uefi.c to keyring_handler.c
Signed-off-by: Nayna Jain
trusted by firmware.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Signed-off-by: Eric Richter
---
security/integrity/Kconfig| 9 ++
security/integrity/Makefile | 4 +-
.../integrity/platform_certs/load_powerpc.c | 98 +++
3 files changed
, removed select for LOAD_PPC_KEYS, instead
made it default "yes" if the pre-requisites are satisfied
* fixed an error message for more clarity
v7 (on behalf of Nayna, by Eric Richter):
* secvar-sysfs now a bool rather than a tristate option
* added documentation for backend sys
CONFIG_OPAL_SECVAR.
Signed-off-by: Claudio Carvalho
Signed-off-by: Nayna Jain
Signed-off-by: Eric Richter
---
arch/powerpc/include/asm/opal-api.h | 5 +-
arch/powerpc/include/asm/opal.h | 7 ++
arch/powerpc/include/asm/secvar.h| 35 +++
arch/powerpc
. The users shall use this interface for manipulating
the keys stored in the secure variables.
Signed-off-by: Nayna Jain
Reviewed-by: Greg Kroah-Hartman
Signed-off-by: Eric Richter
---
Documentation/ABI/testing/sysfs-secvar | 46 ++
arch/powerpc/Kconfig | 11 ++
arch
The handlers to add the keys to the .platform keyring and blacklisted
hashes to the .blacklist keyring is common for both the uefi and powerpc
mechanisms of loading the keys/hashes from the firmware.
This patch moves the common code from load_uefi.c to keyring_handler.c
Signed-off-by: Nayna Jain
trusted by firmware.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
Signed-off-by: Eric Richter
---
security/integrity/Kconfig | 9 +++
security/integrity/Makefile | 4 +-
security/integrity/platform_certs/load_powerpc.c | 99
account the ability of enabling "sig_enforce" on the boot
command line (module.sig_enforce=1).
This patch fixes secure boot policy rules to be based on CONFIG_MODULE_SIG
instead.
Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules")
Signed-off-by: N
1 - 100 of 225 matches
Mail list logo
