From: Mimi Zohar <zohar@linux.ibm.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-security-module <linux-security-module@vger.kernel.org>,
linux-integrity <linux-integrity@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: [GIT PULL] integrity subsystem updates for v5.4
Date: Wed, 11 Sep 2019 17:29:25 -0400 [thread overview]
Message-ID: <1568237365.5783.39.camel@linux.ibm.com> (raw)
Hi Linus,
The major feature in this pull request is IMA support for measuring
and appraising appended file signatures. In addition are a couple of
bug fixes and code cleanup to use struct_size().
In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
image may be signed with an appended signature, using the same
scripts/sign-file tool that is used to sign kernel modules.
Similarly, the initramfs may contain an appended signature.
(Stephen is carrying a patch to address a merge conflict with the
security tree.)
thanks,
Mimi
The following changes since commit 609488bc979f99f805f34e9a32c1e3b71179d10b:
Linux 5.3-rc2 (2019-07-28 12:47:02 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
for you to fetch changes up to 2a7f0e53daf29ca6dc9fbe2a27158f13474ec1b5:
ima: ima_api: Use struct_size() in kzalloc() (2019-08-29 14:23:30 -0400)
----------------------------------------------------------------
Gustavo A. R. Silva (2):
ima: use struct_size() in kzalloc()
ima: ima_api: Use struct_size() in kzalloc()
Mimi Zohar (2):
ima: initialize the "template" field with the default template
sefltest/ima: support appended signatures (modsig)
Sascha Hauer (2):
ima: always return negative code for error
ima: fix freeing ongoing ahash_request
Stephen Rothwell (1):
MODSIGN: make new include file self contained
Thiago Jung Bauermann (11):
MODSIGN: Export module signature definitions
PKCS#7: Refactor verify_pkcs7_signature()
PKCS#7: Introduce pkcs7_get_digest()
integrity: Select CONFIG_KEYS instead of depending on it
ima: Add modsig appraise_type option for module-style appended signatures
ima: Factor xattr_verify() out of ima_appraise_measurement()
ima: Implement support for module-style appended signatures
ima: Collect modsig
ima: Define ima-modsig template
ima: Store the measurement again when appraising a modsig
ima: Fix use after free in ima_read_modsig()
Documentation/ABI/testing/ima_policy | 6 +-
Documentation/security/IMA-templates.rst | 3 +
arch/s390/Kconfig | 2 +-
arch/s390/kernel/machine_kexec_file.c | 24 +--
certs/system_keyring.c | 61 +++++--
crypto/asymmetric_keys/pkcs7_verify.c | 33 ++++
include/crypto/pkcs7.h | 4 +
include/linux/module.h | 3 -
include/linux/module_signature.h | 46 +++++
include/linux/verification.h | 10 ++
init/Kconfig | 6 +-
kernel/Makefile | 1 +
kernel/module.c | 1 +
kernel/module_signature.c | 46 +++++
kernel/module_signing.c | 56 +-----
scripts/Makefile | 2 +-
security/integrity/Kconfig | 2 +-
security/integrity/digsig.c | 43 ++++-
security/integrity/ima/Kconfig | 13 ++
security/integrity/ima/Makefile | 1 +
security/integrity/ima/ima.h | 60 ++++++-
security/integrity/ima/ima_api.c | 27 ++-
security/integrity/ima/ima_appraise.c | 194 ++++++++++++++-------
security/integrity/ima/ima_crypto.c | 10 +-
security/integrity/ima/ima_main.c | 24 ++-
security/integrity/ima/ima_modsig.c | 168 ++++++++++++++++++
security/integrity/ima/ima_policy.c | 71 ++++++--
security/integrity/ima/ima_template.c | 31 +++-
security/integrity/ima/ima_template_lib.c | 64 ++++++-
security/integrity/ima/ima_template_lib.h | 4 +
security/integrity/integrity.h | 20 +++
.../selftests/kexec/test_kexec_file_load.sh | 38 +++-
32 files changed, 871 insertions(+), 203 deletions(-)
create mode 100644 include/linux/module_signature.h
create mode 100644 kernel/module_signature.c
create mode 100644 security/integrity/ima/ima_modsig.c
next reply other threads:[~2019-09-11 21:29 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-11 21:29 Mimi Zohar [this message]
2019-09-16 20:38 ` [GIT PULL] integrity subsystem updates for v5.4 Linus Torvalds
2019-09-16 22:13 ` Mimi Zohar
2019-09-27 16:08 ` Mimi Zohar
2019-09-28 3:00 ` pr-tracker-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1568237365.5783.39.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).