* [GIT PULL] integrity: subsystem updates for v6.6 (take 2)
From: Mimi Zohar @ 2023-08-29 20:17 UTC
  To: Linus Torvalds; +Cc: linux-integrity, linux-kernel

Hi Linus,

Two IMA changes, a code cleanup, and a kernel-doc update.

- With commit 099f26f22f58 ("integrity: machine keyring CA
configuration") certificates may be loaded onto the IMA keyring,
directly or indirectly signed by keys on either the "builtin" or the
"machine" keyrings. With the ability for the system/machine owner to
sign the IMA policy itself without needing to recompile the kernel,
update the IMA architecture specific policy rules to require the IMA
policy itself be signed.

[As commit 099f26f22f58 was upstreamed in linux-6.4, updating the IMA
architecture specific policy now to require signed IMA policies may
break userspace expectations.]

- IMA only checked the file data hash was not on the system blacklist
keyring for files with an appended signature (e.g. kernel modules,
Power kernel image). Check all file data hashes regardless of how it
was signed.

thanks,

Mimi


The following changes since commit 5d0c230f1de8c7515b6567d9afba1f196fb4e2f4:

  Linux 6.5-rc4 (2023-07-30 13:23:47 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v6.6

for you to fetch changes up to 55e2b69649be38f1788b38755070875b96111d2f:

  kexec_lock: Replace kexec_mutex() by kexec_lock() in two comments (2023-08-07 09:55:42 -0400)

----------------------------------------------------------------
integrity-v6.6

----------------------------------------------------------------
Coiby Xu (1):
      ima: require signed IMA policy when UEFI secure boot is enabled

Eric Snowberg (1):
      integrity: Always reference the blacklist keyring with appraisal

Nayna Jain (1):
      ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig

Wenyu Liu (1):
      kexec_lock: Replace kexec_mutex() by kexec_lock() in two comments

 Documentation/ABI/testing/ima_policy  |  6 +++---
 arch/powerpc/kernel/ima_arch.c        |  8 ++++----
 kernel/kexec_file.c                   |  2 +-
 security/integrity/ima/Kconfig        | 12 ------------
 security/integrity/ima/ima_appraise.c | 12 +++++++-----
 security/integrity/ima/ima_efi.c      |  3 +++
 security/integrity/ima/ima_kexec.c    |  2 +-
 security/integrity/ima/ima_policy.c   | 17 +++++------------
 8 files changed, 24 insertions(+), 38 deletions(-)
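
What "require the IMA policy itself be signed" means at rule level, as an added example (not part of the original message or the kernel tree): a small checker that reads IMA policy text and reports whether a given hook, here POLICY_CHECK, is gated on a signature. The keywords follow Documentation/ABI/testing/ima_policy; the sample policies are constructed, the exact rule the series adds is an assumption, and rules restricted by other selectors (fsmagic, uid, ...) are skipped as a simplification.

```python
# Added example. Policy samples are constructed, not read from a real host.
ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise",
           "audit", "hash", "dont_hash"}
# Keywords that change how a rule is enforced, not which files it selects.
OPTIONS = {"appraise_type", "appraise_flag", "appraise_algos", "template",
           "permit_directio", "digest_type", "pcr"}

def parse_rule(line):
    """Return (action, {keyword: value}) or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    action, *fields = line.split()
    if action not in ACTIONS:
        raise ValueError(f"unknown IMA action: {action!r}")
    return action, dict(f.partition("=")[::2] for f in fields)

def signature_required(policy_text, hook):
    """True if the first unconditional appraise rule for `hook` needs a signature."""
    for line in policy_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule[0] not in ("appraise", "dont_appraise"):
            continue
        action, kv = rule
        selectors = {k: v for k, v in kv.items() if k not in OPTIONS}
        func = selectors.pop("func", None)
        if func not in (None, hook) or selectors:
            continue  # different hook, or limited by fsmagic/uid/etc.
        if action == "dont_appraise":
            return False
        # Without appraise_type, a stored file hash is enough to pass appraisal.
        return kv.get("appraise_type", "").startswith("imasig")
    return False

SAMPLE_BEFORE = """\
# constructed sample: modules and kexec images signed, policy file not covered
dont_appraise fsmagic=0x9fa0
appraise func=MODULE_CHECK appraise_type=imasig|modsig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
"""
# Assumed form of a rule that requires a signed policy file.
SAMPLE_AFTER = SAMPLE_BEFORE + "appraise func=POLICY_CHECK appraise_type=imasig\n"

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, "policy load needs signature:",
              signature_required(text, "POLICY_CHECK"))
```

On a running system the same function can be pointed at the text read from /sys/kernel/security/ima/policy, where the kernel exposes it.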



* Re: [GIT PULL] integrity: subsystem updates for v6.6 (take 2)
From: pr-tracker-bot @ 2023-08-30 16:34 UTC
  To: Mimi Zohar; +Cc: Linus Torvalds, linux-integrity, linux-kernel

The pull request you sent on Tue, 29 Aug 2023 16:17:55 -0400:

> git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v6.6

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/1a35914f738c564060a14388f52a06669b09e0b3

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html
