[GIT PULL] integrity subsystem updates for v5.19

* [GIT PULL] integrity subsystem updates for v5.19
@ 2022-05-24 20:46 Mimi Zohar
  2022-05-24 20:53 ` pr-tracker-bot
  0 siblings, 1 reply; 2+ messages in thread
From: Mimi Zohar @ 2022-05-24 20:46 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: linux-integrity, linux-kernel

Hi Linus,

New is IMA support for including fs-verity file digests and signatures
in the IMA
measurement list as well as verifying the fs-verity file digest based
signatures, both based on policy.

In addition, are two bug fixes:
- avoid reading UEFI variables, which cause a page fault, on Apple Macs
with T2 chips.
- remove the original "ima" template Kconfig option to address a boot
command line ordering issue.

The rest is a mixture of code/documentation cleanup.

thanks,

Mimi

The following changes since commit 3123109284176b1532874591f7c81f3837bbdc17:

  Linux 5.18-rc1 (2022-04-03 14:08:21 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.19

for you to fetch changes up to 048ae41bb0806cde340f4e5d5030398037ab0be8:

  integrity: Fix sparse warnings in keyring_handler (2022-05-16 17:06:16 -0400)

----------------------------------------------------------------
integrity-v5.19

----------------------------------------------------------------
Aditya Garg (1):
      efi: Do not import certificates from UEFI Secure Boot for T2 Macs

Colin Ian King (1):
      ima: remove redundant initialization of pointer 'file'.

GUO Zihua (1):
      ima: remove the IMA_TEMPLATE Kconfig option

Mimi Zohar (8):
      ima: fix 'd-ng' comments and documentation
      ima: use IMA default hash algorithm for integrity violations
      fs-verity: define a function to return the integrity protected file digest
      ima: define a new template field named 'd-ngv2' and templates
      ima: permit fsverity's file digests in the IMA measurement list
      ima: support fs-verity file digest based version 3 signatures
      fsverity: update the documentation
      Merge branch 'next-integrity.fsverity-v9' into next-integrity

Stefan Berger (3):
      evm: Return INTEGRITY_PASS for enum integrity_status value '0'
      evm: Clean up some variables
      integrity: Fix sparse warnings in keyring_handler

 Documentation/ABI/testing/ima_policy               |  45 +++++++-
 Documentation/admin-guide/kernel-parameters.txt    |   3 +-
 Documentation/filesystems/fsverity.rst             |  35 ++++---
 Documentation/security/IMA-templates.rst           |  11 +-
 fs/verity/Kconfig                                  |   1 +
 fs/verity/fsverity_private.h                       |   7 --
 fs/verity/measure.c                                |  43 ++++++++
 include/linux/fsverity.h                           |  18 ++++
 security/integrity/digsig.c                        |   3 +-
 security/integrity/evm/evm.h                       |   3 -
 security/integrity/evm/evm_crypto.c                |   2 +-
 security/integrity/evm/evm_main.c                  |   2 +-
 security/integrity/ima/Kconfig                     |  14 ++-
 security/integrity/ima/ima_api.c                   |  47 ++++++++-
 security/integrity/ima/ima_appraise.c              | 114 ++++++++++++++++++++-
 security/integrity/ima/ima_main.c                  |   4 +-
 security/integrity/ima/ima_policy.c                |  82 +++++++++++++--
 security/integrity/ima/ima_template.c              |   4 +
 security/integrity/ima/ima_template_lib.c          |  94 ++++++++++++++---
 security/integrity/ima/ima_template_lib.h          |   4 +
 security/integrity/integrity.h                     |  27 ++++-
 .../integrity/platform_certs/keyring_handler.c     |   6 +-
 .../integrity/platform_certs/keyring_handler.h     |   8 ++
 security/integrity/platform_certs/load_uefi.c      |  33 ++++++
 24 files changed, 531 insertions(+), 79 deletions(-)

^ permalink raw reply	[flat|nested] 2+ messages in thread