linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: James Morris <jmorris@namei.org>
Cc: linux-security-module <linux-security-module@vger.kernel.org>,
	linux-integrity <linux-integrity@vger.kernel.org>
Subject: [GIT PULL] linux-integrity patches for Linux 4.21
Date: Fri, 14 Dec 2018 08:52:32 -0500	[thread overview]
Message-ID: <1544795552.3879.7.camel@linux.ibm.com> (raw)

Hi James,

In Linux 4.19, a new LSM hook named security_kernel_load_data was
upstreamed, allowing LSMs and IMA to prevent the kexec_load
syscall.  Different signature verification methods exist for verifying
the kexec'ed kernel image.  This pull request adds additional support
in IMA to prevent loading unsigned kernel images via the kexec_load
syscall, independently of the IMA policy rules, based on the runtime
"secure boot" flag.  An initial IMA kselftest is included.

In addition, this pull request defines a new, separate keyring named
".platform" for storing the preboot/firmware keys needed for verifying
the kexec'ed kernel image's signature and includes the associated IMA
kexec usage of the ".platform" keyring.

(David Howell's and Josh Boyer's patches for reading the
preboot/firmware keys, which were previously posted for a different
use case scenario, are included here.)

Mimi

The following changes since commit 26b76320a8a550472bbb8f42257df83fcb8d8df6:

  Merge tag 'v4.20-rc2' into next-general (2018-11-12 09:07:41 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity

for you to fetch changes up to eed9de3b4f47114f440980203ca27c5fab70f529:

  ima: Use inode_is_open_for_write (2018-12-12 22:09:34 -0500)

----------------------------------------------------------------
Dave Howells (2):
      efi: Add EFI signature data types
      efi: Add an EFI signature blob parser

Eric Richter (1):
      x86/ima: define arch_get_ima_policy() for x86

Josh Boyer (2):
      efi: Import certificates from UEFI Secure Boot
      efi: Allow the "db" UEFI variable to be suppressed

Mimi Zohar (4):
      integrity: support new struct public_key_signature encoding field
      x86/ima: retry detecting secure boot mode
      ima: don't measure/appraise files on efivarfs
      selftests/ima: kexec_load syscall test

Nayna Jain (7):
      x86/ima: define arch_ima_get_secureboot
      ima: prevent kexec_load syscall based on runtime secureboot flag
      ima: refactor ima_init_policy()
      ima: add support for arch specific policies
      integrity: Define a trusted platform keyring
      integrity: Load certs to the platform keyring
      ima: Support platform keyring for kernel appraisal

Nikolay Borisov (1):
      ima: Use inode_is_open_for_write

Stefan Berger (1):
      docs: Extend trusted keys documentation for TPM 2.0

 Documentation/security/keys/trusted-encrypted.rst  |  31 +++-
 arch/x86/kernel/Makefile                           |   4 +
 arch/x86/kernel/ima_arch.c                         |  75 ++++++++
 include/linux/efi.h                                |  34 ++++
 include/linux/ima.h                                |  15 ++
 security/integrity/Kconfig                         |  11 ++
 security/integrity/Makefile                        |   5 +
 security/integrity/digsig.c                        | 110 ++++++++----
 security/integrity/digsig_asymmetric.c             |   1 +
 security/integrity/ima/Kconfig                     |  10 +-
 security/integrity/ima/ima_appraise.c              |  14 +-
 security/integrity/ima/ima_main.c                  |  21 ++-
 security/integrity/ima/ima_policy.c                | 171 +++++++++++++-----
 security/integrity/integrity.h                     |  23 ++-
 security/integrity/platform_certs/efi_parser.c     | 108 ++++++++++++
 security/integrity/platform_certs/load_uefi.c      | 194 +++++++++++++++++++++
 .../integrity/platform_certs/platform_keyring.c    |  58 ++++++
 tools/testing/selftests/Makefile                   |   1 +
 tools/testing/selftests/ima/Makefile               |  11 ++
 tools/testing/selftests/ima/config                 |   4 +
 tools/testing/selftests/ima/test_kexec_load.sh     |  54 ++++++
 21 files changed, 863 insertions(+), 92 deletions(-)
 create mode 100644 arch/x86/kernel/ima_arch.c
 create mode 100644 security/integrity/platform_certs/efi_parser.c
 create mode 100644 security/integrity/platform_certs/load_uefi.c
 create mode 100644 security/integrity/platform_certs/platform_keyring.c
 create mode 100644 tools/testing/selftests/ima/Makefile
 create mode 100644 tools/testing/selftests/ima/config
 create mode 100755 tools/testing/selftests/ima/test_kexec_load.sh


             reply	other threads:[~2018-12-14 14:17 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-14 13:52 Mimi Zohar [this message]
2018-12-17 19:28 ` [GIT PULL] linux-integrity patches for Linux 4.21 James Morris
2018-12-17 19:32   ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1544795552.3879.7.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=jmorris@namei.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).