Linux-Security-Module Archive on lore.kernel.org
 help / color / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-security-module <linux-security-module@vger.kernel.org>,
	linux-integrity <linux-integrity@vger.kernel.org>,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: [GIT PULL] integrity subsystem updates for v5.4
Date: Wed, 11 Sep 2019 17:29:25 -0400
Message-ID: <1568237365.5783.39.camel@linux.ibm.com> (raw)

Hi Linus,

The major feature in this pull request is IMA support for measuring
and appraising appended file signatures.  In addition are a couple of
bug fixes and code cleanup to use struct_size().

In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
image may be signed with an appended signature, using the same
scripts/sign-file tool that is used to sign kernel modules.
 Similarly, the initramfs may contain an appended signature.

(Stephen is carrying a patch to address a merge conflict with the
security tree.)

thanks,

Mimi

The following changes since commit 609488bc979f99f805f34e9a32c1e3b71179d10b:

  Linux 5.3-rc2 (2019-07-28 12:47:02 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity

for you to fetch changes up to 2a7f0e53daf29ca6dc9fbe2a27158f13474ec1b5:

  ima: ima_api: Use struct_size() in kzalloc() (2019-08-29 14:23:30 -0400)

----------------------------------------------------------------
Gustavo A. R. Silva (2):
      ima: use struct_size() in kzalloc()
      ima: ima_api: Use struct_size() in kzalloc()

Mimi Zohar (2):
      ima: initialize the "template" field with the default template
      sefltest/ima: support appended signatures (modsig)

Sascha Hauer (2):
      ima: always return negative code for error
      ima: fix freeing ongoing ahash_request

Stephen Rothwell (1):
      MODSIGN: make new include file self contained

Thiago Jung Bauermann (11):
      MODSIGN: Export module signature definitions
      PKCS#7: Refactor verify_pkcs7_signature()
      PKCS#7: Introduce pkcs7_get_digest()
      integrity: Select CONFIG_KEYS instead of depending on it
      ima: Add modsig appraise_type option for module-style appended signatures
      ima: Factor xattr_verify() out of ima_appraise_measurement()
      ima: Implement support for module-style appended signatures
      ima: Collect modsig
      ima: Define ima-modsig template
      ima: Store the measurement again when appraising a modsig
      ima: Fix use after free in ima_read_modsig()

 Documentation/ABI/testing/ima_policy               |   6 +-
 Documentation/security/IMA-templates.rst           |   3 +
 arch/s390/Kconfig                                  |   2 +-
 arch/s390/kernel/machine_kexec_file.c              |  24 +--
 certs/system_keyring.c                             |  61 +++++--
 crypto/asymmetric_keys/pkcs7_verify.c              |  33 ++++
 include/crypto/pkcs7.h                             |   4 +
 include/linux/module.h                             |   3 -
 include/linux/module_signature.h                   |  46 +++++
 include/linux/verification.h                       |  10 ++
 init/Kconfig                                       |   6 +-
 kernel/Makefile                                    |   1 +
 kernel/module.c                                    |   1 +
 kernel/module_signature.c                          |  46 +++++
 kernel/module_signing.c                            |  56 +-----
 scripts/Makefile                                   |   2 +-
 security/integrity/Kconfig                         |   2 +-
 security/integrity/digsig.c                        |  43 ++++-
 security/integrity/ima/Kconfig                     |  13 ++
 security/integrity/ima/Makefile                    |   1 +
 security/integrity/ima/ima.h                       |  60 ++++++-
 security/integrity/ima/ima_api.c                   |  27 ++-
 security/integrity/ima/ima_appraise.c              | 194 ++++++++++++++-------
 security/integrity/ima/ima_crypto.c                |  10 +-
 security/integrity/ima/ima_main.c                  |  24 ++-
 security/integrity/ima/ima_modsig.c                | 168 ++++++++++++++++++
 security/integrity/ima/ima_policy.c                |  71 ++++++--
 security/integrity/ima/ima_template.c              |  31 +++-
 security/integrity/ima/ima_template_lib.c          |  64 ++++++-
 security/integrity/ima/ima_template_lib.h          |   4 +
 security/integrity/integrity.h                     |  20 +++
 .../selftests/kexec/test_kexec_file_load.sh        |  38 +++-
 32 files changed, 871 insertions(+), 203 deletions(-)
 create mode 100644 include/linux/module_signature.h
 create mode 100644 kernel/module_signature.c
 create mode 100644 security/integrity/ima/ima_modsig.c


                 reply index

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1568237365.5783.39.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org linux-security-module@archiver.kernel.org
	public-inbox-index linux-security-module


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/ public-inbox