Linux-Security-Module Archive on lore.kernel.org
 help / color / Atom feed
* [GIT PULL] integrity subsystem updates for v5.4
@ 2019-09-11 21:29 Mimi Zohar
  0 siblings, 0 replies; only message in thread
From: Mimi Zohar @ 2019-09-11 21:29 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: linux-security-module, linux-integrity, linux-kernel

Hi Linus,

The major feature in this pull request is IMA support for measuring
and appraising appended file signatures.  In addition are a couple of
bug fixes and code cleanup to use struct_size().

In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
image may be signed with an appended signature, using the same
scripts/sign-file tool that is used to sign kernel modules.
 Similarly, the initramfs may contain an appended signature.

(Stephen is carrying a patch to address a merge conflict with the
security tree.)

thanks,

Mimi

The following changes since commit 609488bc979f99f805f34e9a32c1e3b71179d10b:

  Linux 5.3-rc2 (2019-07-28 12:47:02 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity

for you to fetch changes up to 2a7f0e53daf29ca6dc9fbe2a27158f13474ec1b5:

  ima: ima_api: Use struct_size() in kzalloc() (2019-08-29 14:23:30 -0400)

----------------------------------------------------------------
Gustavo A. R. Silva (2):
      ima: use struct_size() in kzalloc()
      ima: ima_api: Use struct_size() in kzalloc()

Mimi Zohar (2):
      ima: initialize the "template" field with the default template
      sefltest/ima: support appended signatures (modsig)

Sascha Hauer (2):
      ima: always return negative code for error
      ima: fix freeing ongoing ahash_request

Stephen Rothwell (1):
      MODSIGN: make new include file self contained

Thiago Jung Bauermann (11):
      MODSIGN: Export module signature definitions
      PKCS#7: Refactor verify_pkcs7_signature()
      PKCS#7: Introduce pkcs7_get_digest()
      integrity: Select CONFIG_KEYS instead of depending on it
      ima: Add modsig appraise_type option for module-style appended signatures
      ima: Factor xattr_verify() out of ima_appraise_measurement()
      ima: Implement support for module-style appended signatures
      ima: Collect modsig
      ima: Define ima-modsig template
      ima: Store the measurement again when appraising a modsig
      ima: Fix use after free in ima_read_modsig()

 Documentation/ABI/testing/ima_policy               |   6 +-
 Documentation/security/IMA-templates.rst           |   3 +
 arch/s390/Kconfig                                  |   2 +-
 arch/s390/kernel/machine_kexec_file.c              |  24 +--
 certs/system_keyring.c                             |  61 +++++--
 crypto/asymmetric_keys/pkcs7_verify.c              |  33 ++++
 include/crypto/pkcs7.h                             |   4 +
 include/linux/module.h                             |   3 -
 include/linux/module_signature.h                   |  46 +++++
 include/linux/verification.h                       |  10 ++
 init/Kconfig                                       |   6 +-
 kernel/Makefile                                    |   1 +
 kernel/module.c                                    |   1 +
 kernel/module_signature.c                          |  46 +++++
 kernel/module_signing.c                            |  56 +-----
 scripts/Makefile                                   |   2 +-
 security/integrity/Kconfig                         |   2 +-
 security/integrity/digsig.c                        |  43 ++++-
 security/integrity/ima/Kconfig                     |  13 ++
 security/integrity/ima/Makefile                    |   1 +
 security/integrity/ima/ima.h                       |  60 ++++++-
 security/integrity/ima/ima_api.c                   |  27 ++-
 security/integrity/ima/ima_appraise.c              | 194 ++++++++++++++-------
 security/integrity/ima/ima_crypto.c                |  10 +-
 security/integrity/ima/ima_main.c                  |  24 ++-
 security/integrity/ima/ima_modsig.c                | 168 ++++++++++++++++++
 security/integrity/ima/ima_policy.c                |  71 ++++++--
 security/integrity/ima/ima_template.c              |  31 +++-
 security/integrity/ima/ima_template_lib.c          |  64 ++++++-
 security/integrity/ima/ima_template_lib.h          |   4 +
 security/integrity/integrity.h                     |  20 +++
 .../selftests/kexec/test_kexec_file_load.sh        |  38 +++-
 32 files changed, 871 insertions(+), 203 deletions(-)
 create mode 100644 include/linux/module_signature.h
 create mode 100644 kernel/module_signature.c
 create mode 100644 security/integrity/ima/ima_modsig.c


^ permalink raw reply	[flat|nested] only message in thread

only message in thread, back to index

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-11 21:29 [GIT PULL] integrity subsystem updates for v5.4 Mimi Zohar

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org linux-security-module@archiver.kernel.org
	public-inbox-index linux-security-module


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/ public-inbox