* [GIT PULL] integrity subsystem updates for v5.17
@ 2022-01-10 22:02 Mimi Zohar
  2022-01-11 21:21 ` Linus Torvalds
  2022-01-11 21:24 ` pr-tracker-bot
  0 siblings, 2 replies; 5+ messages in thread
From: Mimi Zohar @ 2022-01-10 22:02 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: linux-integrity, linux-kernel

Hi Linus,

The few changes are all kexec related:

- The MOK keys are loaded onto the .platform keyring in order to verify
the kexec kernel image signature.  However, the MOK keys should only be
trusted when secure boot is enabled.  Before loading the MOK keys onto
the .platform keyring, make sure the system is booted in secure boot
mode.

- When carrying the IMA measurement list across kexec, limit dumping
the measurement list to when dynamic debug or CONFIG_DEBUG is enabled.

- kselftest: add kexec_file_load selftest support for PowerNV and other
cleanup.

thanks,

Mimi


The following changes since commit 136057256686de39cc3a07c2e39ef6bc43003ff6:

  Linux 5.16-rc2 (2021-11-21 13:47:39 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.17

for you to fetch changes up to 65e38e32a959dbbb0bf5cf1ae699789f81759be6:

  selftests/kexec: Enable secureboot tests for PowerPC (2022-01-05 11:44:57 -0500)

----------------------------------------------------------------
integrity-v5.17

----------------------------------------------------------------
Bruno Meneguele (1):
      ima: silence measurement list hexdump during kexec

Lee, Chun-Yi (1):
      integrity: Do not load MOK and MOKx when secure boot be disabled

Mimi Zohar (2):
      selftest/kexec: fix "ignored null byte in input" warning
      selftests/kexec: update searching for the Kconfig

Nageswara R Sastry (1):
      selftests/kexec: Enable secureboot tests for PowerPC

Takashi Iwai (1):
      ima: Fix undefined arch_ima_get_secureboot() and co

 include/linux/ima.h                                | 30 ++++++-------
 security/integrity/ima/ima_kexec.c                 |  6 +--
 security/integrity/platform_certs/load_uefi.c      |  5 +++
 tools/testing/selftests/kexec/Makefile             |  2 +-
 tools/testing/selftests/kexec/kexec_common_lib.sh  | 51 +++++++++++++++++-----
 .../selftests/kexec/test_kexec_file_load.sh        | 13 ++++--
 6 files changed, 74 insertions(+), 33 deletions(-)
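
The first bullet of the pull request ties trust in the MOK keys on the .platform keyring to the system having booted with secure boot enabled. The script below is an added example, not code from the pull request or the kernel tree, that lets an administrator check both halves of that condition on a running system: it reads the UEFI SecureBoot variable through efivarfs (the standard global-variable GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c; efivarfs prepends four attribute bytes to the variable data) and then lists the .platform keyring with keyctl. The byte-parsing step is kept in its own function so it can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example: verify the precondition described in the pull request
# (MOK/MOKx keys are only to be trusted on .platform under secure boot).
# This is not code from the kernel tree.

EFIVARS=/sys/firmware/efi/efivars
SB_VAR="$EFIVARS/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# secureboot_state FILE
# efivarfs exposes a variable as 4 attribute bytes followed by its data.
# For SecureBoot the data is one byte: 1 = enabled, 0 = disabled.
# Prints "enabled", "disabled" or "unknown" (file missing or too short).
secureboot_state() {
    file=$1
    [ -r "$file" ] || { echo unknown; return 1; }
    # skip the 4 attribute bytes, read exactly one data byte as unsigned
    byte=$(od -An -t u1 -j 4 -N 1 "$file" 2>/dev/null | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# platform_keyring_listing
# .platform is a kernel-internal keyring; it can be inspected by name with
# keyctl (the %:NAME form) or spotted in /proc/keys. Prints the listing.
platform_keyring_listing() {
    if command -v keyctl >/dev/null 2>&1; then
        keyctl show %:.platform 2>/dev/null
    elif [ -r /proc/keys ]; then
        grep -i 'platform' /proc/keys
    fi
}

main() {
    state=$(secureboot_state "$SB_VAR")
    echo "secure boot: $state"
    if [ "$state" = enabled ]; then
        echo "keys on the .platform keyring (MOK entries are expected here):"
        platform_keyring_listing
    else
        echo "secure boot is not enabled; MOK/MOKx must not be trusted on .platform"
    fi
}

main
```

Run it as root on an EFI system; on a legacy-BIOS boot (no efivarfs) it reports "unknown", which is the same situation the kernel change treats as "do not load MOK".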



* Re: [GIT PULL] integrity subsystem updates for v5.17
  2022-01-10 22:02 [GIT PULL] integrity subsystem updates for v5.17 Mimi Zohar
@ 2022-01-11 21:21 ` Linus Torvalds
  2022-01-11 22:54   ` Mimi Zohar
  2022-01-11 21:24 ` pr-tracker-bot
  1 sibling, 1 reply; 5+ messages in thread
From: Linus Torvalds @ 2022-01-11 21:21 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: linux-integrity, linux-kernel

On Mon, Jan 10, 2022 at 2:02 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
>
>   git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.17

Side note: I can't find the key you're using for the tag signing anywhere.

This isn't new, and I've seen this key before, and I suspect it's just
another new key update that the complete breakdown of all the pgp
keyservers makes hard to get out.

You used to use RSA key 8D2302082EFE723A379ECCD26B792466B03E715A,
which I have, the last few pulls you've been using EDDSA key
1D5D554518DE57A8AAF51E3ECBC19CD1B02AE7E5 that I can't actually find.

It also isn't in the kernel.org pgpkeys repo.

You could try submitting it there:

  https://korg.docs.kernel.org/pgpkeys.html#submitting-keys-to-the-keyring

Oh, how I hate pgp. I thought that having git wrap all the key
verification would make it usable (counter-example: the incredible
garbage that is pgp signed email), but then the keyservers stopped
working, and so the keys themselves end up being a problem.

              Linus
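
The problem Linus describes is that a tag is signed with a key the verifier does not hold, and the human-readable output of `git verify-tag` buries which key that is. The script below is an added example, not part of this thread or of any kernel.org tooling, that parses the machine-readable gpg status lines `git verify-tag --raw` writes to stderr (VALIDSIG, NO_PUBKEY, BADSIG) into a one-line verdict, so a maintainer can see at once whether the failure is a missing public key or a bad signature. The `refresh_korg_keys` helper assumes the kernel.org keyring repository lives at https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git with ASCII-armored keys under `keys/`; that URL and layout are not stated on the page and are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report which key signed a git tag
# and whether that key is available locally, using gpg's status-fd lines.

# signing_key_status: reads gpg status lines on stdin and prints one of
#   "valid <fingerprint>"   signature verified with a key we hold
#   "missing <long-keyid>"  signed, but the public key is not in the keyring
#   "bad <long-keyid>"      key present but the signature does not verify
#   "none"                  no signature status seen at all
signing_key_status() {
    awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG"  { valid = $3 }
        $1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { missing = $3 }
        $1 == "[GNUPG:]" && $2 == "BADSIG"    { bad = $3 }
        END {
            if (valid != "")        print "valid " valid
            else if (missing != "") print "missing " missing
            else if (bad != "")     print "bad " bad
            else                    print "none"
        }'
}

# tag_signing_key TAG
# --raw makes git pass gpg status lines through on stderr; the human
# readable stdout is discarded and stderr is piped into the parser.
tag_signing_key() {
    git verify-tag --raw "$1" 2>&1 >/dev/null | signing_key_status
}

# refresh_korg_keys [DIR]
# Assumed repository URL and layout (not given on the page): clone or
# update the kernel.org keyring and import every armored key it contains.
refresh_korg_keys() {
    dir=${1:-korg-pgpkeys}
    if [ -d "$dir/.git" ]; then
        git -C "$dir" pull --ff-only
    else
        git clone https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git "$dir"
    fi
    find "$dir/keys" -name '*.asc' -exec gpg --import {} +
}

# Usage: ./check-tag-key.sh integrity-v5.17
if [ $# -gt 0 ]; then
    verdict=$(tag_signing_key "$1")
    echo "$1: $verdict"
    case "$verdict" in
        missing*) echo "hint: import the signer's key (e.g. refresh_korg_keys) and retry" ;;
    esac
fi
```

A "missing" verdict is the situation in this thread: the tag is fine, the verifier simply does not hold the new EDDSA key, and the fix is on the key-distribution side (the kernel.org keyring, or a direct exchange), not a resigned tag.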


* Re: [GIT PULL] integrity subsystem updates for v5.17
  2022-01-10 22:02 [GIT PULL] integrity subsystem updates for v5.17 Mimi Zohar
  2022-01-11 21:21 ` Linus Torvalds
@ 2022-01-11 21:24 ` pr-tracker-bot
  1 sibling, 0 replies; 5+ messages in thread
From: pr-tracker-bot @ 2022-01-11 21:24 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Linus Torvalds, linux-integrity, linux-kernel

The pull request you sent on Mon, 10 Jan 2022 17:02:02 -0500:

> git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.17

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/84bfcc0b6994057905cf98d2c5cedef48b3322b5

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html


* Re: [GIT PULL] integrity subsystem updates for v5.17
  2022-01-11 21:21 ` Linus Torvalds
@ 2022-01-11 22:54   ` Mimi Zohar
  2022-01-11 23:01     ` Linus Torvalds
  0 siblings, 1 reply; 5+ messages in thread
From: Mimi Zohar @ 2022-01-11 22:54 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: linux-integrity, linux-kernel

On Tue, 2022-01-11 at 13:21 -0800, Linus Torvalds wrote:
> On Mon, Jan 10, 2022 at 2:02 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> >   git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.17
> 
> Side note: I can't find the key you're using for the tag signing anywhere.
> 
> This isn't new, and I've seen this key before, and I suspect it's just
> another new key update that the complete breakdown of all the pgp
> keyservers makes hard to get out.
> 
> You used to use RSA key 8D2302082EFE723A379ECCD26B792466B03E715A,
> which I have, the last few pulls you've been using EDDSA key
> 1D5D554518DE57A8AAF51E3ECBC19CD1B02AE7E5 that I can't actually find.

Yes, I received the Nitrokey Start and followed the maintainer-pgp-
guide (and Nitrokey) directions at the time.  It was hard finding a
working gpg server, but I finally found one, at least I thought I found
one.

> 
> It also isn't in the kernel.org pgpkeys repo.
> 
> You could try submitting it there:
> 
>   https://korg.docs.kernel.org/pgpkeys.html#submitting-keys-to-the-keyring
> 
> Oh, how I hate pgp. I thought that having git wrap all the key
> verification would make it usable (counter-example: the incredible
> garbage that is pgp signed email), but then the keyservers stopped
> working, and so the keys themselves end up being a problem.

Submitted.

Mimi



* Re: [GIT PULL] integrity subsystem updates for v5.17
  2022-01-11 22:54   ` Mimi Zohar
@ 2022-01-11 23:01     ` Linus Torvalds
  0 siblings, 0 replies; 5+ messages in thread
From: Linus Torvalds @ 2022-01-11 23:01 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: linux-integrity, linux-kernel

On Tue, Jan 11, 2022 at 2:55 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> Yes, I received the Nitrokey Start and followed the maintainer-pgp-
> guide (and Nitrokey) directions at the time.  It was hard finding a
> working gpg server, but I finally found one, at least I thought I found
> one.

You probably _did_ find a working pgp server, but with all the pgp
poisoning, the replication of the keys doesn't tend to work very well
any more.

So if I don't then happen to use the same server, I won't get the key updates.

Oh well. It's not like pgp wasn't always a UI disaster. It's just that
key replication _used_ to work fairly well.

               Linus
