* [GIT PULL] integrity subsystem updates for v5.13
@ 2021-04-28 13:46 Mimi Zohar
2021-05-01 22:49 ` Linus Torvalds
2021-05-01 22:49 ` pr-tracker-bot
0 siblings, 2 replies; 4+ messages in thread
From: Mimi Zohar @ 2021-04-28 13:46 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-integrity, linux-kernel
Hi Linus,
In addition to loading the kernel module signing key onto the builtin
keyring, load it onto the IMA keyring as well. In addition are six
trivial changes and bug fixes.
thanks,
Mimi
The following changes since commit 92063f3ca73aab794bd5408d3361fd5b5ea33079:
integrity: double check iint_cache was initialized (2021-03-22 14:54:11 -0400)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.13
for you to fetch changes up to 781a5739489949fd0f32432a9da17f7ddbccf1cc:
ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies (2021-04-26 21:54:23 -0400)
----------------------------------------------------------------
integrity-v5.13
----------------------------------------------------------------
Gustavo A. R. Silva (1):
ima: Fix fall-through warnings for Clang
Jiele Zhao (2):
ima: Fix function name error in comment.
integrity: Add declarations to init_once void arguments.
Li Huafei (1):
ima: Fix the error code for restoring the PCR value
Mimi Zohar (2):
ima: without an IMA policy loaded, return quickly
Merge branch 'ima-module-signing-v4' into next-integrity
Nayna Jain (4):
keys: cleanup build time module signing keys
ima: enable signing of modules with build time generated key
ima: enable loading of build time generated key on .ima keyring
ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies
Makefile | 6 ++---
certs/Kconfig | 2 +-
certs/Makefile | 10 +++++++
certs/system_certificates.S | 14 +++++++++-
certs/system_keyring.c | 50 ++++++++++++++++++++++++++++-------
include/keys/system_keyring.h | 7 +++++
init/Kconfig | 6 ++---
security/integrity/digsig.c | 2 ++
security/integrity/iint.c | 2 +-
security/integrity/ima/ima_main.c | 9 ++++++-
security/integrity/ima/ima_policy.c | 2 ++
security/integrity/ima/ima_template.c | 4 +--
12 files changed, 92 insertions(+), 22 deletions(-)
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [GIT PULL] integrity subsystem updates for v5.13
2021-04-28 13:46 [GIT PULL] integrity subsystem updates for v5.13 Mimi Zohar
@ 2021-05-01 22:49 ` Linus Torvalds
2021-05-02 4:27 ` Mimi Zohar
2021-05-01 22:49 ` pr-tracker-bot
1 sibling, 1 reply; 4+ messages in thread
From: Linus Torvalds @ 2021-05-01 22:49 UTC (permalink / raw)
To: Mimi Zohar; +Cc: linux-integrity, linux-kernel
On Wed, Apr 28, 2021 at 6:47 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> In addition to loading the kernel module signing key onto the builtin
> keyring, load it onto the IMA keyring as well.
This clashed pretty badly with the other cert changes.
I think the end result looks nice and clean (the cert updates mesh
well with the _intention_ of your code, just not with the
implementation), but you should really double-check that I didn't mess
anything up in the merge and whatever test-case you have for IMA still
works.
I only verified that the kernel module signing key still works for
modules - no IMA test-case.
Linus
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [GIT PULL] integrity subsystem updates for v5.13
2021-04-28 13:46 [GIT PULL] integrity subsystem updates for v5.13 Mimi Zohar
2021-05-01 22:49 ` Linus Torvalds
@ 2021-05-01 22:49 ` pr-tracker-bot
1 sibling, 0 replies; 4+ messages in thread
From: pr-tracker-bot @ 2021-05-01 22:49 UTC (permalink / raw)
To: Mimi Zohar; +Cc: Linus Torvalds, linux-integrity, linux-kernel
The pull request you sent on Wed, 28 Apr 2021 09:46:57 -0400:
> git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.13
has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/e6f0bf09f0669b3c2cd77fa906830123279a0a21
Thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [GIT PULL] integrity subsystem updates for v5.13
2021-05-01 22:49 ` Linus Torvalds
@ 2021-05-02 4:27 ` Mimi Zohar
0 siblings, 0 replies; 4+ messages in thread
From: Mimi Zohar @ 2021-05-02 4:27 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-integrity, linux-kernel
On Sat, 2021-05-01 at 15:49 -0700, Linus Torvalds wrote:
> On Wed, Apr 28, 2021 at 6:47 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > In addition to loading the kernel module signing key onto the builtin
> > keyring, load it onto the IMA keyring as well.
>
> This clashed pretty badly with the other cert changes.
>
> I think the end result looks nice and clean (the cert updates mesh
> well with the _intention_ of your code, just not with the
> implementation), but you should really double-check that I didn't mess
> anything up in the merge and whatever test-case you have for IMA still
> works.
>
> I only verified that the kernel module signing key still works for
> modules - no IMA test-case.
I'm really sorry I forgot to mention in the pull request that Stephen
was carrying a merge conflict fix. Everything looks good. I tested
it, making sure that the kernel module signing key is loaded onto the
builtin and/or IMA keyrings properly.
thanks,
Mimi
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-05-02 4:28 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-28 13:46 [GIT PULL] integrity subsystem updates for v5.13 Mimi Zohar
2021-05-01 22:49 ` Linus Torvalds
2021-05-02 4:27 ` Mimi Zohar
2021-05-01 22:49 ` pr-tracker-bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).