From: Mimi Zohar <zohar@linux.ibm.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-security-module <linux-security-module@vger.kernel.org>,
	linux-integrity <linux-integrity@vger.kernel.org>,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: [GIT PULL] integrity subsystem updates for v5.4
Date: Wed, 11 Sep 2019 17:29:25 -0400
Message-ID: <1568237365.5783.39.camel@linux.ibm.com>

Hi Linus,

The major feature in this pull request is IMA support for measuring
and appraising appended file signatures.  In addition are a couple of
bug fixes and code cleanup to use struct_size().

In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
image may be signed with an appended signature, using the same
scripts/sign-file tool that is used to sign kernel modules.
Similarly, the initramfs may contain an appended signature.

(Stephen is carrying a patch to address a merge conflict with the
security tree.)

thanks,

Mimi

The following changes since commit 609488bc979f99f805f34e9a32c1e3b71179d10b:

  Linux 5.3-rc2 (2019-07-28 12:47:02 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity

for you to fetch changes up to 2a7f0e53daf29ca6dc9fbe2a27158f13474ec1b5:

  ima: ima_api: Use struct_size() in kzalloc() (2019-08-29 14:23:30 -0400)

----------------------------------------------------------------
Gustavo A. R. Silva (2):
      ima: use struct_size() in kzalloc()
      ima: ima_api: Use struct_size() in kzalloc()

Mimi Zohar (2):
      ima: initialize the "template" field with the default template
      sefltest/ima: support appended signatures (modsig)

Sascha Hauer (2):
      ima: always return negative code for error
      ima: fix freeing ongoing ahash_request

Stephen Rothwell (1):
      MODSIGN: make new include file self contained

Thiago Jung Bauermann (11):
      MODSIGN: Export module signature definitions
      PKCS#7: Refactor verify_pkcs7_signature()
      PKCS#7: Introduce pkcs7_get_digest()
      integrity: Select CONFIG_KEYS instead of depending on it
      ima: Add modsig appraise_type option for module-style appended signatures
      ima: Factor xattr_verify() out of ima_appraise_measurement()
      ima: Implement support for module-style appended signatures
      ima: Collect modsig
      ima: Define ima-modsig template
      ima: Store the measurement again when appraising a modsig
      ima: Fix use after free in ima_read_modsig()

 Documentation/ABI/testing/ima_policy               |   6 +-
 Documentation/security/IMA-templates.rst           |   3 +
 arch/s390/Kconfig                                  |   2 +-
 arch/s390/kernel/machine_kexec_file.c              |  24 +--
 certs/system_keyring.c                             |  61 +++++--
 crypto/asymmetric_keys/pkcs7_verify.c              |  33 ++++
 include/crypto/pkcs7.h                             |   4 +
 include/linux/module.h                             |   3 -
 include/linux/module_signature.h                   |  46 +++++
 include/linux/verification.h                       |  10 ++
 init/Kconfig                                       |   6 +-
 kernel/Makefile                                    |   1 +
 kernel/module.c                                    |   1 +
 kernel/module_signature.c                          |  46 +++++
 kernel/module_signing.c                            |  56 +-----
 scripts/Makefile                                   |   2 +-
 security/integrity/Kconfig                         |   2 +-
 security/integrity/digsig.c                        |  43 ++++-
 security/integrity/ima/Kconfig                     |  13 ++
 security/integrity/ima/Makefile                    |   1 +
 security/integrity/ima/ima.h                       |  60 ++++++-
 security/integrity/ima/ima_api.c                   |  27 ++-
 security/integrity/ima/ima_appraise.c              | 194 ++++++++++++++-------
 security/integrity/ima/ima_crypto.c                |  10 +-
 security/integrity/ima/ima_main.c                  |  24 ++-
 security/integrity/ima/ima_modsig.c                | 168 ++++++++++++++++++
 security/integrity/ima/ima_policy.c                |  71 ++++++--
 security/integrity/ima/ima_template.c              |  31 +++-
 security/integrity/ima/ima_template_lib.c          |  64 ++++++-
 security/integrity/ima/ima_template_lib.h          |   4 +
 security/integrity/integrity.h                     |  20 +++
 .../selftests/kexec/test_kexec_file_load.sh        |  38 +++-
 32 files changed, 871 insertions(+), 203 deletions(-)
 create mode 100644 include/linux/module_signature.h
 create mode 100644 kernel/module_signature.c
 create mode 100644 security/integrity/ima/ima_modsig.c

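The appended-signature format referenced above is the one scripts/sign-file produces for kernel modules: the PKCS#7 blob is written after the file contents, followed by a 12-byte struct module_signature and the 28-byte marker "~Module signature appended~\n". The following is an added example, not code from this pull request or from the kernel tree: it locates and sanity-checks such a trailer in a buffer, the way a verifier has to before handing the PKCS#7 blob to a signature check, and it records which bytes the signature actually covers (everything before the blob). The sample payload and the 5-byte stand-in for a PKCS#7 blob are constructed for the demo; only the layout, the PKCS#7 id_type value and the zero-field rule are taken from the kernel's module_signature definition.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Marker that terminates a sign-file style appended signature. */
#define MODULE_SIG_STRING "~Module signature appended~\n"
#define MODULE_SIG_LEN    (sizeof(MODULE_SIG_STRING) - 1)   /* 28 */
#define PKEY_ID_PKCS7     2   /* the only id_type accepted for appended sigs */

/* Mirrors the kernel's struct module_signature (12 bytes, no padding). */
struct module_signature {
    uint8_t  algo;        /* must be 0 for PKCS#7 */
    uint8_t  hash;        /* must be 0 for PKCS#7 */
    uint8_t  id_type;     /* PKEY_ID_PKCS7 */
    uint8_t  signer_len;  /* must be 0 for PKCS#7 */
    uint8_t  key_id_len;  /* must be 0 for PKCS#7 */
    uint8_t  __pad[3];    /* must be 0 */
    uint32_t sig_len;     /* big-endian length of the PKCS#7 blob */
};

/* Where the signature sits and what it covers. */
struct modsig_view {
    size_t         data_len;  /* bytes covered by the signature */
    const uint8_t *sig;       /* start of the PKCS#7 blob */
    size_t         sig_len;
};

static uint32_t be32_load(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void be32_store(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Returns 0 and fills *out on success, 1 if there is no trailer at all
 * (the file is simply unsigned), -1 if a trailer is present but malformed.
 * A malformed trailer must be treated as a failed verification, not as
 * "unsigned", or an attacker could strip the check by corrupting one byte. */
int modsig_locate(const uint8_t *buf, size_t len, struct modsig_view *out)
{
    const size_t hdr = sizeof(struct module_signature);
    const uint8_t *ms;
    size_t sig_len;

    if (len < MODULE_SIG_LEN + hdr ||
        memcmp(buf + len - MODULE_SIG_LEN, MODULE_SIG_STRING, MODULE_SIG_LEN) != 0)
        return 1;

    ms = buf + len - MODULE_SIG_LEN - hdr;
    if (ms[2] != PKEY_ID_PKCS7)                       /* id_type */
        return -1;
    if (ms[0] || ms[1] || ms[3] || ms[4] ||           /* algo, hash, lens */
        ms[5] || ms[6] || ms[7])                      /* __pad */
        return -1;
    sig_len = be32_load(ms + 8);
    if (sig_len > len - MODULE_SIG_LEN - hdr)          /* blob can't exceed file */
        return -1;

    out->data_len = len - MODULE_SIG_LEN - hdr - sig_len;
    out->sig      = buf + out->data_len;
    out->sig_len  = sig_len;
    return 0;
}

/* Builds data || sig || module_signature || marker, as sign-file does.
 * Returns the total length, or 0 if the output buffer is too small. */
size_t modsig_append(uint8_t *dst, size_t cap, const uint8_t *data, size_t dlen,
                     const uint8_t *sig, size_t slen)
{
    uint8_t hdr[sizeof(struct module_signature)] = { 0 };
    size_t total = dlen + slen + sizeof hdr + MODULE_SIG_LEN;

    if (slen > 0xffffffffu || total > cap)
        return 0;
    hdr[2] = PKEY_ID_PKCS7;
    be32_store(hdr + 8, (uint32_t)slen);
    memcpy(dst, data, dlen);
    memcpy(dst + dlen, sig, slen);
    memcpy(dst + dlen + slen, hdr, sizeof hdr);
    memcpy(dst + dlen + slen + sizeof hdr, MODULE_SIG_STRING, MODULE_SIG_LEN);
    return total;
}

/* Constructed sample input: a fake payload and a fake 5-byte "PKCS#7" blob. */
static const uint8_t sample_data[] = "kexec image payload (constructed)";
static const uint8_t sample_sig[]  = { 0x30, 0x82, 0x01, 0x02, 0x03 };

/* Round trip: returns the covered data length (33) or -1 on mismatch. */
int modsig_demo_roundtrip(void)
{
    uint8_t buf[128];
    struct modsig_view v;
    size_t n = modsig_append(buf, sizeof buf, sample_data, sizeof sample_data - 1,
                             sample_sig, sizeof sample_sig);
    if (!n || modsig_locate(buf, n, &v) != 0)
        return -1;
    if (v.sig_len != sizeof sample_sig || memcmp(v.sig, sample_sig, v.sig_len))
        return -1;
    return (int)v.data_len;
}

/* Tamper with id_type (set to X.509 = 1): locate must report malformed. */
int modsig_demo_bad_idtype(void)
{
    uint8_t buf[128];
    struct modsig_view v;
    size_t n = modsig_append(buf, sizeof buf, sample_data, sizeof sample_data - 1,
                             sample_sig, sizeof sample_sig);
    buf[n - MODULE_SIG_LEN - sizeof(struct module_signature) + 2] = 1;
    return modsig_locate(buf, n, &v);
}

/* A plain file with no trailer is reported as unsigned (1), not malformed. */
int modsig_demo_unsigned(void)
{
    struct modsig_view v;
    return modsig_locate(sample_data, sizeof sample_data - 1, &v);
}

int main(void)
{
    printf("roundtrip data_len=%d bad_idtype=%d unsigned=%d\n",
           modsig_demo_roundtrip(), modsig_demo_bad_idtype(), modsig_demo_unsigned());
    return 0;
}
```

The distinction between return codes 1 and -1 matters for policy: an IMA rule with appraise_type=imasig|modsig can fall back to the xattr signature when no trailer is present, but a present-yet-corrupt trailer should fail the appraisal rather than be silently ignored. The data_len field is also what a measurement of the file must be taken over if the digest is to match what the signer hashed, since the signer never saw the trailer it was about to append.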

Thread overview: 5+ messages
2019-09-11 21:29 Mimi Zohar [this message]
2019-09-16 20:38 ` [GIT PULL] integrity subsystem updates for v5.4 Linus Torvalds
2019-09-16 22:13   ` Mimi Zohar
2019-09-27 16:08     ` Mimi Zohar
2019-09-28  3:00 ` pr-tracker-bot
