From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: zohar@linux.ibm.com, James.Bottomley@HansenPartnership.com,
	linux-integrity@vger.kernel.org
Cc: eric.snowberg@oracle.com, dhowells@redhat.com,
	mathew.j.martineau@linux.intel.com, matthewgarrett@google.com,
	sashal@kernel.org, jamorris@linux.microsoft.com,
	linux-kernel@vger.kernel.org, keyrings@vger.kernel.org
Subject: [PATCH 0/4] KEYS: Measure keys when they are created or updated
Date: Tue, 07 Jan 2020 19:43:46 +0000
Message-ID: <20200107194350.3782-1-nramas@linux.microsoft.com>

commit 88e70da170e8 ("IMA: Define an IMA hook to measure keys")
in next-integrity added an IMA hook to measure keys when they
are created or updated in the system. This hook is defined in
ima_asymmetric_keys.c which was built if
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE was defined.
But this config is a tristate (and not a bool type).
If CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE was set to "m" in
the .config, ima_asymmetric_keys.c was built as a kernel module
when it is not a kernel module. This issue was reported by
"kbuild test robot <lkp@intel.com>".

This change defines a new config namely
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS to enable building
ima_asymmetric_keys.c. This new config is enabled when both
CONFIG_IMA and CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE are defined.

Lakshmi Ramasubramanian (4):
  IMA: Define an IMA hook to measure keys
  KEYS: Call the IMA hook to measure keys
  IMA: Add support to limit measuring keys
  IMA: Read keyrings= option from the IMA policy

 Documentation/ABI/testing/ima_policy         | 10 ++-
 include/linux/ima.h                          | 14 +++
 security/integrity/ima/Kconfig               |  9 ++
 security/integrity/ima/Makefile              |  1 +
 security/integrity/ima/ima.h                 |  8 +-
 security/integrity/ima/ima_api.c             |  8 +-
 security/integrity/ima/ima_appraise.c        |  4 +-
 security/integrity/ima/ima_asymmetric_keys.c | 58 +++++++++++++
 security/integrity/ima/ima_main.c            |  9 +-
 security/integrity/ima/ima_policy.c          | 91 ++++++++++++++++++--
 security/keys/key.c                          | 10 +++
 11 files changed, 204 insertions(+), 18 deletions(-)
 create mode 100644 security/integrity/ima/ima_asymmetric_keys.c

-- 
2.17.1
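
The tristate problem described in the cover letter can be checked against a kernel .config. The script below is an added example, not code from the patch series: it reports which kbuild list (obj-y, obj-m, or the ignored "obj-") ima_asymmetric_keys.o would land in under each gate. It assumes the earlier Makefile rule was keyed directly on CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE; the function names and the sample .config contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the patch series.

# Print the value (y, m, ...) of a CONFIG_ symbol in a .config file,
# or "unset" when it is absent or only appears as "# ... is not set".
config_value() {
    # $1 = .config path, $2 = symbol name including the CONFIG_ prefix
    v=$(sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# kbuild expands obj-$(CONFIG_X) with the symbol's value, so a tristate
# set to m selects obj-m (module) and an unset symbol selects "obj-".
kbuild_list() {
    case "$(config_value "$1" "$2")" in
        y) echo obj-y ;;
        m) echo obj-m ;;
        *) echo obj- ;;
    esac
}

# Report where each gate would place ima_asymmetric_keys.o.
# Assumption: the earlier rule was keyed on the tristate symbol itself.
ima_key_measure_status() {
    old=$(kbuild_list "$1" CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE)
    new=$(kbuild_list "$1" CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS)
    echo "tristate-gate=$old bool-gate=$new"
}

# Write constructed .config lines (not from a real system) to a temp file.
sample_config() {
    f=$(mktemp)
    printf '%s\n' "$@" > "$f"
    echo "$f"
}

# Demo: the case reported by the kbuild test robot, tristate set to m.
cfg=$(sample_config 'CONFIG_IMA=y' 'CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=m')
ima_key_measure_status "$cfg"
rm -f "$cfg"
```

A "tristate-gate=obj-m" result marks a configuration in which a rule keyed on the tristate would try to build the IMA hook as a module; on a deployed system, pass the running kernel's config file to ima_key_measure_status instead of a sample.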
