Re: [PATCH v3 08/10] evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509

2024-03-19 Thread Mimi Zohar
On Fri, 2024-02-23 at 12:25 -0500, Stefan Berger wrote: > Unsupported filesystems currently do not enforce any signatures. Add > support for signature enforcement of the "original" and "portable & > immutable" signatures when EVM_INIT_X509 is enabled. > > The "original" signature type contains

Re: [PATCH v3 01/10] ima: Rename backing_inode to real_inode

2024-03-19 Thread Mimi Zohar
Hi Stefan, On Fri, 2024-02-23 at 12:25 -0500, Stefan Berger wrote: > Rename the backing_inode variable to real_inode since it gets its value > from real_inode(). > > Suggested-by: Amir Goldstein > Co-developed-by: Mimi Zohar > Signed-off-by: Stefan Berger > Acked-by: Amir Goldstein Thanks

Re: [PATCH v3 02/10] security: allow finer granularity in permitting copy-up of security xattrs

2024-03-19 Thread Mimi Zohar
On Fri, 2024-02-23 at 12:25 -0500, Stefan Berger wrote: > Copying up xattrs is solely based on the security xattr name. For finer > granularity add a dentry parameter to the security_inode_copy_up_xattr > hook definition, allowing decisions to be based on the xattr content as > well. > >

Re: [PATCH v3 04/10] evm: Use the metadata inode to calculate metadata hash

2024-03-19 Thread Mimi Zohar
On Fri, 2024-02-23 at 12:25 -0500, Stefan Berger wrote: > Changes to file attributes (mode bits, uid, gid) on the lower layer are > not taken into account when d_backing_inode() is used when a file is > accessed on the overlay layer and this file has not yet been copied up. > This is because

Re: [PATCH v3 10/10] evm: Rename is_unsupported_fs to is_unsupported_hmac_fs

2024-03-19 Thread Mimi Zohar
On Fri, 2024-02-23 at 12:25 -0500, Stefan Berger wrote: > Rename is_unsupported_fs to is_unsupported_hmac_fs since now only HMAC is > unsupported. > > Co-developed-by: Mimi Zohar > Signed-off-by: Stefan Berger Signed-off-by: Mimi Zohar

Re: [PATCH v3 09/10] fs: Rename SB_I_EVM_UNSUPPORTED to SB_I_EVM_HMAC_UNSUPPORTED

2024-03-19 Thread Mimi Zohar
On Fri, 2024-02-23 at 12:25 -0500, Stefan Berger wrote: > Now that EVM supports RSA signatures for previously completely > unsupported filesystems rename the flag SB_I_EVM_UNSUPPORTED to > SB_I_EVM_HMAC_UNSUPPORTED to reflect that only HMAC is not supported. > > Suggested-by: Amir Goldstein >

Re: [PATCH v3 07/10] ima: re-evaluate file integrity on file metadata change

2024-03-19 Thread Mimi Zohar
> @@ -286,7 +288,8 @@ static int process_measurement(struct file *file, const > struct cred *cred, > } > > /* > - * On stacked filesystems, detect and re-evaluate file data changes. > + * On stacked filesystems, detect and re-evaluate file data and > + * metadata
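Review bot: the comment at @@ -286,7 +288,8 @@ in process_measurement() now promises re-evaluation on metadata changes, but this fragment shows only the comment lines, not the check that backs them; the code directly under the comment should actually compare the inode's metadata against what was recorded at the last evaluation, otherwise the comment overstates what the function checks. Naming the fields that trigger re-evaluation in the comment itself (the rest of the series talks about mode bits, uid and gid) would document the scope of the check where a reader will look for it.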

Re: [PATCH v3 03/10] evm: Implement per signature type decision in security_inode_copy_up_xattr

2024-03-19 Thread Mimi Zohar
On Fri, 2024-02-23 at 12:25 -0500, Stefan Berger wrote: > To support "portable and immutable signatures" on otherwise unsupported > filesystems, determine the EVM signature type by the content of a file's > xattr. If the file has the appropriate signature type then allow it to be > copied up. All
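The two EVM messages above (patch 08/10 on enforcing "original" and "portable & immutable" signatures, and patch 03/10 on deciding copy-up from the xattr content) both hinge on the same fact: the first byte of the security.evm value names the signature type, and only the portable type is independent of the inode it was written on. The C below is an added example, not code from the kernel or from this series. It models that decision in userspace. The type byte values (HMAC = 2, original DIGSIG = 3, portable DIGSIG = 5) follow the kernel's enum evm_ima_xattr_type and the header layout follows struct signature_v2_hdr; the verdict names, the function names and the sample xattr values are this example's own and the samples are constructed, not real signatures.

```c
/*
 * Added example, not kernel code: model of the per-signature-type
 * copy-up decision for the security.evm xattr. Type byte values follow
 * the kernel's enum evm_ima_xattr_type; the header layout follows
 * struct signature_v2_hdr (type, version, hash_algo, big-endian keyid,
 * big-endian sig_size, then the signature bytes). Function and verdict
 * names are hypothetical, chosen for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum evm_xattr_type {
    EVM_XATTR_HMAC            = 2, /* per-machine HMAC, bound to this inode */
    EVM_IMA_XATTR_DIGSIG      = 3, /* "original" signature: covers ino/generation/fs uuid */
    EVM_XATTR_PORTABLE_DIGSIG = 5, /* "portable & immutable": no inode-specific input */
};

enum copy_up_verdict {
    COPY_UP_MALFORMED = -1, /* unparsable value: refuse to carry it up */
    COPY_UP_DISCARD   =  0, /* valid but inode-bound: drop on copy-up */
    COPY_UP_KEEP      =  1, /* filesystem independent: copy up as-is */
};

struct evm_sig_hdr {
    uint8_t  type;
    uint8_t  version;
    uint8_t  hash_algo;
    uint32_t keyid;
    uint16_t sig_size;
};

#define EVM_SIG_HDR_LEN 9 /* 1 + 1 + 1 + 4 + 2 bytes precede the signature */

/* Parse the fixed header and require exactly sig_size bytes after it. */
int evm_parse_sig_hdr(const uint8_t *x, size_t len, struct evm_sig_hdr *h)
{
    if (len < EVM_SIG_HDR_LEN)
        return -1;
    h->type      = x[0];
    h->version   = x[1];
    h->hash_algo = x[2];
    h->keyid     = ((uint32_t)x[3] << 24) | ((uint32_t)x[4] << 16) |
                   ((uint32_t)x[5] << 8)  |  (uint32_t)x[6];
    h->sig_size  = (uint16_t)(((uint16_t)x[7] << 8) | x[8]);
    if (len != EVM_SIG_HDR_LEN + (size_t)h->sig_size)
        return -1; /* truncated value or trailing garbage */
    return 0;
}

/* Key id from a well-formed signature header, 0 if the value is malformed. */
uint32_t evm_sig_keyid(const uint8_t *x, size_t len)
{
    struct evm_sig_hdr h;
    return evm_parse_sig_hdr(x, len, &h) == 0 ? h.keyid : 0;
}

/* Decide from the xattr content alone whether it may survive copy-up. */
int evm_copy_up_verdict(const uint8_t *x, size_t len)
{
    struct evm_sig_hdr h;

    if (len == 0)
        return COPY_UP_MALFORMED;
    switch (x[0]) {
    case EVM_XATTR_PORTABLE_DIGSIG:
        /* Only a well-formed portable signature is worth carrying over. */
        return evm_parse_sig_hdr(x, len, &h) == 0 ? COPY_UP_KEEP : COPY_UP_MALFORMED;
    case EVM_IMA_XATTR_DIGSIG:
    case EVM_XATTR_HMAC:
        /* Both bind the lower inode and can never verify on the upper one. */
        return COPY_UP_DISCARD;
    default:
        return COPY_UP_MALFORMED;
    }
}

/* Constructed sample values (not real signatures): keyid 0x1122, 4 dummy sig bytes. */
const uint8_t sample_portable[]  = { 5, 2, 4, 0x00, 0x00, 0x11, 0x22, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef };
const uint8_t sample_original[]  = { 3, 2, 4, 0x00, 0x00, 0x11, 0x22, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef };
const uint8_t sample_hmac[]      = { 2, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19 };
const uint8_t sample_truncated[] = { 5, 2, 4, 0x00, 0x00, 0x11, 0x22, 0x01, 0x00 }; /* claims 256 sig bytes, has none */
const uint8_t sample_unknown[]   = { 7 };

int main(void)
{
    printf("portable:  %d\n", evm_copy_up_verdict(sample_portable, sizeof sample_portable));
    printf("original:  %d\n", evm_copy_up_verdict(sample_original, sizeof sample_original));
    printf("hmac:      %d\n", evm_copy_up_verdict(sample_hmac, sizeof sample_hmac));
    printf("truncated: %d\n", evm_copy_up_verdict(sample_truncated, sizeof sample_truncated));
    printf("unknown:   %d\n", evm_copy_up_verdict(sample_unknown, sizeof sample_unknown));
    return 0;
}
```

The length check in evm_parse_sig_hdr is the part a practitioner should not skip: a type byte of 5 followed by a header whose sig_size does not match the value length is not a portable signature that happens to be short, it is a malformed value, and treating it as "keep" would carry an unverifiable xattr to the upper layer.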

Re: [PATCH v2] tpm: Fix suspend/shutdown on some boards by preserving chip Locality

2024-03-19 Thread Jarkko Sakkinen
On Tue Mar 19, 2024 at 11:38 PM EET, Jarkko Sakkinen wrote: > On Tue Mar 19, 2024 at 9:57 PM EET, Jarkko Sakkinen wrote: > > On Wed Mar 13, 2024 at 7:02 PM EET, Adam Alves wrote: > > > Hi Jarkko, > > > > > > Thank you very much for kindly reviewing this proposal. > > > > > > After one week without

Re: [PATCH v2] tpm: Fix suspend/shutdown on some boards by preserving chip Locality

2024-03-19 Thread Jarkko Sakkinen
On Tue Mar 19, 2024 at 9:57 PM EET, Jarkko Sakkinen wrote: > On Wed Mar 13, 2024 at 7:02 PM EET, Adam Alves wrote: > > Hi Jarkko, > > > > Thank you very much for kindly reviewing this proposal. > > > > After one week without any issues with my PC hanging, it happened > > again. It seems that the

[PATCH v2] MAINTAINERS: Update URL's for KEYS/KEYRINGS_INTEGRITY and TPM DEVICE DRIVER

2024-03-19 Thread Jarkko Sakkinen
Add TPM driver test suite URL to the MAINTAINERS files and move the wiki URL to more appropriate location. Link: https://gitlab.com/jarkkojs/linux-tpmdd-test Link: https://kernsec.org/wiki/index.php/Linux_Kernel_Integrity Cc: Jason Gunthorpe Cc: Mimi Zohar Cc: Peter Huewe Cc:

Re: [PATCH] MAINTAINERS: Update W's for KEYS/KEYRINGS_INTEGRITY and TPM DEVICE RIVER

2024-03-19 Thread Jarkko Sakkinen
On Tue Feb 27, 2024 at 8:22 PM EET, Jarkko Sakkinen wrote: > On Mon Feb 26, 2024 at 12:11 PM EET, James Bottomley wrote: > > On Mon, 2024-02-26 at 11:26 +0200, Jarkko Sakkinen wrote: > > > On Mon Feb 26, 2024 at 8:49 AM EET, James Bottomley wrote: > > > > On Mon, 2024-02-26 at 08:22 +0200, Jarkko

Re: [PATCH v2] tpm: Fix suspend/shutdown on some boards by preserving chip Locality

2024-03-19 Thread Jarkko Sakkinen
On Thu Mar 14, 2024 at 6:31 PM EET, Adam Alves wrote: > Hi Jarkko, > > I have an update here. I would like you to check if it makes sense > before I submit a patch. > > The problem might be related to the chip itself which leaves the idle > state whenever the locality is relinquished. There's no

Re: [PATCH v2] tpm: Fix suspend/shutdown on some boards by preserving chip Locality

2024-03-19 Thread Jarkko Sakkinen
On Wed Mar 13, 2024 at 7:02 PM EET, Adam Alves wrote: > Hi Jarkko, > > Thank you very much for kindly reviewing this proposal. > > After one week without any issues with my PC hanging, it happened > again. It seems that the fix I am proposing is not final (it only > reduced the frequency since it

Re: [ima-evm-utils: PATCH v2 1/1] Change license to LGPL-2.0-or-later and GPL-2.0-or-later

2024-03-19 Thread Alberto Mardegan
On 18.03.2024 18:42, Dmitry Kasatkin wrote: [...] >> To address this issue, change the project license to GPL-2.0-or-later >> and libimaevm to LGPL 2.0 or later. Acked-by: Alberto Mardegan -- Best regards, Alberto Mardegan, Lead Developer https://auroraos.ru/