On Tue, 2018-07-24 at 12:31 +, Udit Agarwal wrote:
> Yes the secure keys and CAAM are correlated. Secure keys depend on
> NXP CAAM crypto HW accelerator. Secure key is a random data of
> length X (passed using keyctl command) & derived using CAAM. Blob of
> this data is also created using
On Fri, 2018-07-20 at 11:16 +0530, Udit Agarwal wrote:
> Secure keys are derived using CAAM crypto block.
>
> Secure keys derived are the random number symmetric keys from CAAM.
> Blobs corresponding to the key are formed using CAAM. User space
> will only be able to view the blob of the key.
Thanks, Randy.
On Thu, 2018-07-19 at 13:15 -0700, Randy Dunlap wrote:
> From: Randy Dunlap
>
> Fix build error when CONFIG_FW_LOADER=m, CONFIG_FW_LOADER_USER_HELPER=y,
> CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y, and CONFIG_SECURITY=y:
>
> ERROR: "security_kernel_load_data"
>
On Tue, 2018-07-17 at 14:40 +1000, Stephen Rothwell wrote:
> Hi all,
>
> After merging the integrity tree, today's linux-next build (x86_64
> allmodconfig) failed like this:
>
> security/integrity/ima/ima_main.c:549:5: error: redefinition of
> 'ima_load_data'
> int ima_load_data(enum
On Sat, 2018-07-14 at 19:30 -0700, Kees Cook wrote:
> On Fri, Jul 13, 2018 at 11:06 AM, Mimi Zohar wrote:
> > Both the init_module and finit_module syscalls call either directly
> > or indirectly the security_kernel_read_file LSM hook. This patch
> > replaces the direc
On Tue, 2018-07-10 at 08:56 +0200, Ard Biesheuvel wrote:
> On 10 July 2018 at 08:51, Ard Biesheuvel wrote:
> > On 9 July 2018 at 21:41, Mimi Zohar wrote:
> >> On Mon, 2018-07-02 at 17:30 +0200, Ard Biesheuvel wrote:
> >>> On 2 July 2018 at 16:38, Mimi Zoha
On Tue, 2018-07-03 at 19:32 +0300, Jarkko Sakkinen wrote:
> On Mon, 2018-07-02 at 13:00 -0400, Mimi Zohar wrote:
> > On Mon, 2018-07-02 at 11:24 -0400, Stefan Berger wrote:
> > > Rather than accessing the TPM functions by passing a NULL pointer for
> > > the tpm_
On Tue, 2018-07-03 at 07:19 -0400, Stefan Berger wrote:
> Remove the unused is_ima_appraise_enabled() function.
is_ima_appraise_enabled() was introduced to coordinate between IMA and
the lockdown patch set. Before removing it, let's wait and see if it
is still needed by the lockdown patches.
o get rid of
> the ima_used_chip variable and use the new ima_tpm_chip variable instead
> for determining whether to call TPM functions.
>
> Signed-off-by: Stefan Berger
> Acked-by: Jarkko Sakkinen
Signed-off-by: Mimi Zohar
Jarkko, would you mind staging this patch with the rest of the patch
set?
Hi Stefan,
On Tue, 2018-06-26 at 15:09 -0400, Stefan Berger wrote:
> Get rid of ima_used_chip and use ima_tpm_chip variable instead for
> determining whether to use the TPM chip.
I don't see a need for separating this change from the previous patch.
Could you squash this patch with the previous
On Fri, 2018-06-29 at 15:13 +0300, Jarkko Sakkinen wrote:
> On Tue, 2018-06-26 at 15:09 -0400, Stefan Berger wrote:
> > This series of patches converts IMA's usage of the tpm_chip to find a TPM
> > chip initially and use it until the machine is shut down. To do this we need
> > to introduce a kref
On Wed, 2018-06-20 at 16:42 -0400, Stefan Berger wrote:
> Rather than accessing the TPM functions using a NULL pointer, which
> causes a lookup for a suitable chip every time, get a hold of a tpm_chip
> and access the TPM functions using this chip. We call the tpm_chip
> ima_tpm_chip and protect
On Tue, 2018-06-12 at 12:27 +0800, Zhouyang Jia wrote:
> When kmem_cache_create fails, the lack of error-handling code may
> cause unexpected results.
>
> This patch adds error-handling code after calling kmem_cache_create.
The slab is being created during __init. Under what circumstances do
you
On Thu, 2018-05-31 at 19:11 +0800, Yisheng Xie wrote:
> match_string() returns the index of an array for a matching string,
> which can be used instead of open coded variant.
>
> Reviewed-by: Mimi Zohar
> Reviewed-by: Andy Shevchenko
> Cc: Mimi Zohar
> Cc: Dmitry Kasatki
On Sun, 2018-05-27 at 23:15 +0100, Colin King wrote:
> From: Colin Ian King
>
> The allocation of 'temp' is not kfree'd and hence there is a memory
> leak on each call of evm_read_xattrs. Fix this by kfree'ing it
> after copying data from it back to the user space buffer 'buf'.
>
> Detected by
Add an LSM hook prior to allowing firmware sysfs fallback loading.
Signed-off-by: Mimi Zohar
Cc: Luis R. Rodriguez
Cc: David Howells
Cc: Kees Cook
Changelog v4:
- call new LSM security_kernel_arg hook
Changelog v2:
- call security_kernel_read_blob()
- rename the READING_FIRMWARE_FALLBACK
Hi Dan,
On Tue, 2018-05-29 at 12:05 +0300, Dan Carpenter wrote:
> Not really related to this patch except I was looking at the function:
>
> security/integrity/evm/evm_secfs.c
>191 ab = audit_log_start(NULL, GFP_KERNEL,
> AUDIT_INTEGRITY_EVM_XATTR);
>192 if
Hi Colin,
On Sun, 2018-05-27 at 23:55 +0100, Colin King wrote:
> From: Colin Ian King
>
> In the case where the allocation of xattr fails and xattr is NULL, the
> error exit return path via label 'out' will dereference xattr when
> kfree'ing xattr-name. Fix this by only kfree'ing xattr->name
On Thu, 2018-05-24 at 15:49 -0500, Eric W. Biederman wrote:
Thank you for the sample code below. It needs to be broken up into
proper patches, with some changes, but it is a good start.
Mimi
> diff --git a/drivers/base/firmware_loader/fallback.c
> b/drivers/base/firmware_loader/fallback.c
>
On Thu, 2018-05-24 at 15:49 -0500, Eric W. Biederman wrote:
> I already nacked this approach because the two cases don't
> share a bit of code. When I looked closer it was even crazier.
It hasn't been clear what you meant by "the two cases don't share a
bit of code". The first attempt called
the hook (eg. loadpin, init_module, IMA).
Signed-off-by: Mimi Zohar
Cc: Eric Biederman
Cc: Luis R. Rodriguez
Cc: Kees Cook
Cc: David Howells
Cc: Casey Schaufler
Changelog v3:
- Rename security_kernel_read_file to security_kernel_read_data().
Changelog v2:
- Define a generic
d by Luis.
- removed the CONFIG_CFG80211_REQUIRE_SIGNED_REGDB ifdef. If both REGDB
and an IMA-appraisal policy require signed firmware, for now require
both signatures. Subsequent patches might change this.
- Still unclear if the pre-allocated firmware buffer can be accessed
Mimi Zohar (7)
signatures. This build time
policy is automatically enabled at runtime. The build time policy rules
persist after loading a custom policy.
Signed-off-by: Mimi Zohar
---
security/integrity/ima/Kconfig | 58 +
security/integrity/ima/ima_policy.c | 46
In order for LSMs and IMA-appraisal to differentiate between the
original and new syscalls, both the original and new syscalls must call
an LSM hook. This patch adds a call to security_kernel_read_data() in
the original kexec syscall.
Signed-off-by: Mimi Zohar
Cc: Eric Biederman
Cc: Luis R
With an IMA policy requiring signed firmware, this patch prevents
the sysfs fallback method of loading firmware.
Signed-off-by: Mimi Zohar
Cc: Luis R. Rodriguez
Cc: David Howells
Cc: Matthew Garrett
---
security/integrity/ima/ima_main.c | 7 +++
1 file changed, 7 insertions(+)
diff
The original kexec_load syscall can not verify file signatures. This
patch differentiates between the kexec_load and kexec_file_load
syscalls.
Signed-off-by: Mimi Zohar
Cc: Eric Biederman
Cc: Luis R. Rodriguez
Cc: Kees Cook
Cc: David Howells
Changelog v3:
- use switch/case
---
security
signature?
Is it dependent on the type of buffer allocated (eg. DMA)? For example,
qcom_mdt_load() -> qcom_scm_pas_init_image() -> dma_alloc_coherent().
With an IMA policy requiring signed firmware, this patch would prevent
loading firmware into a pre-allocated buffer.
Signed-off-by: Mimi Zoh
Add an LSM hook prior to allowing firmware sysfs fallback loading.
Signed-off-by: Mimi Zohar
Cc: Luis R. Rodriguez
Cc: David Howells
Cc: Kees Cook
Changelog:
- call security_kernel_read_blob()
- rename the READING_FIRMWARE_FALLBACK kernel_read_file_id enumeration
On Mon, 2018-05-21 at 19:58 +0800, Yisheng Xie wrote:
> match_string() returns the index of an array for a matching string,
> which can be used instead of open coded variant.
>
> Cc: Mimi Zohar
> Cc: Dmitry Kasatkin
> Cc: James Morris
> Cc: "Serge E. H
On Sat, 2018-05-19 at 03:13 +1000, James Morris wrote:
> On Thu, 17 May 2018, Eric W. Biederman wrote:
>
> > Nacked-by: "Eric W. Biederman"
> >
> > Nack on this sharing nonsense. These two interfaces do not share any
> > code in their implementations other than the if statement to distinguish
On Fri, 2018-05-18 at 11:56 -0400, Richard Guy Briggs wrote:
> On 2018-05-18 10:39, Mimi Zohar wrote:
> > On Fri, 2018-05-18 at 09:54 -0400, Stefan Berger wrote:
> > > On 05/18/2018 08:53 AM, Mimi Zohar wrote:
> >
> > [..]
> >
> > > >>>>
On Fri, 2018-05-18 at 07:58 -0700, Casey Schaufler wrote:
> On 5/18/2018 4:30 AM, Mimi Zohar wrote:
> > Having to define a separate LSM hook for each of the original, non
> > kernel_read_file(), buffer based method callers, kind of makes sense,
> > as the callers th
On Fri, 2018-05-18 at 09:54 -0400, Stefan Berger wrote:
> On 05/18/2018 08:53 AM, Mimi Zohar wrote:
[..]
> >>>> If so, which ones? We could probably refactor the current
> >>>> integrity_audit_message() and have ima_parse_rule() call into it to get
> >>
On Fri, 2018-05-18 at 07:49 -0400, Stefan Berger wrote:
> On 05/17/2018 05:30 PM, Richard Guy Briggs wrote:
[...]
> >>> auxiliary record either by being converted to a syscall auxiliary record
> >>> by using current->audit_context rather than NULL when calling
> >>> audit_log_start(), or
On Thu, 2018-05-17 at 22:37 -0500, Eric W. Biederman wrote:
> Casey Schaufler writes:
>
> > On 5/17/2018 7:48 AM, Mimi Zohar wrote:
> >> In order for LSMs and IMA-appraisal to differentiate between the original
> >> and new syscalls (eg. kexec, kernel modules
The original kexec_load syscall can not verify file signatures. This
patch differentiates between the kexec_load and kexec_file_load
syscalls.
Signed-off-by: Mimi Zohar
Cc: Eric Biederman
Cc: Luis R. Rodriguez
Cc: Kees Cook
Cc: David Howells
---
security/integrity/ima/ima.h| 1
ef8e2e ("ima: define a set of appraisal rules requiring file
signatures")
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima_policy.c | 28 +++-
1 file changed, 19 insertions(+), 9 deletions(-)
diff --git a/security/integrity/ima/ima_policy.c
b/security/in
Don't differentiate between kernel_read_file_id READING_FIRMWARE and
READING_FIRMWARE_PREALLOC_BUFFER enumerations.
Fixes: a098ecd firmware: support loading into a pre-allocated buffer (since 4.8)
Signed-off-by: Mimi Zohar
Cc: Luis R. Rodriguez
Cc: David Howells
Cc: Kees Cook
Cc: Serge E
the security hook name is inappropriate. Instead of defining a new LSM
hook, this patch defines security_kernel_read_blob() as a wrapper for
the existing LSM security_kernel_file_read() hook.
Signed-off-by: Mimi Zohar
Cc: Eric Biederman
Cc: Luis R. Rodriguez
Cc: Kees Cook
Cc: David How
In order for LSMs and IMA-appraisal to differentiate between the
original and new syscalls, both the original and new syscalls must call
an LSM hook. This patch adds a call to security_kernel_read_blob() in
the original kexec syscall.
Signed-off-by: Mimi Zohar
Cc: Eric Biederman
Cc: Luis R
of buffer allocated (eg. DMA)? For example,
qcom_mdt_load() -> qcom_scm_pas_init_image() -> dma_alloc_coherent().
With an IMA policy requiring signed firmware, this patch would prevent
loading firmware into a pre-allocated buffer.
Signed-off-by: Mimi Zohar
Cc: Luis R. Rodriguez
Cc: David Howel
signatures. This build time
policy is automatically enabled at runtime. The build time policy rules
persist after loading a custom policy.
Signed-off-by: Mimi Zohar
---
security/integrity/ima/Kconfig | 58 +
security/integrity/ima/ima_policy.c | 46
Add an LSM hook prior to allowing firmware sysfs fallback loading.
Signed-off-by: Mimi Zohar
Cc: Luis R. Rodriguez
Cc: David Howells
Cc: Kees Cook
Changelog:
- call security_kernel_read_blob()
- rename the READING_FIRMWARE_FALLBACK kernel_read_file_id enumeration
With an IMA policy requiring signed firmware, this patch prevents
the sysfs fallback method of loading firmware.
Signed-off-by: Mimi Zohar
Cc: Luis R. Rodriguez
Cc: David Howells
Cc: Matthew Garrett
---
security/integrity/ima/ima_main.c | 10 ++
1 file changed, 10 insertions(+)
diff
equent patches might change this.
- Still unclear if the pre-allocated firmware buffer can be accessed
prior to the signature verification completes.
Mimi Zohar (9):
ima: based on policy verify firmware signatures (pre-allocated buffer)
ima: fix updating the ima_appraise fla
Hi Petr,
On Thu, 2018-05-17 at 12:47 +0200, Petr Vorel wrote:
> Previous definition was too late and caused problems in powerpc allyesconfig:
> security/integrity/ima/ima_kexec.c:18:0: warning: "pr_fmt" redefined
> #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>
> In file included from
On Wed, 2018-05-16 at 16:28 -0400, Stefan Berger wrote:
> On 05/15/2018 09:40 AM, Mimi Zohar wrote:
> > Hi Stefan,
> >
> > On Fri, 2018-05-11 at 10:42 -0400, Stefan Berger wrote:
> >> From: Mimi Zohar
> >>
> >> The AUDIT_INTEGRITY_RULE is used for a
Hi Stefan,
On Fri, 2018-05-11 at 10:42 -0400, Stefan Berger wrote:
> From: Mimi Zohar
>
> The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
> the IMA "audit" policy action. This patch defines AUDIT_INTEGRITY_POLICY
> to reflect the IMA policy rules.
On Tue, 2018-05-15 at 08:32 -0400, Josh Boyer wrote:
> One aspect that was always a concern to some is whether the firmware files
> were modified directly to have the signature attached to them. That may
> run afoul of the "no modification" license that most blobs are shipped
> under. Does IMA
On Mon, 2018-05-14 at 19:28 +, Luis R. Rodriguez wrote:
[...]
> > At runtime, in the case
> > that regdb is enabled and a custom policy requires IMA-appraisal
> > firmware signature verification, then both signature verification
> > methods will verify the signatures. If either fails, then