[ANNOUNCE] Linux Security Summit North America 2018 - CFP
==
ANNOUNCEMENT AND CALL FOR PARTICIPATION

LINUX SECURITY SUMMIT NORTH AMERICA 2018

27-28 August
VANCOUVER, CANADA
==

DESCRIPTION

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

LSS will be held this year as two separate events, one in North America (LSS-NA), and one in Europe (LSS-EU), to facilitate broader participation in Linux Security development. Note that this CFP is for LSS-NA; a separate CFP will be announced for LSS-EU in May. We encourage everyone to attend both events.

The program committee currently seeks proposals for:

* Refereed Presentations: 45 minutes in length.
* Panel Discussion Topics: 45 minutes in length.
* Short Topics: 30 minutes in total, including at least 10 minutes discussion.
* BoF Sessions.

Topic areas include, but are not limited to:

* Kernel self-protection
* Access control
* Cryptography and key management
* Integrity control
* Hardware Security
* IoT and embedded security
* Virtualization and containers
* System-specific system hardening
* Case studies
* Security tools
* Security UX
* Emerging technologies, threats & techniques

Proposals should be submitted via:

https://events.linuxfoundation.org/events/linux-security-summit-north-america-2018/program/cfp/

DATES

* CFP Close: June 3, 2018
* CFP Notifications: June 11, 2018
* Schedule Announced: June 25, 2018
* Event: August 27-28, 2018

WHO SHOULD ATTEND

We're seeking a diverse range of attendees, and welcome participation by people involved in Linux security development, operations, and research.

The LSS is a unique global event which provides the opportunity to present and discuss your work or research with key Linux security community members and maintainers. It’s also useful for those who wish to keep up with the latest in Linux security development, and to provide input to the development process.

WEB SITE

https://events.linuxfoundation.org/events/linux-security-summit-north-america-2018/

TWITTER

For event updates and announcements, follow:

https://twitter.com/LinuxSecSummit

PROGRAM COMMITTEE

The program committee for LSS 2018 is:

* James Morris, Microsoft
* Serge Hallyn, Cisco
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Elena Reshetova, Intel
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM
* David A. Wheeler, Institute for Defense Analyses

The program committee may be contacted as a group via email:

lss-pc () lists.linuxfoundation.org
Re: [PATCH v2] tpm: Move Linux RNG connection to hwrng
On Tue, 30 Jan 2018, Jarkko Sakkinen wrote:

> On Sat, Jan 27, 2018 at 12:20:18PM +0530, PrasannaKumar Muralidharan wrote:
> > Hi Jarkko,
> >
> > On 17 November 2017 at 19:27, Jarkko Sakkinen
> > <jarkko.sakki...@linux.intel.com> wrote:
> > > On Fri, Nov 17, 2017 at 03:28:53PM +0200, Jarkko Sakkinen wrote:
> > >
> > > At least signed-off-by from PrassanaKumar is missing from the 2nd
> > > commit. I'll add it.
> >
> > I had the impression that my signed-off-by will be present in this
> > change. But it is missing in [1]. Is it supposed to be that way?
> >
> > 1.
> > https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=6e592a065d51d26f9d62b8b7501a5114076af8b4
> >
> > Thanks,
> > PrasannaKumar
>
> Yes, it would be senseful.
>
> James, would it still be possible to amend this tag to security tree?

Nope, it's been pushed to Linus.

--
James Morris <jmor...@namei.org>
Re: [PATCH] pkcs7: fix check for self-signed certificate
On Sun, 26 Nov 2017, Eric Biggers wrote: > From: Eric Biggers <ebigg...@google.com> > > pkcs7_validate_trust_one() used 'x509->next == x509' to identify a > self-signed certificate. That's wrong; ->next is simply the link in the > linked list of certificates in the PKCS#7 message. It should be > checking ->signer instead. Fix it. > > Fortunately this didn't actually matter because when we re-visited > 'x509' on the next iteration via 'x509->signer', it was already seen and > not verified, so we returned -ENOKEY anyway. > > Signed-off-by: Eric Biggers <ebigg...@google.com> > --- > crypto/asymmetric_keys/pkcs7_trust.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/crypto/asymmetric_keys/pkcs7_trust.c > b/crypto/asymmetric_keys/pkcs7_trust.c > index f6a009d88a33..1f4e25f10049 100644 > --- a/crypto/asymmetric_keys/pkcs7_trust.c > +++ b/crypto/asymmetric_keys/pkcs7_trust.c > @@ -69,7 +69,7 @@ static int pkcs7_validate_trust_one(struct pkcs7_message > *pkcs7, >/* Self-signed certificates form roots of their own, and if we > * don't know them, then we can't accept them. > */ > - if (x509->next == x509) { > + if (x509->signer == x509) { > kleave(" = -ENOKEY [unknown self-signed]"); > return -ENOKEY; > } > -- Reviewed-by: James Morris <james.l.mor...@oracle.com> -- James Morris <james.l.mor...@oracle.com>
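Review bot: in the pkcs7_validate_trust_one() hunk, the comment kept above the changed test ("Self-signed certificates form roots of their own ...") does not say which field identifies a self-signed certificate, which is the confusion the patch corrects; extend it to state that ->signer pointing back at the certificate itself is what the new test `x509->signer == x509` relies on, and that ->next is only the list link. The changelog says the old test never changed the outcome because the re-visit returned -ENOKEY anyway, so it is worth stating explicitly that no stable backport is being requested.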
Re: [PATCH] pkcs7: return correct error code if pkcs7_check_authattrs() fails
On Sun, 26 Nov 2017, Eric Biggers wrote: > From: Eric Biggers <ebigg...@google.com> > > If pkcs7_check_authattrs() returns an error code, we should pass that > error code on, rather than using ENOMEM. > > Fixes: 99db44350672 ("PKCS#7: Appropriately restrict authenticated attributes > and content type") > Signed-off-by: Eric Biggers <ebigg...@google.com> > --- > crypto/asymmetric_keys/pkcs7_parser.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/crypto/asymmetric_keys/pkcs7_parser.c > b/crypto/asymmetric_keys/pkcs7_parser.c > index c1ca1e86f5c4..a6dcaa659aa8 100644 > --- a/crypto/asymmetric_keys/pkcs7_parser.c > +++ b/crypto/asymmetric_keys/pkcs7_parser.c > @@ -148,8 +148,10 @@ struct pkcs7_message *pkcs7_parse_message(const void > *data, size_t datalen) > } > > ret = pkcs7_check_authattrs(ctx->msg); > - if (ret < 0) > + if (ret < 0) { > + msg = ERR_PTR(ret); > goto out; > + } > > msg = ctx->msg; > ctx->msg = NULL; Reviewed-by: James Morris <james.l.mor...@oracle.com> -- James Morris <james.l.mor...@oracle.com>
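Review bot: in the pkcs7_parse_message() hunk, the new `msg = ERR_PTR(ret);` only has the intended effect if nothing on the path after `goto out` overwrites msg, and the out: label is outside the visible context; please confirm that, and add a sentence to the changelog saying where the ENOMEM that the old code passed back came from. If other `goto out` sites in this function also hold a real error in ret, they should be converted in the same patch.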
Re: [PATCH] X.509: fix buffer overflow detection in sprint_oid()
On Sun, 26 Nov 2017, Eric Biggers wrote:

>
> Fixes: 4f73175d0375 ("X.509: Add utility functions to render OIDs as strings")
> Cc: Takashi Iwai <ti...@suse.de>
> Signed-off-by: Eric Biggers <ebigg...@google.com>
> ---
>  lib/oid_registry.c | 8
>  1 file changed, 4 insertions(+), 4 deletions(-)

Reviewed-by: James Morris <james.l.mor...@oracle.com>

--
James Morris <james.l.mor...@oracle.com>
Re: [PATCH] X.509: fix comparisons of ->pkey_algo
On Sun, 26 Nov 2017, Eric Biggers wrote:

> From: Eric Biggers <ebigg...@google.com>
>
> ->pkey_algo used to be an enum, but was changed to a string by commit
> 4e8ae72a75aa ("X.509: Make algo identifiers text instead of enum"). But
> two comparisons were not updated. Fix them to use strcmp().
>
> This bug broke signature verification in certain configurations,
> depending on whether the string constants were deduplicated or not.
>
> Fixes: 4e8ae72a75aa ("X.509: Make algo identifiers text instead of enum")
> Cc: <sta...@vger.kernel.org> # v4.6+
> Signed-off-by: Eric Biggers <ebigg...@google.com>
> ---
>  crypto/asymmetric_keys/pkcs7_verify.c    | 2 +-
>  crypto/asymmetric_keys/x509_public_key.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Reviewed-by: James Morris <james.l.mor...@oracle.com>

--
James Morris <james.l.mor...@oracle.com>
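The failure mode described in the commit message above, as an added user-space example (not code from the patch or from the kernel): comparing algorithm names by address only works when both sides happen to share one copy of the string. struct demo_key, the helper names and the sample records are hypothetical; only the pkey_algo member name comes from the message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a parsed public key or signature record. */
struct demo_key {
	const char *pkey_algo;
};

/* Pre-fix style: compares the addresses of the two strings. */
static int algo_match_by_pointer(const struct demo_key *key,
				 const struct demo_key *sig)
{
	return key->pkey_algo == sig->pkey_algo;
}

/* Post-fix style: compares the algorithm names themselves. */
static int algo_match_by_strcmp(const struct demo_key *key,
				const struct demo_key *sig)
{
	return strcmp(key->pkey_algo, sig->pkey_algo) == 0;
}

/*
 * Constructed sample data. Two separate arrays model string constants that
 * were NOT deduplicated: identical bytes, guaranteed distinct addresses.
 */
static const char algo_in_cert_parser[] = "rsa";
static const char algo_in_sig_parser[] = "rsa";
static const char algo_other[] = "ecdsa";

static const struct demo_key cert_key = { algo_in_cert_parser };
static const struct demo_key sig_dedup = { algo_in_cert_parser };   /* shared copy */
static const struct demo_key sig_separate = { algo_in_sig_parser }; /* own copy */
static const struct demo_key sig_other = { algo_other };

int main(void)
{
	/* Shared copy: both checks agree, so the bug stays hidden. */
	printf("dedup:    pointer=%d strcmp=%d\n",
	       algo_match_by_pointer(&cert_key, &sig_dedup),
	       algo_match_by_strcmp(&cert_key, &sig_dedup));

	/* Separate copies: the pointer check rejects a matching algorithm. */
	printf("separate: pointer=%d strcmp=%d\n",
	       algo_match_by_pointer(&cert_key, &sig_separate),
	       algo_match_by_strcmp(&cert_key, &sig_separate));

	/* A genuinely different algorithm is rejected by both checks. */
	printf("other:    pointer=%d strcmp=%d\n",
	       algo_match_by_pointer(&cert_key, &sig_other),
	       algo_match_by_strcmp(&cert_key, &sig_other));
	return 0;
}
```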
Re: [PATCH] crypto: rsa - fix buffer overread when stripping leading zeroes
On Sun, 26 Nov 2017, Eric Biggers wrote: > Fixes: 5a7de97309f5 ("crypto: rsa - return raw integers for the ASN.1 parser") > Cc: <sta...@vger.kernel.org> # v4.8+ > Cc: Tudor Ambarus <tudor-dan.amba...@nxp.com> > Signed-off-by: Eric Biggers <ebigg...@google.com> > --- > crypto/rsa_helper.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/crypto/rsa_helper.c b/crypto/rsa_helper.c > index 0b66dc824606..cad395d70d78 100644 > --- a/crypto/rsa_helper.c > +++ b/crypto/rsa_helper.c > @@ -30,7 +30,7 @@ int rsa_get_n(void *context, size_t hdrlen, unsigned char > tag, > return -EINVAL; > > if (fips_enabled) { > - while (!*ptr && n_sz) { > + while (n_sz && !*ptr) { > ptr++; > n_sz--; > } Reviewed-by: James Morris <james.l.mor...@oracle.com> -- James Morris <james.l.mor...@oracle.com>
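Review bot: in the rsa_get_n() hunk, the reordered condition `while (n_sz && !*ptr)` stops the dereference past the end, but the loop can still finish with n_sz == 0 and ptr one past the buffer when every byte is zero; the code after the loop is outside the visible context, so please confirm it rejects n_sz == 0 before ptr is used again or a key size is derived from it. A one-line comment on the loop noting that the length must be tested before the dereference would keep the order from being swapped back.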
Re: [PATCH] X.509: reject invalid BIT STRING for subjectPublicKey
On Sun, 26 Nov 2017, Eric Biggers wrote:

> Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
> Cc: <sta...@vger.kernel.org> # v3.7+
> Signed-off-by: Eric Biggers <ebigg...@google.com>
> ---
>  crypto/asymmetric_keys/x509_cert_parser.c | 2 ++
>  1 file changed, 2 insertions(+)

Reviewed-by: James Morris <james.l.mor...@oracle.com>

--
James Morris <james.l.mor...@oracle.com>
Re: [PATCH] ASN.1: check for error from ASN1_OP_END__ACT actions
On Sun, 26 Nov 2017, Eric Biggers wrote:

> Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
> Cc: <sta...@vger.kernel.org> # v3.7+
> Signed-off-by: Eric Biggers <ebigg...@google.com>

Reviewed-by: James Morris <james.l.mor...@oracle.com>

--
James Morris <james.l.mor...@oracle.com>
Re: [GIT PULL] KEYS: Fixes and crypto fixes
On Wed, 27 Sep 2017, Eric Biggers wrote:

> On Thu, Sep 28, 2017 at 09:14:58AM +1000, James Morris wrote:
> > On Wed, 27 Sep 2017, David Howells wrote:
> >
> > > (2) Fixing big_key to use safe crypto from Jason A. Donenfeld.
> > >
> >
> > I'm concerned about the lack of crypto review mentioned by Jason -- I
> > wonder if we can get this rewrite any more review from crypto folk.
> >
> > Also, are there any tests for this code? If not, it would be good to make
> > some.
> >
>
> There is a test for the big_key key type in the keyutils test suite. I also
> manually tested Jason's change. And as far as I can tell there isn't
> actually a whole lot to test besides adding a big_key larger than
> BIG_KEY_FILE_THRESHOLD bytes, reading it back, and verifying that the data
> is unchanged --- since that covers the code that was changed. An earlier
> version of the patch produced a warning with CONFIG_DEBUG_SG=y since it put
> the aead_request on the stack, but that's been fixed.
>

Ok, thanks a lot.

> It would be great if someone else would comment on the crypto too, but for
> what it's worth I'm satisfied with the crypto changes. GCM is a much better
> choice than ECB as long as we don't repeat (key, IV) pairs --- which we
> don't. And in any case ECB mode makes no sense in this context; you'd need
> a *very* good reason to actually choose to encrypt something with ECB mode.
> Unfortunately it tends to be a favorite of people who don't understand
> encryption modes...

Adding Herbert.

--
James Morris <jmor...@namei.org>
Re: [GIT PULL] KEYS: Fixes and crypto fixes
On Wed, 27 Sep 2017, David Howells wrote:

> (2) Fixing big_key to use safe crypto from Jason A. Donenfeld.
>

I'm concerned about the lack of crypto review mentioned by Jason -- I wonder if we can get this rewrite any more review from crypto folk.

Also, are there any tests for this code? If not, it would be good to make some.

--
James Morris <jmor...@namei.org>
[ANNOUNCE] Linux Security Summit 2017 - CFP
==
ANNOUNCEMENT AND CALL FOR PARTICIPATION

LINUX SECURITY SUMMIT 2017

14-15 September
LOS ANGELES, USA
==

DESCRIPTION

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

LSS this year will be co-located with the Open Source Summit and the Linux Plumbers Conference.

The program committee currently seeks proposals for:

* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:

* Kernel self-protection
* Access control
* Cryptography and key management
* Integrity control
* Hardware Security
* IoT and embedded security
* Virtualization and containers
* System-specific system hardening
* Case studies
* Security tools
* Security UX
* Emerging technologies, threats & techniques

Proposals should be submitted via:

http://events.linuxfoundation.org/events/linux-security-summit/program/cfp

DATES

* CFP Close: June 5, 2017
* CFP Notifications: June 12, 2017
* Schedule Announced: June 19, 2017
* Slide Submission: August 31, 2017

WHO SHOULD ATTEND

We're seeking a diverse range of attendees, and welcome participation by people involved in Linux security development, operations, and research.

The LSS is a unique global event which provides the opportunity to present and discuss your work or research with key Linux security community members and maintainers. It’s also useful for those who wish to keep up with the latest in Linux security development, and to provide input to the development process.

WEB SITE

http://events.linuxfoundation.org/events/linux-security-summit

TWITTER

For event updates and announcements, follow:

https://twitter.com/LinuxSecSummit

PROGRAM COMMITTEE

The program committee for LSS 2017 is:

* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Elena Reshetova, Intel
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM
* David A. Wheeler, Institute for Defense Analyses

The program committee may be contacted as a group via email:

lss-pc () lists.linuxfoundation.org
Re: [PATCH] KEYS: Add placeholder for KDF usage with DH
On Tue, 31 May 2016, David Howells wrote:

> Hi James,
>
> > Could you pass this along to Linus as soon as possible, please? This
> > alters a new keyctl function added in the current merge window to allow for
> > a future extension planned for the next merge window.
>
> Is this likely to go to Linus before -rc2? If not, we'll need to do things
> differently.

It should be ok, I'll see how it goes with Linus.

--
James Morris <jmor...@namei.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
[ANNOUNCE] Linux Security Summit 2016 - CFP
==
ANNOUNCEMENT AND CALL FOR PARTICIPATION

LINUX SECURITY SUMMIT 2016

25-26 AUGUST
TORONTO, CANADA
==

DESCRIPTION

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Discussion topics
* Subsystem reports
* Breakout development sessions

WEB SITE

http://events.linuxfoundation.org/events/linux-security-summit

TWITTER

For event updates and announcements, follow:

https://twitter.com/LinuxSecSummit

DATES / LOCATION

The Linux Security Summit for 2016 will be held August 25th and 26th in Toronto, Canada. It will be co-located with LinuxCon.

The Linux Security Summit CFP is now open, and will close on June 10th.

Accepted speakers will be notified by June 17th.

WHO SHOULD ATTEND

We're seeking a diverse range of attendees, and welcome participation by people involved in Linux security development, operations, and research.

The LSS is a unique global event which provides the opportunity to present and discuss your work or research with key Linux security community members and maintainers. It’s also useful for those who wish to keep up with the latest in Linux security development, and to provide input to the development process.

CALL FOR PARTICIPATION

The program committee currently seeks proposals for:

* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. One-page abstracts are encouraged.
* Discussion Topics: 30 minutes in length.

Topic areas include, but are not limited to:

* Kernel self-protection
* Access control
* Cryptography and key management
* Integrity control
* Hardware security
* Trust systems
* Storage and file systems
* Virtualization and containers
* Case studies
* Identity management
* Code analysis
* Security analytics
* Secure development and operational practices
* Emerging technologies, threats & techniques

Proposals should be submitted via the event web site:

http://events.linuxfoundation.org/events/linux-security-summit/program/cfp

PROGRAM COMMITTEE

The Linux Security Summit for 2016 is organized by:

* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Elena Reshetova, Intel
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email:

lss...@lists.linuxfoundation.org
Re: [GIT PULL] KEYS: Miscellaneous bits for security/next
On Fri, 4 Mar 2016, David Howells wrote:

> Hi James,
>
> Could you pull this into security/next, please?
>

Done.

--
James Morris <jmor...@namei.org>
Re: [PATCH v4] keys, trusted: select hash algorithm for TPM2 chips
On Thu, 5 Nov 2015, Jarkko Sakkinen wrote:

> v4:
>
> * Added missing select CRYPTO_HASH_INFO in drivers/char/tpm/Kconfig
>
> Signed-off-by: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com>

Reviewed-by: James Morris <james.l.mor...@oracle.com>

--
James Morris <jmor...@namei.org>
Re: [GIT PULL] Move cert handling to certs/ directory
On Mon, 24 Aug 2015, David Howells wrote:

> Hi James,
>
> Sorry for the late request, but can you pull this please?
>
> It's a set of commits that puts a bit of polish on the previous module
> signing patches.
>
> It moves the certificate handling to its own directory rather than sharing
> in the kernel/ directory. It then moves key generation into the certs/
> directory rather than doing it in the root. This allows us to simplify the
> kernel/Makefile and slightly simplify the new certs/Makefile. It also keeps
> the various generated files in the same place to make them easier to find
> and clean up.

Pulled to my next branch, thanks.

- James
--
James Morris
jmor...@namei.org
Re: [PATCH 1/4] ASN.1: Fix handling of CHOICE in ASN.1 compiler
On Wed, 5 Aug 2015, David Howells wrote:

> Fix the handling of CHOICE types in the ASN.1 compiler to make SEQUENCE and
> SET elements in a CHOICE be correctly rendered as skippable and conditional
> as appropriate.

What are the security implications of these bugs?

It's pretty late in the -rc cycle.

--
James Morris
jmor...@namei.org
[CFP] Reminder: Linux Security Summit 2015 CFP closes this Friday 5th June
Just a reminder to folk who've done interesting things in Linux security this year, the CFP for LSS 2015 is open until this Friday, 5th June.

See the following link for details:

http://kernsec.org/wiki/index.php/Linux_Security_Summit_2015

This is not just for kernel developers, or even developers -- any interesting/novel application of Linux security or research is welcome. We're also looking for round-table discussion topics, and people to lead those discussions.

Get your proposals in soon!

- James
--
James Morris
jmor...@namei.org
Re: [GIT PULL] Keyrings: PKCS#7 fixup
On Fri, 25 Jul 2014, David Howells wrote:

> Hi James,
>
> Here's a fixup for the problem that Stephen spotted.
>
> David
> ---
> The following changes since commit 633706a2ee81637be37b6bc02c5336950cc163b5:
>
>   Merge branch 'keys-fixes' into keys-next (2014-07-22 21:55:45 +0100)
>
> are available in the git repository at:
>
>   git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/keys-next-20140725
>
> for you to fetch changes up to 8f3438ccea149647ad1849651d1e14c7b8b85e63:
>
>   PKCS#7: Missing inclusion of linux/err.h (2014-07-25 11:33:53 +0100)

Thanks, pulled.

--
James Morris
jmor...@namei.org
Re: [GIT PULL] Keyrings and asymmetric keys patches for 3.17
On Tue, 22 Jul 2014, David Howells wrote:

> I have a number of sets of patches for you to pull. I've git-merged them
> together into a single branch (keys-next) as there are some conflicts and
> tagged the end.

Pulled, thanks.

--
James Morris
jmor...@namei.org
[ANNOUNCE] Linux Security Summit 2013 - CFP
==
ANNOUNCEMENT AND CALL FOR PARTICIPATION

LINUX SECURITY SUMMIT 2013

19-20 SEPTEMBER
NEW ORLEANS, USA
==

DESCRIPTION

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Subsystem reports
* Breakout development sessions

WEB SITE

http://kernsec.org/wiki/index.php/Linux_Security_Summit_2013

DATES / LOCATION

The Linux Security Summit for 2013 will be held across 19 and 20 September in New Orleans, USA. It will be co-located with LinuxCon, as well as Linux Plumbers.

Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the LinuxCon site for details on registration, travel, and accommodation:

https://events.linuxfoundation.org/events/linuxcon

The Linux Security Summit CFP is now open, and will close on 14th June.

Accepted speakers will be notified by 21st of June.

WHO SHOULD ATTEND

The event is open to all registered LinuxCon attendees. You do not have to be a security person to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users.

CALL FOR PARTICIPATION

The program committee currently seeks proposals for:

* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.

Topic areas include, but are not limited to:

* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at:

lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

PROGRAM COMMITTEE

The Linux Security Summit for 2013 is organized by:

* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Quark Security
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM

The program committee may be contacted as a group via email:

lss-pc (_at_) ext.namei.org
Re: [PATCH 14/16] X.509: Add an ASN.1 decoder
On Tue, 18 Sep 2012, Alan Cox wrote:

> On Tue, 18 Sep 2012 18:34:12 +0100
> David Howells dhowe...@redhat.com wrote:
>
> > Alan Cox a...@lxorguk.ukuu.org.uk wrote:
> >
> > > Why do this in the kernel. That appears to be completely insane.
> >
> > A number of reasons:
> >
> >  (1) The UEFI signature/key database may contain ASN.1 X.509 certificates
> >      and we may need to use those very early in the boot process, during
> >      initrd.
>
> Ok that makes some sense.

I'd like to see some serious effort at code review and testing before this code is merged.

- James
--
James Morris
jmor...@namei.org
[ANN] Linux Security Summit 2012 - Announcement and CFP
==
ANNOUNCEMENT AND CALL FOR PARTICIPATION

LINUX SECURITY SUMMIT 2012

SAN DIEGO, CA, USA
==

DESCRIPTION

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Refereed presentations
* Short talks
* Roundtable discussions
* Breakout development sessions

WEB SITE

http://kernsec.org/wiki/index.php/Linux_Security_Summit_2012

DATES / LOCATION

The Linux Security Summit for 2012 will be held across 30 and 31 August in San Diego, CA, USA. It will be co-located with LinuxCon[1], as well as Linux Plumbers and the Kernel Summit.

Note that Linux Security Summit attendees and speakers must be registered to attend LinuxCon. See the LinuxCon site for details on registration, travel, and accommodation:

https://events.linuxfoundation.org/events/linuxcon

The Linux Security Summit CFP is now open, and will close on 23rd of May.

Accepted speakers will be notified by 1st of June.

WHO SHOULD ATTEND

The event is open to all registered LinuxCon attendees. You do not have to be a security person to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users.

CALL FOR PARTICIPATION

The program committee currently seeks proposals for:

* Refereed Presentations: 45 minutes in length, including at least 10 minutes of discussion. Papers are encouraged.
* Short Talks: 30 minutes in length, discussion-oriented. Slides should be minimal.
* Roundtable Discussion Topics

Topic areas include, but are not limited to:

* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at:

lss-pc (_at_) ext.namei.org

Abstracts should be approximately 150 words in total.

PROGRAM COMMITTEE

The Linux Security Summit for 2012 is organized by:

* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Joshua Brindle, Tresys
* Tetsuo Handa, NTT Data
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel

The program committee may be contacted as a group via email:

lss-pc (_at_) ext.namei.org

REFERENCES

[1] https://events.linuxfoundation.org/events/linuxcon
Re: [Keyrings] [RFC][PATCH 00/16] Crypto keys and module signing [ver #2]
On Mon, 5 Dec 2011, David Howells wrote:

> However, we don't have to include the DSA stuff in the kernel; I can always
> discard that patch from the upstream-aimed patchset.

I'd encourage dropping DSA, as there appears to be no legacy justification for its inclusion.

- James
--
James Morris
jmor...@namei.org
Re: [PATCH v2.2 1/7] crypto: GnuPG based MPI lib - source files (part 1)
On Mon, 21 Nov 2011, Kasatkin, Dmitry wrote:

> It can be easily split into 2 commits and one of them would not comply
> with mailing list limits.
>
> James, should I do anything about it?

No, it's in my public tree now.

- James
--
James Morris
jmor...@namei.org
Re: [PATCH v2.1 4/7] crypto: GnuPG based MPI lib - additional sources (part 4)
On Mon, 17 Oct 2011, Kasatkin, Dmitry wrote:

> It is there for completeness and it will not be even compiled at all
> without CONFIG_MPILIB_EXTRA
>
> Still remove?

Yes, please.

--
James Morris
jmor...@namei.org
Re: [PATCH v2.1 4/7] crypto: GnuPG based MPI lib - additional sources (part 4)
On Fri, 14 Oct 2011, Dmitry Kasatkin wrote: +#if 0/* not yet ported to MPI */ + +mpi_limb_t +mpihelp_udiv_w_sdiv(mpi_limp_t *rp, + mpi_limp_t *a1, mpi_limp_t *a0, mpi_limp_t *d) Drop this if it's not working. -- James Morris jmor...@namei.org
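Review bot: in the `#if 0` block, mpihelp_udiv_w_sdiv() is declared to return mpi_limb_t while all four parameters are typed mpi_limp_t, so the function would not build if the guard were lifted. Since the block is marked "not yet ported to MPI", leave it out of the patch rather than carrying dead code, and fix the type name if it is ported later.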
Re: [RFC v2.1 0/6] evm: digital signature verification extension
On Thu, 29 Sep 2011, Herbert Xu wrote:

> Well if James is OK with adding the user for this then I'm fine with
> adding the necessary infrastructure.

Are you happy with the API?

--
James Morris
jmor...@namei.org
Re: [RFC v2.1 0/6] evm: digital signature verification extension
On Mon, 26 Sep 2011, Kasatkin, Dmitry wrote:

> It seems nobody wants to share their thoughts about it?
> Does this silence mean acceptance?
> Should I prepare final patches for merge?

Not yet.

I'd like to hear what the crypto folk think about the crypto.

--
James Morris
jmor...@namei.org
Re: [RFC v1.1 1/5] crypto: GnuPG based MPI lib
On Thu, 11 Aug 2011, Dmitry Kasatkin wrote:

> From: Dmitry Kasatkin dmitry.kasat...@nokia.com
>
> Adds the multi-precision-integer maths library which was originally taken
> from GnuPG and ported to the kernel by (among others) David Howells.
> This version is taken from Fedora kernel 2.6.32-71.14.1.el6.

First thing -- this code needs to be formatted using kernel coding style.

- James
--
James Morris
jmor...@namei.org
Re: [RFC v1.1 2/5] crypto: ksign - digital signature verification support
On Thu, 11 Aug 2011, Dmitry Kasatkin wrote: +static int ksign_verify_rsa(struct key *key, + const char *sig, int siglen, +const char *h, int hlen) +{ + int err = -ENOMEM; + unsigned long len; + unsigned long mlen, mblen; + unsigned nret, l; + int valid, head, i; + unsigned char *out1 = NULL, *out2 = NULL; + MPI in = NULL, res = NULL, pkey[2]; + uint8_t *p, *datap, *endp; + struct user_key_payload *ukp; + struct pubkey_hdr *pkh; + + down_read(key-sem); + ukp = key-payload.data; + pkh = (struct pubkey_hdr *)ukp-data; + + if (pkh-version != 1) + return -EINVAL; + + if (pkh-algo != PUBKEY_ALGO_RSA) + return -EINVAL; Are you supposed to be still holding key-sem here? -- James Morris jmor...@namei.org
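Review bot: in ksign_verify_rsa(), the key payload is cast to struct pubkey_hdr and the version and algo fields are read with no visible check that the payload is at least sizeof(*pkh) bytes long; compare ukp->datalen against the header size before dereferencing pkh. Both early `return -EINVAL` statements also come after down_read() on the key semaphore with no matching up_read(), so set err and jump to a common exit label that releases it.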
Re: [RFC v1.1 3/5] evm: digital signature support
On Thu, 11 Aug 2011, Dmitry Kasatkin wrote:

From: Dmitry Kasatkin dmitry.kasat...@nokia.com

When building an image, which has to be flashed to different devices, an HMAC cannot be used to sign file metadata, as the HMAC key is different on every device. File metadata can be protected using digital signature. This patch enables RSA signature based integrity verification.

This description (also the kconfig text) is not very clear. Perhaps start with what the feature does rather than what the lack of it doesn't.

--
James Morris
jmor...@namei.org
[ANN] Linux Security Summit 2011 - Announcement and CFP
== ANNOUNCEMENT AND CALL FOR PARTICIPATION LINUX SECURITY SUMMIT 2011 - SANTA ROSA ==

DESCRIPTION

The Linux Security Summit is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Selected brief presentations
* Lightning talks
* Q&A panel sessions

WEB SITE

https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2011

DATES / LOCATION

The Linux Security Summit for 2011 will be held on the 8th of September in Santa Rosa, CA, USA. It will be co-located with Linux Plumbers Conference (LPC) [1].

Note that Linux Security Summit attendees and speakers must be registered to attend LPC. See the LPC site for details on registration, travel, and accommodation: http://www.linuxplumbersconf.org/2011/

The Linux Security Summit CFP is now open, and will close on 27th of May. Accepted speakers will be notified by 1st of June.

WHO SHOULD ATTEND

The event is open to all registered LPC attendees. You do not have to be a security person to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users.

There will be several panel sessions in addition to brief, selected presentations, with a strong focus on discussion.

CALL FOR PARTICIPATION

The program committee currently seeks proposals for:

Presentations: Brief technical talks in 30 minute slots, including at least 10 minutes of discussion (i.e. the maximum length of the presentation alone is 20 minutes). Papers are encouraged, and slides should be minimal. Presentation abstracts should be approximately 150 words in length.

Panel discussion topics: If you'd like to see an issue discussed in a Q&A style panel, send it in. Note that this may result in you volunteering to participate in a panel.

Topic areas include, but are not limited to:

* System hardening
* Access control
* Cryptography
* Integrity control
* Hardware security
* Networking
* Storage
* Virtualization
* Desktop
* Tools
* Management
* Case studies
* Emerging technologies, threats & techniques

Proposals should be submitted in plain text via email to the program committee at: lss-pc (_at_) ext.namei.org

MAILING LIST

Everyone planning to attend should join the event mailing list: https://ext.namei.org/mailman/listinfo/linux-security-summit

Updates and announcements about the event will also be sent to the list.

PROGRAM COMMITTEE

The Linux Security Summit for 2011 is organized by:

* James Morris, Red Hat
* Serge Hallyn, Canonical
* Paul Moore, HP
* Stephen Smalley, NSA
* Joshua Brindle, Tresys
* Tetsuo Handa, NTT Data
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Canonical
* Casey Schaufler, Smack Project

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org

REFERENCES

[1] Linux Plumbers Conference http://www.linuxplumbersconf.org/2011/
Re: [PATCH v1.5 0/5] keys: trusted and encrypted keys
On Tue, 23 Nov 2010, Mimi Zohar wrote:

Mimi Zohar (5):
  lib: hex2bin converts ascii hexadecimal string to binary
  tpm: add module_put wrapper
  key: add tpm_send command
  keys: add new trusted key-type
  keys: add new key-type encrypted

Applied to git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next

--
James Morris
jmor...@namei.org
Re: [PATCH 2/2] keys: added cleanup code for trusted and encrypted key types
On Thu, 7 Oct 2010, Mimi Zohar wrote:

Thanks for catching this! This patch applies cleanly to the trusted/encrypted patch set posted today.

thanks,

Acked-by: Mimi Zohar zo...@us.ibm.com

It's probably best if you incorporate these fixes into your patches, so we don't commit known-broken code into the tree.

--
James Morris
jmor...@namei.org
[ANNOUNCE] Linux Security Summit 2010 - Schedule Published
== LINUX SECURITY SUMMIT 2010 (BOSTON) PROGRAM SCHEDULE ==

SUMMARY

This is to announce the program schedule for the upcoming Linux Security Summit [1], to be held on Monday 9th August in Boston in conjunction with LinuxCon [2].

Following a round of voting by the Program Committee, the following proposals were selected as main talks:

* Recent Advances in the SELinux Sandbox
  Dan Walsh, Red Hat
* in ur webserver, writin ur logs
  Joshua Brindle, Tresys
* Integrating Security into Vyatta
  Stephen Hemminger, Vyatta
* MSF Security Framework Overview
  Elena Reshetova, Nokia
* Access Control in the MSF Security Framework
  Janne Karhunen, Nokia
* Linux Security in 10 Years
  Brad Spengler, grsecurity
* Using EVM to protect security extended attributes
  Mimi Zohar, IBM
* Secstate: Integrating SCAP and Puppet for System Lockdown
  Karl MacMillan, Tresys
* Widely Used But Out-Of-Tree
  Kees Cook, Canonical
* Linux Security Usability
  Z. Cliffe Schreuders, Murdoch University
* System Security Services Daemon (SSSD)
  Stephen Gallagher, Red Hat

We will also hold a panel session, kicking off with a discussion on The Viability of a Standard Linux Security API, followed by open Q&A and lightning talks.

Full details of the program, including abstracts, may be found at: https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010/Schedule

EVENT DESCRIPTION

The Linux Security Summit is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The format of the summit will be:

* Selected brief presentations
* Lightning talks
* Q&A panel sessions

DATES / LOCATION

The Linux Security Summit for 2010 will be held on the 9th of August in Boston, USA. It will be co-located with LinuxCon [2], at the Renaissance Boston Waterfront.

Note that Linux Security Summit attendees must be registered to attend LinuxCon. See the LinuxCon site for details on registration, travel, and accommodation. http://events.linuxfoundation.org/events/linuxcon

WHO SHOULD ATTEND

The event is open to all registered LinuxCon attendees. You do not have to be a security person to attend -- we're seeking a diverse range of attendees, and welcome the participation of general developers, researchers, operations, and end-users.

There will be panel and lightning talks sessions in addition to brief, selected presentations, with a strong focus on discussion. Lightning talks and discussion panel agendas will be coordinated closer to the event on the event mailing list, and on-site.

MAILING LIST

Everyone planning to attend should join the event mailing list: https://ext.namei.org/mailman/listinfo/linux-security-summit

Coordination of panel discussions and lightning talks will occur on the list. Updates and announcements about the event will also be sent to the list.

WEB SITE

Please also note the Linux Security Summit web site: https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010 which will be kept updated with all available information on the event.

PROGRAM COMMITTEE

The Linux Security Summit for 2010 is organized by:

* James Morris, Red Hat
* Serge Hallyn, IBM
* Paul Moore, HP
* Stephen Smalley, NSA
* Joshua Brindle, Tresys
* Tetsuo Handa, NTT Data
* Herbert Xu, Red Hat
* John Johansen, Canonical
* Kees Cook, Canonical
* Casey Schaufler, Smack Project

The program committee may be contacted as a group via email: lss-pc (_at_) ext.namei.org

REFERENCES

[1] LSS 2010: https://security.wiki.kernel.org/index.php/LinuxSecuritySummit2010
[2] LinuxCon: http://events.linuxfoundation.org/events/linuxcon

==