Re: [GIT PULL] linux-integrity changes for 4.5
On Mon, 21 Dec 2015, Mimi Zohar wrote: > Hi James, > > Lots of changes this time. This pull request adds support, by Dmitry > Kasatkin, for: making the EVM keyring a trusted keyring, such that only > keys signed by a key on the system keyring can be loaded onto the EVM > keyring, loading the EVM keys onto the EVM trusted keyring by the > kernel, enabling EVM when either the x509 or symmetric keys are > available and loading the EVM symmetric key from hardware. > > As described by Mark Baushke and Petko Manalov at LSS 2015 in their talk > "IMA/EVM: Real Applications for Embedded Networking Systems", this pull > request includes support for two new IMA trusted keyrings named .ima_mok > and .ima_blacklist. Keys being loaded on either the EVM or IMA trusted > keyrings can be validated against either the system trusted keyring or > the intermediary .ima_mok keyring and prevented from being loaded if on > the .ima_blacklist keyring. > > Lastly, support for extending and displaying the IMA policy. > Applied. -- James Morris -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[GIT PULL] linux-integrity changes for 4.5
Hi James, Lots of changes this time. This pull request adds support, by Dmitry Kasatkin, for: making the EVM keyring a trusted keyring, such that only keys signed by a key on the system keyring can be loaded onto the EVM keyring, loading the EVM keys onto the EVM trusted keyring by the kernel, enabling EVM when either the x509 or symmetric keys are available and loading the EVM symmetric key from hardware. As described by Mark Baushke and Petko Manalov at LSS 2015 in their talk "IMA/EVM: Real Applications for Embedded Networking Systems", this pull request includes support for two new IMA trusted keyrings named .ima_mok and .ima_blacklist. Keys being loaded on either the EVM or IMA trusted keyrings can be validated against either the system trusted keyring or the intermediary .ima_mok keyring and prevented from being loaded if on the .ima_blacklist keyring. Lastly, support for extending and displaying the IMA policy. Thanks! Mimi The following changes since commit ebd68df3f24b318d391d15c458d6f43f340ba36a: Sync to Linus v4.4-rc2 for LSM developers. (2015-11-23 22:46:28 +1100) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next for you to fetch changes up to 92cc916638a48f285736cd5541536e2e1b73ecf8: security/integrity: make ima/ima_mok.c explicitly non-modular (2015-12-15 10:01:43 -0500) Arnd Bergmann (1): evm: EVM_LOAD_X509 depends on EVM Dmitry Kasatkin (5): integrity: define '.evm' as a builtin 'trusted' keyring evm: load an x509 certificate from the kernel evm: enable EVM when X509 certificate is loaded evm: provide a function to set the EVM key from the kernel evm: reset EVM status when file attributes change Mimi Zohar (3): KEYS: prevent keys from being removed from specified keyrings IMA: prevent keys on the .ima_blacklist from being removed ima: update appraise flags after policy update completes Paul Gortmaker (1): security/integrity: make ima/ima_mok.c explicitly non-modular Petko Manolov (3): IMA: policy can now be updated multiple times IMA: create machine owner and blacklist keyrings IMA: allow reading back the current IMA policy crypto/asymmetric_keys/x509_public_key.c | 2 + include/keys/system_keyring.h| 24 +++ include/linux/evm.h | 7 + include/linux/key.h | 1 + security/integrity/Kconfig | 11 ++ security/integrity/digsig.c | 14 +- security/integrity/digsig_asymmetric.c | 14 ++ security/integrity/evm/Kconfig | 17 ++ security/integrity/evm/evm.h | 3 + security/integrity/evm/evm_crypto.c | 54 +- security/integrity/evm/evm_main.c| 32 +++- security/integrity/evm/evm_secfs.c | 12 +- security/integrity/iint.c| 1 + security/integrity/ima/Kconfig | 44 - security/integrity/ima/Makefile | 1 + security/integrity/ima/ima.h | 23 ++- security/integrity/ima/ima_fs.c | 42 - security/integrity/ima/ima_init.c| 2 +- security/integrity/ima/ima_mok.c | 55 ++ security/integrity/ima/ima_policy.c | 293 +++ security/integrity/integrity.h | 13 +- security/keys/key.c | 6 +- security/keys/keyctl.c | 56 -- 23 files changed, 643 insertions(+), 84 deletions(-) create mode 100644 security/integrity/ima/ima_mok.c -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html