Re: [Linux-ima-devel] [PATCH 1/7] ima: on soft reboot, restore the measurement list

2016-08-10 Thread Petko Manolov
On 16-08-10 14:40:13, David Laight wrote: > From: Linuxppc-dev > [mailto:linuxppc-dev-bounces+david.laight=aculab@lists.ozlabs.org] On > Behalf Of > > > > So given what you have above, you'd use something like: > > > > > > > > struct ima_kexec_hdr { > > > > u16 version; > > > >

Re: [Linux-ima-devel] [PATCH 1/7] ima: on soft reboot, restore the measurement list

2016-08-10 Thread Petko Manolov
On 16-08-10 08:54:36, Mimi Zohar wrote: > On Wed, 2016-08-10 at 19:52 +1000, Michael Ellerman wrote: > > Thiago Jung Bauermann writes: > > > > > Am Mittwoch, 10 August 2016, 13:41:08 schrieb Michael Ellerman: > > >> Thiago Jung Bauermann

Re: [PATCH 1/7] ima: on soft reboot, restore the measurement list

2016-08-05 Thread Petko Manolov
On 16-08-05 09:34:38, Mimi Zohar wrote: > Hi Petko, > > Thank you for review! > > On Fri, 2016-08-05 at 11:44 +0300, Petko Manolov wrote: > > On 16-08-04 08:24:29, Mimi Zohar wrote: > > > The TPM PCRs are only reset on a hard reboot. In order to validate a > >

Re: [PATCH 1/7] ima: on soft reboot, restore the measurement list

2016-08-05 Thread Petko Manolov
On 16-08-04 08:24:29, Mimi Zohar wrote: > The TPM PCRs are only reset on a hard reboot. In order to validate a > TPM's quote after a soft reboot (eg. kexec -e), the IMA measurement list > of the running kernel must be saved and restored on boot. This patch > restores the measurement list. > >

Re: [PATCH v3 20/22] ima: load policy using path

2016-02-08 Thread Petko Manolov
On 16-02-08 09:58:16, Dmitry Kasatkin wrote: > > > From: Petko Manolov [pet...@mip-labs.com] > Sent: Sunday, February 07, 2016 9:59 PM > To: Mimi Zohar > Cc: linux-security-mod...@vger.kernel.org; Luis R. Rodriguez; > kexec@lists.infr

Re: [PATCH v3 20/22] ima: load policy using path

2016-02-08 Thread Petko Manolov
On 16-02-08 16:12:16, Mimi Zohar wrote: > On Mon, 2016-02-08 at 10:45 +, Dmitry Kasatkin wrote: > > > > > @@ -286,9 +322,12 @@ static ssize_t ima_write_policy(struct file *file, > > > > const char __user *buf, > > > > result = mutex_lock_interruptible(_write_mutex); > > > > if

Re: [PATCH v3 22/22] ima: require signed IMA policy

2016-02-07 Thread Petko Manolov
On 16-02-03 14:06:30, Mimi Zohar wrote: > Require the IMA policy to be signed when additional rules can be added. > > v1: > - initialize the policy flag > - include IMA_APPRAISE_POLICY in the policy flag > > Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> A

Re: [PATCH v3 21/22] ima: measure and appraise the IMA policy itself

2016-02-07 Thread Petko Manolov
On 16-02-03 14:06:29, Mimi Zohar wrote: > Add support for measuring and appraising the IMA policy itself. > > Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Acked-by: Petko Manolov <pet...@mip-labs.com> > --- > security/integrity/ima/ima.h| 2 +

Re: [PATCH v3 20/22] ima: load policy using path

2016-02-07 Thread Petko Manolov
On 16-02-03 14:06:28, Mimi Zohar wrote: > From: Dmitry Kasatkin > > We currently cannot do appraisal or signature vetting of IMA policies > since we currently can only load IMA policies by writing the contents > of the policy directly in, as follows: > > cat policy-file

Re: [PATCH v3 19/22] ima: support for kexec image and initramfs

2016-02-07 Thread Petko Manolov
> }; > > Option 3: incorportate the ima_hooks enumeration into kernel_read_file_id, > perhaps changing the enumeration name. > > For now, duplicate the new READING_KEXEC_IMAGE/INITRAMFS in ima_hooks. > > Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Option 3 seems

Re: [PATCH v3 02/22] ima: refactor ima_policy_show() to display "ima_hooks" rules

2016-02-07 Thread Petko Manolov
On 16-02-03 14:06:10, Mimi Zohar wrote: > Define and call a function to display the "ima_hooks" rules. > > Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Acked-by: Petko Manolov <pet...@mip-labs.com> > --- > sec

Re: [PATCH v3 03/22] ima: use "ima_hooks" enum as function argument

2016-02-07 Thread Petko Manolov
On 16-02-03 14:06:11, Mimi Zohar wrote: > Cleanup the function arguments by using "ima_hooks" enumerator as needed. > > Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Acked-by: Petko Manolov <pet...@mip-labs.com> > --- > secur

Re: [PATCH v3 17/22] ima: remove firmware and module specific cached status info

2016-02-07 Thread Petko Manolov
cache status with a generic one named read_file. > > This change simplifies adding support for other files read by the kernel. > > Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Acked-by: Petko Manolov <pet...@mip-labs.com> > --- > security/integrity/iint.c

Re: [Linux-ima-devel] [PATCH v2 4/7] ima: measure and appraise kexec image and initramfs

2015-12-28 Thread Petko Manolov
On 15-12-28 09:42:22, Mimi Zohar wrote: > On Mon, 2015-12-28 at 16:29 +0200, Petko Manolov wrote: > > > > I kind of wonder isn't it possible to optimize the file read? If the file > > is relatively small (a few megabytes, for example) it will fit into any > > modern

Re: [Linux-ima-devel] [PATCH v2 4/7] ima: measure and appraise kexec image and initramfs

2015-12-28 Thread Petko Manolov
On 15-12-28 07:51:15, Mimi Zohar wrote: > On Mon, 2015-12-28 at 10:08 +0800, Dave Young wrote: > > On 12/25/15 at 09:45am, Mimi Zohar wrote: > > > IMA calculates the file hash, in this case, based on the buffer > > > contents. The hash is calculated once and used for both measurement > > > and