Re: [PATCH v7 7/8] ima: check against blacklisted hashes for files with modsig

2019-10-19 Thread Nayna
Hi Mimi, On 10/11/2019 09:19 AM, Mimi Zohar wrote: On Mon, 2019-10-07 at 21:14 -0400, Nayna Jain wrote: Asymmetric private keys are used to sign multiple files. The kernel currently supports checking against the blacklisted keys. However, if the public key is blacklisted, any file signed by

Re: [PATCH v7 4/8] powerpc/ima: add measurement rules to ima arch specific policy

2019-10-19 Thread Nayna
Hi Michael, On 10/15/2019 07:29 AM, Michael Ellerman wrote: Nayna Jain writes: This patch adds the measurement rules to the arch specific policies on trusted boot enabled systems. Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar --- arch/powerpc/kernel/ima_arch.c | 45

[PATCH v8 3/8] powerpc: detect the trusted boot state of the system

2019-10-19 Thread Nayna Jain
state is used to conditionally enable additional measurement rules in the IMA arch-specific policies. Signed-off-by: Nayna Jain --- arch/powerpc/include/asm/secure_boot.h | 6 ++ arch/powerpc/kernel/secure_boot.c | 24 2 files changed, 30 insertions(+) diff

[PATCH v8 5/8] ima: make process_buffer_measurement() generic

2019-10-19 Thread Nayna Jain
retrieve the policy defined pcr and template based on the func. Signed-off-by: Nayna Jain --- security/integrity/ima/ima.h | 3 ++ security/integrity/ima/ima_main.c | 51 --- 2 files changed, 36 insertions(+), 18 deletions(-) diff --git a/security/integrity/ima/ima.h b

[PATCH v8 1/8] powerpc: detect the secure boot mode of the system

2019-10-19 Thread Nayna Jain
This patch defines a function to detect the secure boot state of a PowerNV system. The PPC_SECURE_BOOT config represents the base enablement of secure boot for powerpc. Signed-off-by: Nayna Jain --- arch/powerpc/Kconfig | 10 + arch/powerpc/include/asm/secure_boot.h

[PATCH v8 4/8] powerpc/ima: add measurement rules to ima arch specific policy

2019-10-19 Thread Nayna Jain
This patch adds the measurement rules to the arch specific policies on trusted boot enabled systems. Signed-off-by: Nayna Jain --- arch/powerpc/kernel/ima_arch.c | 34 +- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/arch/powerpc/kernel/ima_arch.c

[PATCH v8 0/8] powerpc: Enabling IMA arch specific secure boot policies

2019-10-19 Thread Nayna Jain
powerpc_sb_mode() function. * Added dependency for PPC_SECURE_BOOT on configs PPC64 and OPAL_SECVAR * Replaced obj-$(CONFIG_IMA) with obj-$(CONFIG_PPC_SECURE_BOOT) in arch/powerpc/kernel/Makefile Nayna Jain (8): powerpc: detect the secure boot mode of the system powerpc/ima: add support to initia

[PATCH v8 2/8] powerpc/ima: add support to initialize ima policy rules

2019-10-19 Thread Nayna Jain
define IMA policy rules based on the runtime secure boot mode of the system. This patch provides arch-specific IMA policies if PPC_SECURE_BOOT config is enabled. Signed-off-by: Nayna Jain --- arch/powerpc/Kconfig | 1 + arch/powerpc/kernel/Makefile | 2 +- arch/powerpc/kernel

[PATCH v8 8/8] powerpc/ima: update ima arch policy to check for blacklist

2019-10-19 Thread Nayna Jain
This patch updates the arch-specific policies for PowerNV system to make sure that the binary hash is not blacklisted. Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar --- arch/powerpc/kernel/ima_arch.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/powerpc

[PATCH v8 6/8] certs: add wrapper function to check blacklisted binary hash

2019-10-19 Thread Nayna Jain
The -EKEYREJECTED error returned by existing is_hash_blacklisted() is misleading when called for checking against blacklisted hash of a binary. This patch adds a wrapper function is_binary_blacklisted() to return -EPERM error if binary is blacklisted. Signed-off-by: Nayna Jain Reviewed-by: Mimi

[PATCH v8 7/8] ima: check against blacklisted hashes for files with modsig

2019-10-19 Thread Nayna Jain
policy option "appraise_flag=check_blacklist". Signed-off-by: Nayna Jain --- Documentation/ABI/testing/ima_policy | 1 + security/integrity/ima/ima.h | 8 +++ security/integrity/ima/ima_appraise.c | 31 +++ security/integrity/ima/ima_main.

Re: [PATCH v7 2/8] powerpc: add support to initialize ima policy rules

2019-10-17 Thread Nayna
On 10/15/2019 07:29 AM, Michael Ellerman wrote: Nayna Jain writes: PowerNV systems use a kernel-based bootloader, thus their secure boot implementation uses the kernel IMA security subsystem to verify the kernel before kexec. Since the verification policy might differ based on the secure boot mode

Re: [PATCH v6 3/9] powerpc: add support to initialize ima policy rules

2019-10-08 Thread Nayna
On 10/02/2019 05:49 PM, Mimi Zohar wrote: On Tue, 2019-10-01 at 12:07 -0400, Nayna wrote: On 09/30/2019 09:04 PM, Thiago Jung Bauermann wrote: Hello, Hi, diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c new file mode 100644 index ..39401b67f19e

[PATCH v7 4/8] powerpc/ima: add measurement rules to ima arch specific policy

2019-10-07 Thread Nayna Jain
This patch adds the measurement rules to the arch specific policies on trusted boot enabled systems. Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar --- arch/powerpc/kernel/ima_arch.c | 45 +++--- 1 file changed, 42 insertions(+), 3 deletions(-) diff --git a/arch

[PATCH v7 3/8] powerpc: detect the trusted boot state of the system

2019-10-07 Thread Nayna Jain
PowerNV systems enable the IMA measurement rules only if the trusted boot is enabled on the system. This patch adds the function to detect if the system has trusted boot enabled. Signed-off-by: Nayna Jain --- arch/powerpc/include/asm/secure_boot.h | 6 + arch/powerpc/kernel/secure_boot.c

[PATCH v7 5/8] ima: make process_buffer_measurement() generic

2019-10-07 Thread Nayna Jain
KEXEC_CMDLINE. Signed-off-by: Nayna Jain --- security/integrity/ima/ima.h | 3 +++ security/integrity/ima/ima_main.c | 29 ++--- 2 files changed, 17 insertions(+), 15 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index

[PATCH v7 2/8] powerpc: add support to initialize ima policy rules

2019-10-07 Thread Nayna Jain
implements the arch-specific support to define the IMA policy rules based on the runtime secure boot mode of the system. This patch provides arch-specific IMA policies if PPC_SECURE_BOOT config is enabled. Signed-off-by: Nayna Jain --- arch/powerpc/Kconfig | 2 ++ arch/powerpc/kernel/Makefile

[PATCH v7 7/8] ima: check against blacklisted hashes for files with modsig

2019-10-07 Thread Nayna Jain
ned-off-by: Nayna Jain --- Documentation/ABI/testing/ima_policy | 1 + security/integrity/ima/ima.h | 9 +++ security/integrity/ima/ima_appraise.c | 39 +++ security/integrity/ima/ima_main.c | 12 ++--- security/integrity/ima/ima_policy.c | 10 +--

[PATCH v7 6/8] certs: add wrapper function to check blacklisted binary hash

2019-10-07 Thread Nayna Jain
The existing is_hash_blacklisted() function returns -EKEYREJECTED error code for both the blacklisted keys and binaries. This patch adds a wrapper function is_binary_blacklisted() to check against binary hashes and returns -EPERM. Signed-off-by: Nayna Jain --- certs/blacklist.c | 9

[PATCH v7 8/8] powerpc/ima: update ima arch policy to check for blacklist

2019-10-07 Thread Nayna Jain
This patch updates the arch specific policies for PowerNV systems to add a check against blacklisted binary hashes before doing the verification. Signed-off-by: Nayna Jain --- arch/powerpc/kernel/ima_arch.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/powerpc

[PATCH v7 0/8] powerpc: Enabling IMA arch specific secure boot policies

2019-10-07 Thread Nayna Jain
h obj-$(CONFIG_PPC_SECURE_BOOT) in arch/powerpc/kernel/Makefile *** BLURB HERE *** Nayna Jain (8): powerpc: detect the secure boot mode of the system powerpc: add support to initialize ima policy rules powerpc: detect the trusted boot state of the system powerpc/ima: add measurement rules to ima arch spe

[PATCH v7 1/8] powerpc: detect the secure boot mode of the system

2019-10-07 Thread Nayna Jain
Secure boot on PowerNV defines different IMA policies based on the secure boot state of the system. This patch defines a function to detect the secure boot state of the system. The PPC_SECURE_BOOT config represents the base enablement of secureboot on POWER. Signed-off-by: Nayna Jain --- arch

[PATCH v4 4/4] powerpc: load firmware trusted keys/hashes into kernel keyring

2019-10-01 Thread Nayna Jain
trusted by firmware. Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar --- security/integrity/Kconfig| 8 ++ security/integrity/Makefile | 3 + .../integrity/platform_certs/load_powerpc.c | 86 +++ 3 files changed, 97 insertions(+) create

[PATCH v4 0/4] powerpc: expose secure variables to the kernel and userspace

2019-10-01 Thread Nayna Jain
umentation * moves sysfs code to arch/powerpc * other code related feedbacks. * adds two new patches to load keys to .platform and .blacklist keyring. These patches are added to this series as they are also dependent on OPAL APIs. Nayna Jain (4): powerpc/powernv: Add OPAL API interface to

[PATCH v4 1/4] powerpc/powernv: Add OPAL API interface to access secure variable

2019-10-01 Thread Nayna Jain
CONFIG_OPAL_SECVAR. Signed-off-by: Claudio Carvalho Signed-off-by: Nayna Jain --- arch/powerpc/include/asm/opal-api.h | 5 +- arch/powerpc/include/asm/opal.h | 8 ++ arch/powerpc/include/asm/powernv.h | 2 + arch/powerpc/include/asm/secvar.h| 35

[PATCH v4 3/4] x86/efi: move common keyring handler functions to new file

2019-10-01 Thread Nayna Jain
The handlers to add the keys to the .platform keyring and blacklisted hashes to the .blacklist keyring are common for both the uefi and powerpc mechanisms of loading the keys/hashes from the firmware. This patch moves the common code from load_uefi.c to keyring_handler.c Signed-off-by: Nayna Jain

[PATCH v4 2/4] powerpc: expose secure variables to userspace via sysfs

2019-10-01 Thread Nayna Jain
. The users shall use this interface for manipulating the keys stored in the secure variables. Signed-off-by: Nayna Jain Reviewed-by: Greg Kroah-Hartman --- Documentation/ABI/testing/sysfs-secvar | 37 + arch/powerpc/Kconfig | 10 ++ arch/powerpc/kernel/Makefile

[PATCH] sysfs: Fixes __BIN_ATTR_WO() macro

2019-10-01 Thread Nayna Jain
This patch fixes the size and write parameter for the macro __BIN_ATTR_WO(). Fixes: 7f905761e15a8 ("sysfs: add BIN_ATTR_WO() macro") Signed-off-by: Nayna Jain --- include/linux/sysfs.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/sysfs.h b/inc

Re: [PATCH] sysfs: add BIN_ATTR_WO() macro

2019-10-01 Thread Nayna
On 10/01/2019 02:16 PM, Greg Kroah-Hartman wrote: On Tue, Oct 01, 2019 at 02:08:53PM -0400, Nayna wrote: Hi Greg, On 08/26/2019 11:01 AM, Greg Kroah-Hartman wrote: This variant was missing from sysfs.h, I guess no one noticed it before. Turns out the powerpc secure variable code can use

Re: [PATCH] sysfs: add BIN_ATTR_WO() macro

2019-10-01 Thread Nayna
. Reported-by: Nayna Jain Signed-off-by: Greg Kroah-Hartman --- I'll queue this up to my tree for 5.4-rc1, but if you want to take this in your tree earlier, feel free to do so. include/linux/sysfs.h | 9 + 1 file changed, 9 insertions(+) diff --git a/include/linux/sysfs.h b/include/

Re: [PATCH v6 1/9] dt-bindings: ibm,secureboot: secure boot specific properties for PowerNV

2019-10-01 Thread Nayna
On 10/01/2019 09:33 AM, Rob Herring wrote: On Fri, Sep 27, 2019 at 10:25:52AM -0400, Nayna Jain wrote: PowerNV represents both the firmware and Host OS secureboot state of the system via device tree. This patch adds the documentation to give the definition of the nodes and the properties

Re: [PATCH v6 3/9] powerpc: add support to initialize ima policy rules

2019-10-01 Thread Nayna
-Identifier: GPL-2.0 +/* + * Copyright (C) 2019 IBM Corporation + * Author: Nayna Jain + */ + +#include +#include + +bool arch_ima_get_secureboot(void) +{ + return is_powerpc_os_secureboot_enabled(); +} + +/* Defines IMA appraise rules for secureboot */ +static const char *const arch_rules

[PATCH v6 8/9] ima: deprecate permit_directio, instead use appraise_flag

2019-09-27 Thread Nayna Jain
This patch deprecates the existing permit_directio flag, instead adds it as possible value to appraise_flag parameter. For eg. appraise_flag=permit_directio Signed-off-by: Nayna Jain --- Documentation/ABI/testing/ima_policy | 4 ++-- security/integrity/ima/ima_policy.c | 2 ++ 2 files changed

[PATCH v6 9/9] powerpc/ima: update ima arch policy to check for blacklist

2019-09-27 Thread Nayna Jain
This patch updates the arch specific policies for PowerNV systems to add a check against blacklisted hashes before doing the verification. Signed-off-by: Nayna Jain --- arch/powerpc/kernel/ima_arch.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/kernel

[PATCH v6 6/9] ima: make process_buffer_measurement() non static

2019-09-27 Thread Nayna Jain
handle more than just the KEXEC_CMDLINE. Signed-off-by: Nayna Jain --- security/integrity/ima/ima.h | 3 +++ security/integrity/ima/ima_main.c | 29 ++--- 2 files changed, 17 insertions(+), 15 deletions(-) diff --git a/security/integrity/ima/ima.h b/security

[PATCH v6 7/9] ima: check against blacklisted hashes for files with modsig

2019-09-27 Thread Nayna Jain
ned-off-by: Nayna Jain --- Documentation/ABI/testing/ima_policy | 1 + security/integrity/ima/ima.h | 12 + security/integrity/ima/ima_appraise.c | 35 +++ security/integrity/ima/ima_main.c | 8 -- security/integrity/ima/ima_policy.c | 10 ++--

[PATCH v6 4/9] powerpc: detect the trusted boot state of the system

2019-09-27 Thread Nayna Jain
PowerNV systems enable the IMA measurement rules only if the trusted boot is enabled on the system. This patch adds the function to detect if the system has trusted boot enabled. Signed-off-by: Nayna Jain --- arch/powerpc/include/asm/secure_boot.h | 6 ++ arch/powerpc/kernel

[PATCH v6 5/9] powerpc/ima: add measurement rules to ima arch specific policy

2019-09-27 Thread Nayna Jain
This patch adds the measurement rules to the arch specific policies for the systems with trusted boot. Signed-off-by: Nayna Jain --- arch/powerpc/kernel/ima_arch.c | 44 +++--- 1 file changed, 41 insertions(+), 3 deletions(-) diff --git a/arch/powerpc/kernel

[PATCH v6 2/9] powerpc: detect the secure boot mode of the system

2019-09-27 Thread Nayna Jain
Secure boot on PowerNV defines different IMA policies based on the secure boot state of the system. This patch defines a function to detect the secure boot state of the system. The PPC_SECURE_BOOT config represents the base enablement of secureboot on POWER. Signed-off-by: Nayna Jain --- arch

[PATCH v6 3/9] powerpc: add support to initialize ima policy rules

2019-09-27 Thread Nayna Jain
implements the arch-specific support to define the IMA policy rules based on the runtime secure boot mode of the system. This patch provides arch-specific IMA policies if PPC_SECURE_BOOT config is enabled. Signed-off-by: Nayna Jain --- arch/powerpc/Kconfig | 2 ++ arch/powerpc/kernel/Makefile

[PATCH v6 0/9] powerpc: Enabling IMA arch specific secure boot policies

2019-09-27 Thread Nayna Jain
h obj-$(CONFIG_PPC_SECURE_BOOT) in arch/powerpc/kernel/Makefile Nayna Jain (9): dt-bindings: ibm,secureboot: secure boot specific properties for PowerNV powerpc: detect the secure boot mode of the system powerpc: add support to initialize ima policy rules powerpc: detect the trusted boot state o

[PATCH v6 1/9] dt-bindings: ibm,secureboot: secure boot specific properties for PowerNV

2019-09-27 Thread Nayna Jain
PowerNV represents both the firmware and Host OS secureboot state of the system via device tree. This patch adds the documentation to give the definition of the nodes and the properties. Signed-off-by: Nayna Jain --- .../bindings/powerpc/ibm,secureboot.rst | 76

Re: [PATCH v3 2/4] powerpc: expose secure variables to userspace via sysfs

2019-08-26 Thread Nayna
On 08/26/2019 10:56 AM, Greg Kroah-Hartman wrote: On Mon, Aug 26, 2019 at 09:23:36AM -0400, Nayna Jain wrote: +static struct kobj_attribute size_attr = __ATTR_RO(size); Wait, why not just normal ATTR_RO()? Oh!! Sorry. I am not seeing this macro in sysfs.h. am I missing something

Re: [PATCH v3 2/4] powerpc: expose secure variables to userspace via sysfs

2019-08-26 Thread Nayna
On 08/26/2019 10:01 AM, Greg Kroah-Hartman wrote: On Mon, Aug 26, 2019 at 09:23:36AM -0400, Nayna Jain wrote: +static struct bin_attribute update_attr = { + .attr = {.name = "update", .mode = 0200}, + .size = VARIABLE_MAX_SIZE, + .write = update_write, +}; Ah, do

[PATCH v3 4/4] powerpc: load firmware trusted keys/hashes into kernel keyring

2019-08-26 Thread Nayna Jain
trusted by firmware. Signed-off-by: Nayna Jain --- security/integrity/Kconfig| 8 ++ security/integrity/Makefile | 3 + .../integrity/platform_certs/load_powerpc.c | 88 +++ 3 files changed, 99 insertions(+) create mode 100644 security

[PATCH v3 2/4] powerpc: expose secure variables to userspace via sysfs

2019-08-26 Thread Nayna Jain
. The users shall use this interface for manipulating the keys stored in the secure variables. Signed-off-by: Nayna Jain --- Documentation/ABI/testing/sysfs-secvar | 37 + arch/powerpc/Kconfig | 10 ++ arch/powerpc/kernel/Makefile | 1 + arch/powerpc/kernel

[PATCH v3 1/4] powerpc/powernv: Add OPAL API interface to access secure variable

2019-08-26 Thread Nayna Jain
CONFIG_OPAL_SECVAR. Signed-off-by: Claudio Carvalho Signed-off-by: Nayna Jain --- arch/powerpc/include/asm/opal-api.h | 5 +- arch/powerpc/include/asm/opal.h | 7 +- arch/powerpc/include/asm/powernv.h | 2 + arch/powerpc/include/asm/secvar.h| 35

[PATCH v3 3/4] x86/efi: move common keyring handler functions to new file

2019-08-26 Thread Nayna Jain
The handlers to add the keys to the .platform keyring and blacklisted hashes to the .blacklist keyring are common for both the uefi and powerpc mechanisms of loading the keys/hashes from the firmware. This patch moves the common code from load_uefi.c to keyring_handler.c Signed-off-by: Nayna Jain

[PATCH v3 0/4] powerpc: expose secure variables to the kernel and userspace

2019-08-26 Thread Nayna Jain
platform and .blacklist keyring. These patches are added to this series as they are also dependent on OPAL APIs. Nayna Jain (4): powerpc/powernv: Add OPAL API interface to access secure variable powerpc: expose secure variables to userspace via sysfs x86/efi: move common keyring handler func

[PATCH v2 4/4] powerpc: load firmware trusted keys into kernel keyring

2019-08-21 Thread Nayna Jain
firmware. Signed-off-by: Nayna Jain --- security/integrity/Kconfig| 9 ++ security/integrity/Makefile | 3 + .../integrity/platform_certs/load_powerpc.c | 94 +++ 3 files changed, 106 insertions(+) create mode 100644 security/integrity

[PATCH v2 3/4] x86/efi: move common keyring handler functions to new file

2019-08-21 Thread Nayna Jain
This patch moves the common code to keyring_handler.c Signed-off-by: Nayna Jain --- security/integrity/Makefile | 3 +- .../platform_certs/keyring_handler.c | 80 +++ .../platform_certs/keyring_handler.h | 35 security/integrity

[PATCH v2 1/4] powerpc/powernv: Add OPAL API interface to access secure variable

2019-08-21 Thread Nayna Jain
CONFIG_OPAL_SECVAR. Signed-off-by: Claudio Carvalho Signed-off-by: Nayna Jain --- arch/powerpc/include/asm/opal-api.h | 5 +- arch/powerpc/include/asm/opal.h | 6 ++ arch/powerpc/include/asm/secvar.h| 55 ++ arch/powerpc/kernel/Makefile

[PATCH v2 0/4] powerpc: expose secure variables to the kernel and userspace

2019-08-21 Thread Nayna Jain
's feedbacks: * adds sysfs documentation * moves sysfs code to arch/powerpc * other code related feedbacks. * adds two new patches to load keys to .platform and .blacklist keyring. These patches are added to this series as they are also dependent on OPAL APIs. Nayna Jain (4): powerpc/powernv: Ad

[PATCH v2 2/4] powerpc: expose secure variables to userspace via sysfs

2019-08-21 Thread Nayna Jain
. The users shall use this interface for manipulating the keys stored in the secure variables. Signed-off-by: Nayna Jain --- Documentation/ABI/testing/sysfs-secvar | 27 arch/powerpc/Kconfig | 9 ++ arch/powerpc/kernel/Makefile | 1 + arch/powerpc/kernel

Re: [PATCH 2/2] powerpc: expose secure variables via sysfs

2019-07-23 Thread Nayna
On 07/05/2019 02:05 AM, Michael Ellerman wrote: Hi Nayna, Hi Michael, Oliver, Nayna Jain writes: As part of PowerNV secure boot support, OS verification keys are stored and controlled by OPAL as secure variables. These need to be exposed to the userspace so that sysadmins can perform

Re: [PATCH v3 1/3] powerpc/powernv: Add OPAL API interface to get secureboot state

2019-06-14 Thread Nayna
On 06/12/2019 07:04 PM, Daniel Axtens wrote: Hi Nayna, Since OPAL can support different types of backend which can vary in the variable interpretation, a new OPAL API call named OPAL_SECVAR_BACKEND, is added to retrieve the supported backend version. This helps the consumer to know how to

Re: [PATCH 2/2] powerpc: expose secure variables via sysfs

2019-06-14 Thread Nayna
On 06/14/2019 02:34 AM, Greg Kroah-Hartman wrote: On Thu, Jun 13, 2019 at 04:50:27PM -0400, Nayna Jain wrote: As part of PowerNV secure boot support, OS verification keys are stored and controlled by OPAL as secure variables. These need to be exposed to the userspace so that sysadmins can

[PATCH 2/2] powerpc: expose secure variables via sysfs

2019-06-13 Thread Nayna Jain
the existing efi defined hooks and backend in order to maintain the compatibility with the userspace tools. Though it reuses a great deal of efi, POWER platforms do not use EFI. A new config, POWER_SECVAR_SYSFS, is defined to enable this new sysfs interface. Signed-off-by: Nayna Jain

[PATCH 1/2] powerpc/powernv: add OPAL APIs for secure variables

2019-06-13 Thread Nayna Jain
. Variable updates cannot be processed right away because the variable storage is write locked at runtime. OPAL_SECVAR_GET_SIZE: Returns size information about the variable. Signed-off-by: Claudio Carvalho Signed-off-by: Nayna Jain --- arch/powerpc/include/asm/opal-api.h | 3 + arch

[PATCH 0/2] powerpc/powernv: expose secure variables to userspace

2019-06-13 Thread Nayna Jain
specific patches[2]. [1]https://patchwork.kernel.org/cover/10882149/ [2]https://lkml.org/lkml/2019/6/11/868 [3]https://patchwork.ozlabs.org/project/skiboot/list/?series=112868 Claudio Carvalho (1): powerpc/powernv: add OPAL APIs for secure variables Nayna Jain (1): powerpc: expose secure

Re: [PATCH v3 3/3] powerpc: Add support to initialize ima policy rules

2019-06-11 Thread Nayna
On 06/11/2019 01:19 AM, Satheesh Rajendran wrote: On Mon, Jun 10, 2019 at 04:33:57PM -0400, Nayna Jain wrote: PowerNV secure boot relies on the kernel IMA security subsystem to perform the OS kernel image signature verification. Since each secure boot mode has different IMA policy

[PATCH v4 0/3] powerpc: Enabling IMA arch specific secure boot policies

2019-06-11 Thread Nayna Jain
d OPAL API interface to get secureboot state Nayna Jain (2): powerpc/powernv: detect the secure boot mode of the system powerpc: Add support to initialize ima policy rules arch/powerpc/Kconfig | 14 arch/powerpc/include/asm/opal-api.h | 4 +- arch/powerpc/i

[PATCH v4 3/3] powerpc: Add support to initialize ima policy rules

2019-06-11 Thread Nayna Jain
-specific IMA policies if PPC_SECURE_BOOT config is enabled. Signed-off-by: Nayna Jain --- arch/powerpc/Kconfig | 14 + arch/powerpc/kernel/Makefile | 1 + arch/powerpc/kernel/ima_arch.c | 54 ++ include/linux/ima.h| 3 +- 4 files

[PATCH v4 1/3] powerpc/powernv: Add OPAL API interface to get secureboot state

2019-06-11 Thread Nayna Jain
to interpret the variable. This support can be enabled using CONFIG_OPAL_SECVAR Signed-off-by: Claudio Carvalho Signed-off-by: Nayna Jain --- This patch depends on a new OPAL call that is being added to skiboot. The patch set that implements the new call has been posted to https

[PATCH v4 2/3] powerpc/powernv: detect the secure boot mode of the system

2019-06-11 Thread Nayna Jain
PowerNV secure boot defines different IMA policies based on the secure boot state of the system. This patch defines a function to detect the secure boot state of the system. Signed-off-by: Nayna Jain --- arch/powerpc/include/asm/secboot.h | 21 arch/powerpc/platforms/powernv

[PATCH v3 0/3] powerpc: Enabling IMA arch specific secure boot policies

2019-06-10 Thread Nayna Jain
pc_sb_mode() function. * Added dependency for PPC_SECURE_BOOT on configs PPC64 and OPAL_SECVAR * Replaced obj-$(CONFIG_IMA) with obj-$(CONFIG_PPC_SECURE_BOOT) in arch/powerpc/kernel/Makefile Claudio Carvalho (1): powerpc/powernv: Add OPAL API interface to get secureboot state Nayna Jain (2):

[PATCH v3 1/3] powerpc/powernv: Add OPAL API interface to get secureboot state

2019-06-10 Thread Nayna Jain
to interpret the variable. This support can be enabled using CONFIG_OPAL_SECVAR Signed-off-by: Claudio Carvalho Signed-off-by: Nayna Jain --- This patch depends on a new OPAL call that is being added to skiboot. The patch set that implements the new call has been posted to https

[PATCH v3 2/3] powerpc/powernv: detect the secure boot mode of the system

2019-06-10 Thread Nayna Jain
PowerNV secure boot defines different IMA policies based on the secure boot state of the system. This patch defines a function to detect the secure boot state of the system. Signed-off-by: Nayna Jain --- arch/powerpc/include/asm/secboot.h | 21 arch/powerpc/platforms/powernv

[PATCH v3 3/3] powerpc: Add support to initialize ima policy rules

2019-06-10 Thread Nayna Jain
-specific IMA policies if PPC_SECURE_BOOT config is enabled. Signed-off-by: Nayna Jain --- arch/powerpc/Kconfig | 14 + arch/powerpc/kernel/Makefile | 1 + arch/powerpc/kernel/ima_arch.c | 54 ++ include/linux/ima.h| 3 +- 4 files

[PATCH v2 1/3] powerpc/powernv: Add support for OPAL_SECVAR_GET

2019-04-08 Thread Nayna Jain
From: Claudio Carvalho The X.509 certificates trusted by the platform and other information required to secure boot the OS kernel are wrapped in secure variables, which are controlled by OPAL. This patch adds support to read OPAL secure variables through OPAL_SECVAR_GET call. It returns the data

[PATCH v2 2/3] powerpc/powernv: detect the secure boot mode of the system

2019-04-08 Thread Nayna Jain
PowerNV secure boot defines different IMA policies based on the secure boot state of the system. This patch defines a function to detect the secure boot state of the system. Signed-off-by: Nayna Jain --- arch/powerpc/include/asm/secboot.h | 21 + arch/powerpc/platforms/powernv

[PATCH v2 3/3] powerpc: Add support to initialize ima policy rules

2019-04-08 Thread Nayna Jain
-specific IMA policies if PPC_SECURE_BOOT config is enabled. Signed-off-by: Nayna Jain --- arch/powerpc/Kconfig | 14 + arch/powerpc/kernel/Makefile | 1 + arch/powerpc/kernel/ima_arch.c | 54 ++ include/linux/ima.h| 3 +- 4 files

[PATCH v2 0/3] powerpc: Enabling secure boot on powernv systems - Part 1

2019-04-08 Thread Nayna Jain
in get_powerpc_sb_mode() function. * Added dependency for PPC_SECURE_BOOT on configs PPC64 and OPAL_SECVAR * Replaced obj-$(CONFIG_IMA) with obj-$(CONFIG_PPC_SECURE_BOOT) in arch/powerpc/kernel/Makefile Claudio Carvalho (1): powerpc/powernv: Add support for OPAL_SECVAR_GET Nayna Jain (2

[PATCH v2a 5/7] efi: Import certificates from UEFI Secure Boot

2018-12-12 Thread Nayna Jain
Boyer Signed-off-by: David Howells Signed-off-by: Nayna Jain Acked-by: Serge Hallyn Signed-off-by: Mimi Zohar --- Changelog: v2a: - refactored uefi_blacklist_x509_tbs() and uefi_blacklist_binary() v2: - Fixed the checkpatch.pl warnings v0: - This patch replaces the loading of certificate

Re: [PATCH v2 5/7] efi: Import certificates from UEFI Secure Boot

2018-12-12 Thread Nayna Jain
On 12/12/2018 12:17 AM, James Morris wrote: On Sun, 9 Dec 2018, Nayna Jain wrote: +/* + * Blacklist an X509 TBS hash. + */ +static __init void uefi_blacklist_x509_tbs(const char *source, + const void *data, size_t len) +{ + char *hash, *p

[PATCH v2 1/7] integrity: Define a trusted platform keyring

2018-12-08 Thread Nayna Jain
e used to facilitate signature verification during kexec. Since the scope of this keyring is only the platform/firmware keys, it cannot be updated from userspace. This keyring can be enabled by setting CONFIG_INTEGRITY_PLATFORM_KEYRING. Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar Acked-by: Serge H

[PATCH v2 6/7] efi: Allow the "db" UEFI variable to be suppressed

2018-12-08 Thread Nayna Jain
: David Howells Acked-by: Nayna Jain Acked-by: Serge Hallyn --- Changelog: v0: - No changes v2: - Fixed the checkpatch.pl warnings security/integrity/platform_certs/load_uefi.c | 45 +-- 1 file changed, 35 insertions(+), 10 deletions(-) diff --git a/security/integrity

[PATCH v2 4/7] efi: Add an EFI signature blob parser

2018-12-08 Thread Nayna Jain
Howells Signed-off-by: Nayna Jain Acked-by: Serge Hallyn --- Changelog: v0: - removed the CONFIG EFI_SIGNATURE_LIST_PARSER - moved efi_parser.c from certs to security/integrity/platform_certs directory v2: - Fixed the checkpatch.pl warnings include/linux/efi.h

[PATCH v2 7/7] ima: Support platform keyring for kernel appraisal

2018-12-08 Thread Nayna Jain
-appraisal access to those original keys, now loaded on the platform keyring, needed for verifying the kernel image and initramfs signatures. Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar Acked-by: Serge Hallyn - replace 'rc' with 'xattr_len' when calling integrity_

[PATCH v2 5/7] efi: Import certificates from UEFI Secure Boot

2018-12-08 Thread Nayna Jain
x' variable. We load those certificates into the newly introduced system blacklist keyring and forbid any module signed with those from loading and forbid the use within the kernel of any key with a matching hash. This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS. Signed-off-by: Josh Bo

[PATCH v2 3/7] efi: Add EFI signature data types

2018-12-08 Thread Nayna Jain
From: Dave Howells Add the data types that are used for containing hashes, keys and certificates for cryptographic verification along with their corresponding type GUIDs. Signed-off-by: David Howells Acked-by: Nayna Jain Acked-by: Serge Hallyn --- Changelog: v0: - No changes include/linux

[PATCH v2 0/7] add platform/firmware keys support for kernel verification by IMA

2018-12-08 Thread Nayna Jain
ob parser Josh Boyer (2): efi: Import certificates from UEFI Secure Boot efi: Allow the "db" UEFI variable to be suppressed Nayna Jain (3): integrity: Define a trusted platform keyring integrity: Load certs to the platform keyring ima: Support platform

[PATCH v2 1/7] integrity: Define a trusted platform keyring

2018-12-08 Thread Nayna Jain
e used to facilitate signature verification during kexec. Since the scope of this keyring is only the platform/firmware keys, it cannot be updated from userspace. This keyring can be enabled by setting CONFIG_INTEGRITY_PLATFORM_KEYRING. Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar Acked-by: Serge H

[PATCH v2 2/7] integrity: Load certs to the platform keyring

2018-12-08 Thread Nayna Jain
The patch refactors integrity_load_x509(), making it a wrapper for a new function named integrity_add_key(). This patch also defines a new function named integrity_load_cert() for loading the platform keys. Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar Acked-by: Serge Hallyn --- security

[PATCH 7/7] ima: Support platform keyring for kernel appraisal

2018-11-25 Thread Nayna Jain
-appraisal access to those original keys, now loaded on the platform keyring, needed for verifying the kernel image and initramfs signatures. Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar --- security/integrity/ima/ima_appraise.c | 11 ++- 1 file changed, 10 insertions(+), 1 deletion

[PATCH 5/7] efi: Import certificates from UEFI Secure Boot

2018-11-25 Thread Nayna Jain
x' variable. We load those certificates into the newly introduced system blacklist keyring and forbid any module signed with those from loading and forbid the use within the kernel of any key with a matching hash. This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS. Signed-off-b

[PATCH 0/7] add platform/firmware keys support for kernel verification by IMA

2018-11-25 Thread Nayna Jain
Dave Howells (2): efi: Add EFI signature data types efi: Add an EFI signature blob parser Josh Boyer (2): efi: Import certificates from UEFI Secure Boot efi: Allow the "db" UEFI variable to be suppressed Nayna Jain (3): integrity: define a trusted platform keyring integ

[PATCH 6/7] efi: Allow the "db" UEFI variable to be suppressed

2018-11-25 Thread Nayna Jain
: David Howells Acked-by: Nayna Jain --- Changelog: v0: - No changes security/integrity/platform_certs/load_uefi.c | 44 +-- 1 file changed, 34 insertions(+), 10 deletions(-) diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs

[PATCH 4/7] efi: Add an EFI signature blob parser

2018-11-25 Thread Nayna Jain
Howells Signed-off-by: Nayna Jain --- Changelog: v0: - removed the CONFIG EFI_SIGNATURE_LIST_PARSER - moved efi_parser.c from certs to security/integrity/platform_certs directory include/linux/efi.h| 9 ++ security/integrity/Makefile| 3

[PATCH 2/7] integrity: Load certs to the platform keyring

2018-11-25 Thread Nayna Jain
The patch refactors integrity_load_x509(), making it a wrapper for a new function named integrity_add_key(). This patch also defines a new function named integrity_load_cert() for loading the platform keys. Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar --- security/integrity/digsig.c

[PATCH 3/7] efi: Add EFI signature data types

2018-11-25 Thread Nayna Jain
From: Dave Howells Add the data types that are used for containing hashes, keys and certificates for cryptographic verification along with their corresponding type GUIDs. Signed-off-by: David Howells Acked-by: Nayna Jain --- Changelog: v0: - No changes include/linux/efi.h | 25

[PATCH 1/7] integrity: Define a trusted platform keyring

2018-11-25 Thread Nayna Jain
e used to facilitate signature verification during kexec. Since the scope of this keyring is only the platform/firmware keys, it cannot be updated from userspace. This keyring can be enabled by setting CONFIG_INTEGRITY_PLATFORM_KEYRING. Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar --- securi

[PATCH v6 3/5] ima: refactor ima_init_policy()

2018-10-09 Thread Nayna Jain
From: Nayna Jain This patch removes the code duplication in ima_init_policy() by defining a new function named add_rules(). The new function adds the rules to the initial IMA policy, the custom policy or both based on the policy mask (IMA_DEFAULT_POLICY, IMA_CUSTOM_POLICY). Signed-off-by: Nayna

[PATCH v6 4/5] ima: add support for arch specific policies

2018-10-09 Thread Nayna Jain
From: Nayna Jain Builtin IMA policies can be enabled on the boot command line, and replaced with a custom policy, normally during early boot in the initramfs. Build time IMA policy rules were recently added. These rules are automatically enabled on boot and persist after loading a custom policy

[PATCH v6 5/5] x86/ima: define arch_get_ima_policy() for x86

2018-10-09 Thread Nayna Jain
oved the policy KEXEC_ORIG_KERNEL_CHECK which was defined to disable the kexec_load syscall. - arch_get_ima_policy() uses arch_ima_get_secureboot() to get secureboot state Signed-off-by: Nayna Jain Cc: David Howells Cc: Eric Biederman Cc: Peter Jones Cc: Vivek Goyal Cc: Dave Young --- arch/x86/ke

[PATCH v6 0/6] Add support for architecture specific IMA policies

2018-10-09 Thread Nayna Jain
From: Nayna Jain The architecture specific policy, introduced in this patch set, permits different architectures to define IMA policy rules based on kernel configuration and system runtime information. For example, on x86, there are two methods of verifying the kexec'ed kernel image sign

[PATCH v6 1/5] x86/ima: define arch_ima_get_secureboot

2018-10-09 Thread Nayna Jain
From: Nayna Jain Distros are concerned about totally disabling the kexec_load syscall. As a compromise, the kexec_load syscall will only be disabled when CONFIG_KEXEC_VERIFY_SIG is configured and the system is booted with secureboot enabled. This patch defines the new arch specific function

[PATCH v6 2/5] ima: prevent kexec_load syscall based on runtime secureboot flag

2018-10-09 Thread Nayna Jain
From: Nayna Jain When CONFIG_KEXEC_VERIFY_SIG is enabled, the kexec_file_load syscall requires the kexec'd kernel image to be signed. Distros are concerned about totally disabling the kexec_load syscall. As a compromise, the kexec_load syscall will only be disabled when CONFIG_KEXEC_VERIF

Re: [PATCH v4 5/6] ima: add support for external setting of ima_appraise

2018-10-05 Thread Nayna Jain
On 09/27/2018 06:50 PM, Mimi Zohar wrote: Hi Nayna, On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote: The "ima_appraise" mode defaults to enforcing, unless configured to allow the boot command line "ima_appraise" option. This patch explicitly sets the "ima_ap

[PATCH v5 4/5] ima: add support for arch specific policies

2018-10-05 Thread Nayna Jain
From: Nayna Jain Builtin IMA policies can be enabled on the boot command line, and replaced with a custom policy, normally during early boot in the initramfs. Build time IMA policy rules were recently added. These rules are automatically enabled on boot and persist after loading a custom policy
