Hi Michael,
On Sun, 2018-11-11 at 19:50 +0100, Michael Niewöhner wrote:
> Well, there are at least two implementations I know of:
> For my Lenovo X260 I can choose between Infineon TPM 1.2 or Intel PTT TPM 2.0
> This here is my ThinkStation P320 which can choose between PTT 1.2, PTT 2.0,
>
he
> kernel image.
The "platform" keyring was upstreamed in order to verify the kernel
image being loaded by the kexec_file_load syscall. The intentions of
this patch description needs to be clearer.
>
> Suggested-by: Mimi Zohar
> Signed-off-by: Kairui Song
> ---
> cert
On Wed, 2019-01-09 at 09:33 +0800, Dave Young wrote:
> CC kexec list
> On 01/08/19 at 10:18am, Mimi Zohar wrote:
> > [Cc'ing the LSM and integrity mailing lists]
> >
> > Repeating my comment on PATCH 0/1 here with the expanded set of
> > mailing lists.
> >
&g
On Tue, 2019-01-08 at 08:45 +1100, James Morris wrote:
> > Included in this open window are a number of LSM changes, which were
> > not posted on the LSM mailing list and are not being upstreamed via
> > the LSMs.
>
> If you see changes doing this, please call them out. Any changes to LSM
>
[Cc'ing the LSM and integrity mailing lists]
Repeating my comment on PATCH 0/1 here with the expanded set of
mailing lists.
The builtin and secondary keyrings have a signature change of trust
rooted in the signed kernel image. Adding the pre-boot keys to the
secondary keyring breaks that
On Tue, 2019-01-08 at 16:12 +0800, Kairui Song wrote:
> Hi, as the subject, this is a patch that links the new introduced
> .platform keyring into .secondary_trusted_keys keyring. This is
> mainly for the kexec_file_load, make kexec_file_load be able to verify
> the kernel image agains keys
On Tue, 2019-01-01 at 17:15 +0100, Michael Niewöhner wrote:
> On Mon, 2018-12-31 at 16:17 -0500, Mimi Zohar wrote:
> > On Sun, 2018-12-30 at 14:22 +0100, Michael Niewöhner wrote:
> >
> > > > difference is that on a cold boot, the TPM takes longer to initialize.
&
On Sun, 2018-12-30 at 14:22 +0100, Michael Niewöhner wrote:
> > difference is that on a cold boot, the TPM takes longer to initialize.
>
> Well, as I said. Waiting for 10, 20 or even 60 seconds in the boot manager
> does
> not solve the problem. So the problem is NOT that the TPM takes longer
On Tue, 2018-12-25 at 14:55 +0100, Michael Niewöhner wrote:
> On Sun, 2018-12-23 at 12:55 +0100, Michael Niewöhner wrote:
> > Hi Mimi,
> >
> > On Sat, 2018-12-22 at 17:53 -0500, Mimi Zohar wrote:
> > > On Sat, 2018-12-22 at 14:47 +0100, Michael Niewöhner wrote
On Sat, 2018-12-29 at 10:34 -0800, Casey Schaufler wrote:
> On 12/28/2018 8:15 PM, Linus Torvalds wrote:
> > On Fri, Dec 28, 2018 at 8:09 PM James Morris wrote:
> >> Yep, I understand what you mean. I can't find the discussion from several
> >> years ago, but developers asked to be able to work
On Sat, 2018-12-22 at 14:47 +0100, Michael Niewöhner wrote:
> When I remove the timeout and boot directly to the linux kernel, I get that
> "2314 TPM-self test error" since it has not finished, yet. The TPM is detected
> by IMA and works fine then.
>
> Some more tests showed that any delay
If tmpfiles can be made persistent, then newly created tmpfiles need to
be treated like any other new files in policy.
This patch indicates which newly created tmpfiles are in policy, causing
the file hash to be calculated on __fput().
Reported-by: Ignaz Forster
Signed-off-by: Mimi Zohar
On Tue, 2018-12-18 at 04:06 +, Al Viro wrote:
> On Mon, Dec 17, 2018 at 10:00:07PM -0500, Mimi Zohar wrote:
>
> > Could you expand on commit 5b2ea6199614 ("selinux: switch away from
> > match_token()") patch description. All that it says is "It's
On Tue, 2018-12-18 at 01:33 +, Al Viro wrote:
> On Mon, Dec 17, 2018 at 04:36:54PM -0800, Linus Torvalds wrote:
> > On Mon, Dec 17, 2018 at 4:14 PM Mimi Zohar wrote:
> > >
> > > Start the policy_tokens and the associated enumeration from zero,
> > >
Start the policy_tokens and the associated enumeration from zero,
simplifying the pt macro.
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima_policy.c | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/security/integrity/ima/ima_policy.c
b/security/integrity
If tmpfiles can be made persistent, then newly created tmpfiles need to
be treated like any other new files in policy.
This patch indicates which newly created tmpfiles are in policy, causing
the file hash to be calculated on __fput().
Reported-by: Ignaz Forster
Signed-off-by: Mimi Zohar
On Mon, 2018-12-17 at 12:02 -0800, Linus Torvalds wrote:
> Talking about the conflicting ones: Opt_hash checks that
> Opt_policydigest isn't set. But Opt_policydigest doesn't check that
> Opt_hash isn't set, so you can mix the two if you just do it in the
> right order.
>
> But that's a separate
On Mon, 2018-12-17 at 11:06 -0800, Linus Torvalds wrote:
> On Mon, Dec 17, 2018 at 10:49 AM Linus Torvalds
> wrote:
> >
> > So the *simplest* fix would seem to be to literally remove all those
> > "= -1" for the Opt_err initialization. Making the code smaller,
> > simpler, and fixing the bug in
Signed-off-by: Thiago Jung Bauermann
>
> Mimi, can I add your acked-by?
Acked-by: Mimi Zohar
>
>
> > ---
> > security/integrity/digsig.c| 1 -
> > security/integrity/integrity.h | 5 ++---
> > 2 files changed, 2 insertions(+), 4 deletions(-)
> >
>
[Cc'ing Paul Gortmaker]
On Fri, 2018-12-14 at 08:25 -0800, Randy Dunlap wrote:
> On 12/13/18 11:18 PM, Stephen Rothwell wrote:
> > Hi all,
> >
> > Changes since 20181213:
> >
>
> on i386:
>
> CC security/integrity/ima/ima_main.o
> ../security/integrity/ima/ima_main.c: In function
[Cc'ing linux-integrity]
On Thu, 2018-12-13 at 12:26 +0100, Florian Weimer wrote:
> * Mimi Zohar:
>
> > The indication needs to be set during file open, before the open
> > returns to the caller. This is the point where ima_file_check()
> > verifies the file's signat
On Wed, 2018-12-12 at 19:02 -0800, Matthew Wilcox wrote:
> On Wed, Dec 12, 2018 at 09:17:07AM +0100, Mickaël Salaün wrote:
> > The goal of this patch series is to control script interpretation. A
> > new O_MAYEXEC flag used by sys_open() is added to enable userland script
> > interpreter to
On Wed, 2018-12-12 at 16:14 -0200, Thiago Jung Bauermann wrote:
[snip]
> Subject: [PATCH] ima: Only use the platform keyring if it's enabled
>
> Signed-off-by: Thiago Jung Bauermann
Good catch! Thanks.
Mimi
> ---
> security/integrity/ima/ima_appraise.c | 3 ++-
> 1 file changed, 2
On Wed, 2018-12-12 at 15:43 +0100, Jan Kara wrote:
> > diff --git a/fs/open.c b/fs/open.c
> > index 0285ce7dbd51..75479b79a58f 100644
> > --- a/fs/open.c
> > +++ b/fs/open.c
> > @@ -974,6 +974,10 @@ static inline int build_open_flags(int flags, umode_t
> > mode, struct open_flags *o
> > if
On Fri, 2018-12-07 at 15:51 +0100, Roberto Sassu wrote:
> On 12/6/2018 8:49 PM, Mimi Zohar wrote:
> > PCRs for sha1 and sha256 algorithms are being updated and the
> > measurement list verifies against the SHA1 PCR-10.
> >
> > Roberto, have you added support i
Hi Nayna,
On Sun, 2018-12-09 at 01:56 +0530, Nayna Jain wrote:
> On secure boot enabled systems, a verified kernel may need to kexec
> additional kernels. For example, it may be used as a bootloader needing
> to kexec a target kernel or it may need to kexec a crashdump kernel.
> In such cases, it
On Wed, 2018-12-05 at 15:31 -0500, Mimi Zohar wrote:
> On Tue, 2018-12-04 at 15:40 -0800, Jarkko Sakkinen wrote:
> > On Tue, Dec 04, 2018 at 09:21:35AM +0100, Roberto Sassu wrote:
> > > Currently the TPM driver allows other kernel subsystems to read only the
> > >
On Wed, 2018-12-05 at 15:31 -0500, Mimi Zohar wrote:
> On Tue, 2018-12-04 at 15:40 -0800, Jarkko Sakkinen wrote:
> > On Tue, Dec 04, 2018 at 09:21:35AM +0100, Roberto Sassu wrote:
> > > Currently the TPM driver allows other kernel subsystems to read only the
> > >
e always not NULL.
> >
> > Due to the API change, IMA functions have been modified.
> >
> > Signed-off-by: Roberto Sassu
> > Acked-by: Mimi Zohar
>
> Reviewed-by: Jarkko Sakkinen
>
> Mimi, Nayna, can you help with testing this (because of the IMA c
e always not NULL.
> >
> > Due to the API change, IMA functions have been modified.
> >
> > Signed-off-by: Roberto Sassu
> > Acked-by: Mimi Zohar
>
> Reviewed-by: Jarkko Sakkinen
>
> Mimi, Nayna, can you help with testing this (because of the IMA c
On Fri, 2018-11-30 at 15:46 -0800, Jarkko Sakkinen wrote:
> On Fri, Nov 30, 2018 at 03:45:07PM -0800, Jarkko Sakkinen wrote:
> > On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> > > On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > > > O
On Fri, 2018-11-30 at 15:46 -0800, Jarkko Sakkinen wrote:
> On Fri, Nov 30, 2018 at 03:45:07PM -0800, Jarkko Sakkinen wrote:
> > On Tue, Nov 06, 2018 at 01:17:34PM -0500, Mimi Zohar wrote:
> > > On Tue, 2018-11-06 at 09:46 -0700, Jerry Snitselaar wrote:
> > > > O
On Fri, 2018-11-23 at 18:07 -0800, Casey Schaufler wrote:
> On 11/23/2018 11:30 AM, Mimi Zohar wrote:
> > On Fri, 2018-11-23 at 11:03 -0800, Casey Schaufler wrote:
> >> On 11/22/2018 7:49 AM, Roberto Sassu wrote:
> >>> Although rootfs (tmpfs) support
On Fri, 2018-11-23 at 18:07 -0800, Casey Schaufler wrote:
> On 11/23/2018 11:30 AM, Mimi Zohar wrote:
> > On Fri, 2018-11-23 at 11:03 -0800, Casey Schaufler wrote:
> >> On 11/22/2018 7:49 AM, Roberto Sassu wrote:
> >>> Although rootfs (tmpfs) support
On Fri, 2018-11-23 at 11:03 -0800, Casey Schaufler wrote:
> On 11/22/2018 7:49 AM, Roberto Sassu wrote:
> > Although rootfs (tmpfs) supports xattrs, they are not set due to the
> > limitation of the cpio format. A new format called 'newcx' was proposed to
> > overcome this limitation.
> >
> >
On Fri, 2018-11-23 at 11:03 -0800, Casey Schaufler wrote:
> On 11/22/2018 7:49 AM, Roberto Sassu wrote:
> > Although rootfs (tmpfs) supports xattrs, they are not set due to the
> > limitation of the cpio format. A new format called 'newcx' was proposed to
> > overcome this limitation.
> >
> >
On Mon, 2018-11-19 at 09:16 +0100, Roberto Sassu wrote:
> On 11/19/2018 5:57 AM, Mimi Zohar wrote:
> > On Sun, 2018-11-18 at 09:27 +0200, Jarkko Sakkinen wrote:
> >> On Fri, Nov 16, 2018 at 04:55:36PM +0100, Roberto Sassu wrote:
> >>> On 11/16/2018 4:03 PM, Jarkko
On Mon, 2018-11-19 at 09:16 +0100, Roberto Sassu wrote:
> On 11/19/2018 5:57 AM, Mimi Zohar wrote:
> > On Sun, 2018-11-18 at 09:27 +0200, Jarkko Sakkinen wrote:
> >> On Fri, Nov 16, 2018 at 04:55:36PM +0100, Roberto Sassu wrote:
> >>> On 11/16/2018 4:03 PM, Jarkko
On Sun, 2018-11-18 at 09:27 +0200, Jarkko Sakkinen wrote:
> On Fri, Nov 16, 2018 at 04:55:36PM +0100, Roberto Sassu wrote:
> > On 11/16/2018 4:03 PM, Jarkko Sakkinen wrote:
> > > On Wed, Nov 14, 2018 at 04:31:08PM +0100, Roberto Sassu wrote:
> > > > Currently, tpm_pcr_extend() accepts as an input
On Sun, 2018-11-18 at 09:27 +0200, Jarkko Sakkinen wrote:
> On Fri, Nov 16, 2018 at 04:55:36PM +0100, Roberto Sassu wrote:
> > On 11/16/2018 4:03 PM, Jarkko Sakkinen wrote:
> > > On Wed, Nov 14, 2018 at 04:31:08PM +0100, Roberto Sassu wrote:
> > > > Currently, tpm_pcr_extend() accepts as an input
> Very strange... When I pull the power cord, then replug and boot, I get these
> dmesg messages:
> [0.00] efi: ACPI
> 2.0=0x9ea78000 ACPI=0x9ea78000 SMBIOS=0x9f5e5000 SMBIOS
> 3.0=0x9f5e4000 MPS=0xfca00 ESRT=0x9c06e918 MEMATTR=0x99cb9018
> TPMEventLog=0x
> 98d0c018
> [
> Very strange... When I pull the power cord, then replug and boot, I get these
> dmesg messages:
> [0.00] efi: ACPI
> 2.0=0x9ea78000 ACPI=0x9ea78000 SMBIOS=0x9f5e5000 SMBIOS
> 3.0=0x9f5e4000 MPS=0xfca00 ESRT=0x9c06e918 MEMATTR=0x99cb9018
> TPMEventLog=0x
> 98d0c018
> [
On Sun, 2018-11-11 at 18:55 +0100, Michael Niewöhner wrote:
> Hi all,
>
> Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis / tpm_i2c_nuvoton
> while it works in TPM 1.2 mode (I can reflash it via UEFI setup).
> Kernel version is 4.19.1
>
> Kernel config:
>
> $ cat .config | egrep
On Sun, 2018-11-11 at 18:55 +0100, Michael Niewöhner wrote:
> Hi all,
>
> Nuvoton NCPT650 does not work in TPM 2.0 mode with tpm_tis / tpm_i2c_nuvoton
> while it works in TPM 1.2 mode (I can reflash it via UEFI setup).
> Kernel version is 4.19.1
>
> Kernel config:
>
> $ cat .config | egrep
On Thu, 2018-11-08 at 17:21 +0200, Jarkko Sakkinen wrote:
> On Thu, Nov 08, 2018 at 07:20:51PM +0530, Nayna Jain wrote:
> > Based on a discussion with Ken, the count in the TPML_PCR_SELECTION returns
> > the number of possible algorithms supported. In the example below, two
> > possible algorithms
On Thu, 2018-11-08 at 17:21 +0200, Jarkko Sakkinen wrote:
> On Thu, Nov 08, 2018 at 07:20:51PM +0530, Nayna Jain wrote:
> > Based on a discussion with Ken, the count in the TPML_PCR_SELECTION returns
> > the number of possible algorithms supported. In the example below, two
> > possible algorithms
On Wed, 2018-11-07 at 11:44 +0530, Nayna Jain wrote:
> On 11/06/2018 08:31 PM, Roberto Sassu wrote:
> > @@ -878,11 +877,14 @@ static ssize_t tpm2_get_pcr_allocation(struct
> > tpm_chip *chip)
> > if (rc)
> > goto out;
> >
> > - count = be32_to_cpup(
> > +
On Wed, 2018-11-07 at 11:44 +0530, Nayna Jain wrote:
> On 11/06/2018 08:31 PM, Roberto Sassu wrote:
> > @@ -878,11 +877,14 @@ static ssize_t tpm2_get_pcr_allocation(struct
> > tpm_chip *chip)
> > if (rc)
> > goto out;
> >
> > - count = be32_to_cpup(
> > +
Stefan Berger
> >Reviewed-by: Mimi Zohar
>
> Acked-by: Jerry Snitselaar
Thanks! This patch is now staged in the #next-integrity-queued
branch.
Mimi
Stefan Berger
> >Reviewed-by: Mimi Zohar
>
> Acked-by: Jerry Snitselaar
Thanks! This patch is now staged in the #next-integrity-queued
branch.
Mimi
On Mon, 2018-11-05 at 14:09 +0100, Roberto Sassu wrote:
> On 11/5/2018 1:01 PM, Jarkko Sakkinen wrote:
> Ok, then I can remove patch 1/5 if nr_active_banks is included in the
> tpm_chip structure.
Right, 1/5 would be replaced with the nr_active_banks usage.
Mimi
On Mon, 2018-11-05 at 14:09 +0100, Roberto Sassu wrote:
> On 11/5/2018 1:01 PM, Jarkko Sakkinen wrote:
> Ok, then I can remove patch 1/5 if nr_active_banks is included in the
> tpm_chip structure.
Right, 1/5 would be replaced with the nr_active_banks usage.
Mimi
> >>> diff --git a/drivers/char/tpm/tpm-interface.c
> >>> b/drivers/char/tpm/tpm-interface.c
> >>> index 1a803b0cf980..f7fc4b5ee239 100644
> >>> --- a/drivers/char/tpm/tpm-interface.c
> >>> +++ b/drivers/char/tpm/tpm-interface.c
> >>> @@ -1051,7 +1051,7 @@ int tpm_pcr_extend(struct tpm_chip
> >>> diff --git a/drivers/char/tpm/tpm-interface.c
> >>> b/drivers/char/tpm/tpm-interface.c
> >>> index 1a803b0cf980..f7fc4b5ee239 100644
> >>> --- a/drivers/char/tpm/tpm-interface.c
> >>> +++ b/drivers/char/tpm/tpm-interface.c
> >>> @@ -1051,7 +1051,7 @@ int tpm_pcr_extend(struct tpm_chip
On Tue, 2018-10-30 at 16:47 +0100, Roberto Sassu wrote:
> This patch ensures that the digest size returned by the TPM during a PCR
> read matches the size of the algorithm passed as argument to
> tpm2_pcr_read(). The check is performed after information about the PCR
> banks has been retrieved.
>
On Tue, 2018-10-30 at 16:47 +0100, Roberto Sassu wrote:
> This patch ensures that the digest size returned by the TPM during a PCR
> read matches the size of the algorithm passed as argument to
> tpm2_pcr_read(). The check is performed after information about the PCR
> banks has been retrieved.
>
On Thu, 2018-11-01 at 12:02 -0400, Mimi Zohar wrote:
> On Tue, 2018-10-30 at 16:47 +0100, Roberto Sassu wrote:
> > +static int tpm2_init_bank_info(struct tpm_chip *chip,
> > + struct tpm_bank_info *bank)
> > +{
> > + struct tpm_digest diges
On Thu, 2018-11-01 at 12:02 -0400, Mimi Zohar wrote:
> On Tue, 2018-10-30 at 16:47 +0100, Roberto Sassu wrote:
> > +static int tpm2_init_bank_info(struct tpm_chip *chip,
> > + struct tpm_bank_info *bank)
> > +{
> > + struct tpm_digest diges
> Signed-off-by: Roberto Sassu
> Reviewed-by: Jarkko Sakkinen
> Acked-by: Mimi Zohar
> ---
> drivers/char/tpm/tpm-interface.c | 10 ---
> drivers/char/tpm/tpm.h | 4 +--
> drivers/char/tpm/tpm2-cmd.c | 45
> include/lin
> Signed-off-by: Roberto Sassu
> Reviewed-by: Jarkko Sakkinen
> Acked-by: Mimi Zohar
> ---
> drivers/char/tpm/tpm-interface.c | 10 ---
> drivers/char/tpm/tpm.h | 4 +--
> drivers/char/tpm/tpm2-cmd.c | 45
> include/lin
On Wed, 2018-10-31 at 10:43 -0400, Mimi Zohar wrote:
> On Tue, 2018-10-30 at 16:47 +0100, Roberto Sassu wrote:
> > This patch changes the end marker of the active_banks array from
> > TPM2_ALG_ERROR to zero.
>
> The patch description is a bit off.
>
> TPM2_ALG_ERROR
On Wed, 2018-10-31 at 10:43 -0400, Mimi Zohar wrote:
> On Tue, 2018-10-30 at 16:47 +0100, Roberto Sassu wrote:
> > This patch changes the end marker of the active_banks array from
> > TPM2_ALG_ERROR to zero.
>
> The patch description is a bit off.
>
> TPM2_ALG_ERROR
On Tue, 2018-10-30 at 16:47 +0100, Roberto Sassu wrote:
> This patch changes the end marker of the active_banks array from
> TPM2_ALG_ERROR to zero.
The patch description is a bit off.
TPM2_ALG_ERROR is defined as zero. Since tpm_chip_alloc() calls
kzalloc to allocate the structure, there is no
On Tue, 2018-10-30 at 16:47 +0100, Roberto Sassu wrote:
> This patch changes the end marker of the active_banks array from
> TPM2_ALG_ERROR to zero.
The patch description is a bit off.
TPM2_ALG_ERROR is defined as zero. Since tpm_chip_alloc() calls
kzalloc to allocate the structure, there is no
On Mon, 2018-09-17 at 23:44 +0300, Jarkko Sakkinen wrote:
> On Sun, Sep 16, 2018 at 10:40:22PM -0700, James Bottomley wrote:
> > On Sun, 2018-09-16 at 22:19 +0300, Jarkko Sakkinen wrote:
> > > On Thu, Sep 13, 2018 at 05:45:54PM +0100, David Howells wrote:
> > > > Jarkko Sakkinen wrote:
> > > >
>
On Mon, 2018-09-17 at 23:44 +0300, Jarkko Sakkinen wrote:
> On Sun, Sep 16, 2018 at 10:40:22PM -0700, James Bottomley wrote:
> > On Sun, 2018-09-16 at 22:19 +0300, Jarkko Sakkinen wrote:
> > > On Thu, Sep 13, 2018 at 05:45:54PM +0100, David Howells wrote:
> > > > Jarkko Sakkinen wrote:
> > > >
>
Hi Stephen,
On Sat, 2018-10-06 at 11:58 +1000, Stephen Rothwell wrote:
> Hi all,
>
> Commit
>
> 3dcee2d9c069 ("ima: fix showing large 'violations' or
> 'runtime_measurements_count'")
>
> is missing a Signed-off-by from its committer.
Added comment and Signed-off-by.
Mimi
Hi Stephen,
On Sat, 2018-10-06 at 11:58 +1000, Stephen Rothwell wrote:
> Hi all,
>
> Commit
>
> 3dcee2d9c069 ("ima: fix showing large 'violations' or
> 'runtime_measurements_count'")
>
> is missing a Signed-off-by from its committer.
Added comment and Signed-off-by.
Mimi
On Tue, 2018-10-02 at 21:36 +0200, Jann Horn wrote:
> +Andy for opinions on things in write handlers
> +Mimi Zohar as EVM maintainer
>
> On Tue, Oct 2, 2018 at 9:55 AM joeyli wrote:
> > On Thu, Sep 13, 2018 at 04:31:18PM +0200, Jann Horn wrote:
> > > On Thu, Sep 13, 2
On Tue, 2018-10-02 at 21:36 +0200, Jann Horn wrote:
> +Andy for opinions on things in write handlers
> +Mimi Zohar as EVM maintainer
>
> On Tue, Oct 2, 2018 at 9:55 AM joeyli wrote:
> > On Thu, Sep 13, 2018 at 04:31:18PM +0200, Jann Horn wrote:
> > > On Thu, Sep 13, 2
Hi Nayna,
On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
> +static void add_rules(struct ima_rule_entry *entries, int count,
> + enum policy_rule_list file)
Using "file" to refer to the policy_rule_list enumeration is unusual.
Please change the variable name to
Hi Nayna,
On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
> +static void add_rules(struct ima_rule_entry *entries, int count,
> + enum policy_rule_list file)
Using "file" to refer to the policy_rule_list enumeration is unusual.
Please change the variable name to
On Thu, 2018-09-27 at 08:50 +0200, Roberto Sassu wrote:
> On 9/26/2018 8:03 PM, Mimi Zohar wrote:
> > Roberto, a similar change needs to be made for tpm_pcr_extend. Are
> > you planning on posting those changes as well?
>
> Yes, I was planning to send the patch after this
On Thu, 2018-09-27 at 08:50 +0200, Roberto Sassu wrote:
> On 9/26/2018 8:03 PM, Mimi Zohar wrote:
> > Roberto, a similar change needs to be made for tpm_pcr_extend. Are
> > you planning on posting those changes as well?
>
> Yes, I was planning to send the patch after this
Hi Eric, Nayna,
On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
> From: Eric Richter
> This patch implements an example arch-specific IMA policy for x86 to
> enable measurement and appraisal of any kernel image loaded for kexec,
> when CONFIG_KEXEC_VERIFY_SIG is not enabled.
>
> For
Hi Eric, Nayna,
On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
> From: Eric Richter
> This patch implements an example arch-specific IMA policy for x86 to
> enable measurement and appraisal of any kernel image loaded for kexec,
> when CONFIG_KEXEC_VERIFY_SIG is not enabled.
>
> For
ry_rules. The memory can then be freed after loading a custom
> policy.
> - Rename ima_get_arch_policy to arch_get_ima_policy.
> Signed-off-by: Mimi Zohar
> - Modified ima_init_arch_policy() and ima_init_policy() to use add_rules()
> from previous patch.
> Signed-off-by
ry_rules. The memory can then be freed after loading a custom
> policy.
> - Rename ima_get_arch_policy to arch_get_ima_policy.
> Signed-off-by: Mimi Zohar
> - Modified ima_init_arch_policy() and ima_init_policy() to use add_rules()
> from previous patch.
> Signed-off-by
Hi Nayna,
On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
> The "ima_appraise" mode defaults to enforcing, unless configured to allow
> the boot command line "ima_appraise" option. This patch explicitly sets the
> "ima_appraise" mode for the arch specific policy setting.
Eventually this
Hi Nayna,
On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
> The "ima_appraise" mode defaults to enforcing, unless configured to allow
> the boot command line "ima_appraise" option. This patch explicitly sets the
> "ima_appraise" mode for the arch specific policy setting.
Eventually this
On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
> This patch removes the code duplication in ima_init_policy() by defining
> a new function named add_rules().
Thanks! The patch looks good, but let's expand on this just a bit.
Rules can be added to the initial IMA policy, the custom policy
On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
> This patch removes the code duplication in ima_init_policy() by defining
> a new function named add_rules().
Thanks! The patch looks good, but let's expand on this just a bit.
Rules can be added to the initial IMA policy, the custom policy
[Cc'ing the kexec mailing list, and Seth]
On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
> When CONFIG_KEXEC_VERIFY_SIG is enabled, the kexec_file_load syscall
> requires the kexec'd kernel image to be signed. Distros are concerned
> about totally disabling the kexec_load syscall. As a
[Cc'ing the kexec mailing list, and Seth]
On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
> When CONFIG_KEXEC_VERIFY_SIG is enabled, the kexec_file_load syscall
> requires the kexec'd kernel image to be signed. Distros are concerned
> about totally disabling the kexec_load syscall. As a
[Cc'ing the kexec mailing list, and Seth]
On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
> Distros are concerned about totally disabling the kexec_load syscall.
> As a compromise, the kexec_load syscall will only be disabled when
> CONFIG_KEXEC_VERIFY_SIG is configured and the system is
[Cc'ing the kexec mailing list, and Seth]
On Wed, 2018-09-26 at 17:52 +0530, Nayna Jain wrote:
> Distros are concerned about totally disabling the kexec_load syscall.
> As a compromise, the kexec_load syscall will only be disabled when
> CONFIG_KEXEC_VERIFY_SIG is configured and the system is
On Wed, 2018-09-26 at 10:40 -0400, Mimi Zohar wrote:
> On Mon, 2018-09-17 at 11:38 +0200, Roberto Sassu wrote:
> > Resending to maintainer with correct mailing lists in CC.
> >
> > The TPM driver currently relies on the crypto subsystem to determine the
> > digest size
On Wed, 2018-09-26 at 10:40 -0400, Mimi Zohar wrote:
> On Mon, 2018-09-17 at 11:38 +0200, Roberto Sassu wrote:
> > Resending to maintainer with correct mailing lists in CC.
> >
> > The TPM driver currently relies on the crypto subsystem to determine the
> > digest size
hes look good. Please add my Ack on all 3 patches.
(New address) Acked-by: Mimi Zohar
Thanks!
Mimi
hes look good. Please add my Ack on all 3 patches.
(New address) Acked-by: Mimi Zohar
Thanks!
Mimi
On Fri, 2018-09-21 at 12:24 +0200, Roberto Sassu wrote:
> On 9/17/2018 11:38 AM, Roberto Sassu wrote:
> > Currently the TPM driver allows other kernel subsystems to read only the
> > SHA1 PCR bank. This patch modifies the parameters of tpm_pcr_read() and
> > tpm2_pcr_read() to pass an array of
On Fri, 2018-09-21 at 12:24 +0200, Roberto Sassu wrote:
> On 9/17/2018 11:38 AM, Roberto Sassu wrote:
> > Currently the TPM driver allows other kernel subsystems to read only the
> > SHA1 PCR bank. This patch modifies the parameters of tpm_pcr_read() and
> > tpm2_pcr_read() to pass an array of
On Fri, 2018-08-03 at 08:48 -0700, James Bottomley wrote:
> On Fri, 2018-08-03 at 10:45 -0400, Mimi Zohar wrote:
> > On Fri, 2018-08-03 at 07:23 -0700, James Bottomley wrote:
> > > On Fri, 2018-08-03 at 07:58 -0400, Mimi Zohar wrote:
> > > > On Thu, 2018-08-02 at 17
On Fri, 2018-08-03 at 08:48 -0700, James Bottomley wrote:
> On Fri, 2018-08-03 at 10:45 -0400, Mimi Zohar wrote:
> > On Fri, 2018-08-03 at 07:23 -0700, James Bottomley wrote:
> > > On Fri, 2018-08-03 at 07:58 -0400, Mimi Zohar wrote:
> > > > On Thu, 2018-08-02 at 17
On Fri, 2018-08-03 at 15:55 +0100, David Howells wrote:
> Mimi Zohar wrote:
>
> > "trusted" keys are currently being used to decrypt other keys (eg.
> > encrypted, ecryptfs, ...).
>
> Can it decrypt both symmetric and asymmetric keys?
Yes, the "
On Fri, 2018-08-03 at 15:55 +0100, David Howells wrote:
> Mimi Zohar wrote:
>
> > "trusted" keys are currently being used to decrypt other keys (eg.
> > encrypted, ecryptfs, ...).
>
> Can it decrypt both symmetric and asymmetric keys?
Yes, the "
On Fri, 2018-08-03 at 07:23 -0700, James Bottomley wrote:
> On Fri, 2018-08-03 at 07:58 -0400, Mimi Zohar wrote:
> > On Thu, 2018-08-02 at 17:14 +0100, David Howells wrote:
> > > Udit Agarwal wrote:
> > >
> > > > +==
> > > > +Secure Ke
On Fri, 2018-08-03 at 07:23 -0700, James Bottomley wrote:
> On Fri, 2018-08-03 at 07:58 -0400, Mimi Zohar wrote:
> > On Thu, 2018-08-02 at 17:14 +0100, David Howells wrote:
> > > Udit Agarwal wrote:
> > >
> > > > +==
> > > > +Secure Ke
On Thu, 2018-08-02 at 17:14 +0100, David Howells wrote:
> Udit Agarwal wrote:
>
> > +==
> > +Secure Key
> > +==
> > +
> > +Secure key is the new type added to kernel key ring service.
> > +Secure key is a symmetric type key of minimum length 32 bytes
> > +and with maximum
On Thu, 2018-08-02 at 17:14 +0100, David Howells wrote:
> Udit Agarwal wrote:
>
> > +==
> > +Secure Key
> > +==
> > +
> > +Secure key is the new type added to kernel key ring service.
> > +Secure key is a symmetric type key of minimum length 32 bytes
> > +and with maximum
601 - 700 of 2982 matches
Mail list logo
