On Fri, 2018-03-16 at 17:38 -0300, Thiago Jung Bauermann wrote:
> This patch actually implements the appraise_type=imasig|modsig option,
> allowing IMA to read and verify modsig signatures.
>
> In case both are present in the same file, IMA will first check whether the
> key used by the xattr
sage should be independent of other
changes.
Mimi
>
> Suggested-by: Mimi Zohar
> Signed-off-by: Thiago Jung Bauermann
> ---
> Documentation/security/IMA-templates.rst | 5
> security/integrity/ima/ima_template.c | 4 ++-
> security/integrity/ima/ima_template_l
>digest is always initialized to zero.
>
> Signed-off-by: Thiago Jung Bauermann
> Cc: David Howells
> Cc: Herbert Xu
> Cc: "David S. Miller"
Reviewed-by: Mimi Zohar
> ---
> crypto/asymmetric_keys/pkcs7_verify.c | 25 +
> include
to
be refactored. In this case, verify_pkcs7_signature() verifies the
signature using keys on the builtin and secondary keyrings. IMA-
appraisal needs to verify the signature using keys on its keyring.
The patch itself looks good!
Reviewed-by: Mimi Zohar
> Signed-off-by: Thiago Jung Bauermann
> Cc:
complains that
> CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS.
>
> Signed-off-by: Thiago Jung Bauermann
Signed-off-by: Mimi Zohar
> ---
> security/integrity/Kconfig | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/integrity/Kconfig b/security/integ
n the xattr sig is factored out from
> asymmetric_verify() so that it can be used by the new function.
>
> Signed-off-by: Thiago Jung Bauermann
Signed-off-by: Mimi Zohar
> ---
> security/integrity/digsig_asymmetric.c | 44
> +-
> securit
On Fri, 2018-03-16 at 17:38 -0300, Thiago Jung Bauermann wrote:
> IMA will need to obtain the keyring used to verify file signatures so that
> it can verify the module-style signature appended to files.
>
> Signed-off-by: Thiago Jung Bauermann
Signed-off-by: Mimi Zohar
>
On Thu, 2018-03-15 at 15:35 -0500, Eric W. Biederman wrote:
> Stefan Berger writes:
> > On 03/15/2018 03:20 PM, Eric W. Biederman wrote:
[..]
> >> From previous conversations I remember that there is a legitimate
> >> bootstrap problem for IMA. That needs to be looked at, and I am not
> >>
On Sun, 2018-03-11 at 11:20 +0800, joeyli wrote:
> On Wed, Mar 07, 2018 at 07:28:37AM -0800, James Bottomley wrote:
> > On Wed, 2018-03-07 at 08:18 -0500, Mimi Zohar wrote:
> > > On Tue, 2018-03-06 at 15:05 +0100, Jiri Slaby wrote:
> > > > what's the status of this p
On Thu, 2018-03-15 at 10:29 -0700, James Bottomley wrote:
> On Thu, 2018-03-15 at 13:14 -0400, Mimi Zohar wrote:
> > On Thu, 2018-03-15 at 10:08 -0700, James Bottomley wrote:
> > >
> > > On Thu, 2018-03-15 at 12:19 -0400, Mimi Zohar wrote:
> >
> > >
>
On Fri, 2018-03-16 at 14:21 +0200, Jarkko Sakkinen wrote:
> On Mon, Mar 05, 2018 at 05:52:24PM -0500, Mimi Zohar wrote:
> > Hi Jarkko,
> >
> > On Mon, 2018-03-05 at 18:56 +0200, Jarkko Sakkinen wrote:
> > > In order to make struct tpm_buf the first class obje
d. The last one, we'll see
about.
Mimi
>
> These are the changes made to them since v5 of the modsig series:
>
> - Patch "integrity: Remove unused macro IMA_ACTION_RULE_FLAGS"
> - New patch.
>
> - Patch "ima: Improvements in ima_appraise_measurement()"
> - Mo
On Wed, 2018-03-14 at 21:03 -0300, Thiago Jung Bauermann wrote:
> Hello Serge,
>
> Thanks for quickly reviewing these patches!
>
> Serge E. Hallyn writes:
>
> > Quoting Thiago Jung Bauermann (bauer...@linux.vnet.ibm.com):
> >> From: Mimi Zoha
On Thu, 2018-03-15 at 10:08 -0700, James Bottomley wrote:
> On Thu, 2018-03-15 at 12:19 -0400, Mimi Zohar wrote:
> > If EFI is extending the TPM, will the events be added to the TPM
> > event log or to the IMA measurement list?
>
> I'm not proposing any changes to t
On Wed, 2018-03-14 at 10:25 -0700, James Bottomley wrote:
> On Wed, 2018-03-14 at 13:08 -0400, Mimi Zohar wrote:
[..]
> > Adding additional support for post IMA-initialization for TPM's built
> > as kernel modules is clearly not optimal for all of the reasons
>
> > > ]
> > > Sent: Monday, March 12, 2018 8:07 PM
> > > To: Mimi Zohar ; Jiandi An
> [...]
> > > > > The key question is not whether the component could
> > > > > theoretically
> > > > > access the files but whether it actually
On Wed, 2018-03-14 at 01:42 +0800, kbuild test robot wrote:
> Fixes: c49fc264be98 ("evm: Move evm_hmac and evm_hash from evm_main.c to
> evm_crypto.c")
> Signed-off-by: Fengguang Wu
Thanks!
> ---
> evm_crypto.c |4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git
On Mon, 2018-03-12 at 15:30 -0700, James Bottomley wrote:
> On Mon, 2018-03-12 at 17:53 -0400, Mimi Zohar wrote:
[...]
> > - This use case, when the TPM is not builtin and unavailable before
> > IMA is initialized.
> >
> > I would classify this use case as an IMA testin
On Mon, 2018-03-12 at 17:05 -0600, Jason Gunthorpe wrote:
> On Mon, Mar 12, 2018 at 06:58:45PM -0400, Mimi Zohar wrote:
> > On Mon, 2018-03-12 at 15:59 -0600, Jason Gunthorpe wrote:
> > > On Mon, Mar 12, 2018 at 05:53:18PM -0400, Mimi Zohar wrote:
> > >
> > >
On Mon, 2018-03-12 at 15:59 -0600, Jason Gunthorpe wrote:
> On Mon, Mar 12, 2018 at 05:53:18PM -0400, Mimi Zohar wrote:
>
> > Using Kconfig to force the TPM to be builtin is not required, but
> > helpful. Users interested in IMA-measurement could configure the TPM
> >
On Fri, 2018-03-09 at 09:11 -0800, James Bottomley wrote:
> On Thu, 2018-03-08 at 12:42 -0600, Jiandi An wrote:
> [...]
> > I'm no expert on IMA and its driver. James, will you be kind enough
> > to look into overhauling the IMA driver to not measure until after
> > initrd phase if that's the
On Tue, 2018-03-06 at 23:26 -0600, Jiandi An wrote:
> TPM_CRB driver is the TPM support for ARM64. If it
> is built as module, TPM chip is registered after IMA
> init. tpm_pcr_read() in IMA driver would fail and
> display the following message even though eventually
> there is TPM chip on the
On Thu, 2018-03-08 at 16:08 -0700, Tycho Andersen wrote:
> In keeping with the directive to get rid of VLAs [1], let's drop the VLA
> from ima_audit_measurement(). We need to adjust the return type of
> ima_audit_measurement, because now this function can fail if an allocation
> fails.
>
> [1]:
On Tue, 2018-02-27 at 19:16 -0300, Hernán Gonzalez wrote:
> Note: This is compile only tested.
> This variable was not used where it was defined, there was no point in
> declaring it there as extern, thus it got moved and constified saving up 2
> bytes.
>
> Function
On Fri, 2018-03-09 at 11:54 -0800, Kees Cook wrote:
> On Fri, Mar 9, 2018 at 11:47 AM, Linus Torvalds
> wrote:
> > On Fri, Mar 9, 2018 at 11:30 AM, Kees Cook wrote:
> >> The LSM check should happen after the file has been confirmed to be
> >> unchanging. Without this, we could have a race
_PLATFORM_KEYRING. The
> platform certificate can be provided using CONFIG_PLATFORM_TRUSTED_KEYS.
>
> Signed-off-by: Nayna Jain
Please add my Reviewed-by: Mimi Zohar on
this and 2/3.
Mimi
> ---
> Changelog:
>
> v2:
>
> * Include David Howell's feedback:
> * Fix the i
> This patch enables IMA-appraisal to access the platform keyring, based on a
> new Kconfig option "IMA_USE_PLATFORM_KEYRING".
>
> Signed-off-by: Nayna Jain
Thanks, Nayna!
Signed-off-by: Mimi Zohar
> ---
> Changelog:
>
> v2:
> * Rename integrity_load_keyrin
On Thu, 2018-03-08 at 15:15 -0700, Tycho Andersen wrote:
> Hi Mimi,
>
> On Thu, Mar 08, 2018 at 05:05:40PM -0500, Mimi Zohar wrote:
> > On Thu, 2018-03-08 at 14:45 -0700, Tycho Andersen wrote:
> > > Hi Mimi,
> > >
> > > On Thu, Mar 08, 2018 at 03:36:14
On Thu, 2018-03-08 at 14:45 -0700, Tycho Andersen wrote:
> Hi Mimi,
>
> On Thu, Mar 08, 2018 at 03:36:14PM -0500, Mimi Zohar wrote:
> > On Thu, 2018-03-08 at 13:23 -0700, Tycho Andersen wrote:
> >
> > > /*
> > > diff --git a/security/integrity/ima/ima
On Thu, 2018-03-08 at 13:23 -0700, Tycho Andersen wrote:
> /*
> diff --git a/security/integrity/ima/ima_main.c
> b/security/integrity/ima/ima_main.c
> index 2cfb0c714967..356faae6f09c 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -288,8 +288,11
On Thu, 2018-03-08 at 12:42 -0600, Jiandi An wrote:
> So from the discussion, I hear James suggests to overhaul the current
> IMA driver to not do measurement (calling tpm_pcr_read(), etc) until
> after initrd phase so TPM drivers can be built as modules.
>
> I hear Mimi insists TPM drivers
On Thu, 2018-03-08 at 12:47 -0700, Tycho Andersen wrote:
> On Thu, Mar 08, 2018 at 02:20:17PM -0500, Mimi Zohar wrote:
> > On Thu, 2018-03-08 at 12:04 -0700, Tycho Andersen wrote:
> > > On Thu, Mar 08, 2018 at 01:50:30PM -0500, Mimi Zohar wrote:
> > > > On Thu, 20
On Thu, 2018-03-08 at 12:04 -0700, Tycho Andersen wrote:
> On Thu, Mar 08, 2018 at 01:50:30PM -0500, Mimi Zohar wrote:
> > On Thu, 2018-03-08 at 11:37 -0700, Tycho Andersen wrote:
> > > On Thu, Mar 08, 2018 at 07:47:37PM +0200, Andy Shevchenko wrote:
> > > > On Thu,
On Thu, 2018-03-08 at 11:37 -0700, Tycho Andersen wrote:
> On Thu, Mar 08, 2018 at 07:47:37PM +0200, Andy Shevchenko wrote:
> > On Thu, Mar 8, 2018 at 7:14 PM, Tycho Andersen wrote:
> > > In keeping with the directive to get rid of VLAs [1], let's drop the VLA
> > > from ima_audit_measurement().
On Thu, 2018-03-08 at 06:21 -0500, Richard Guy Briggs wrote:
> On 2018-03-05 09:24, Mimi Zohar wrote:
> > On Mon, 2018-03-05 at 08:50 -0500, Richard Guy Briggs wrote:
> > > On 2018-03-05 08:43, Mimi Zohar wrote:
> > > > Hi Richard,
> > > >
> > >
On Wed, 2018-03-07 at 11:41 -0800, James Bottomley wrote:
> On Wed, 2018-03-07 at 14:21 -0500, Mimi Zohar wrote:
> > On Wed, 2018-03-07 at 11:08 -0800, James Bottomley wrote:
> > >
> > > On Wed, 2018-03-07 at 13:55 -0500, Mimi Zohar wrote:
> > > >
> >
On Wed, 2018-03-07 at 11:08 -0800, James Bottomley wrote:
> On Wed, 2018-03-07 at 13:55 -0500, Mimi Zohar wrote:
> > On Wed, 2018-03-07 at 11:51 -0700, Jason Gunthorpe wrote:
> > >
> > > On Tue, Mar 06, 2018 at 11:26:26PM -0600, Jiandi An wrote:
> > > >
>
On Wed, 2018-03-07 at 11:51 -0700, Jason Gunthorpe wrote:
> On Tue, Mar 06, 2018 at 11:26:26PM -0600, Jiandi An wrote:
> > TPM_CRB driver is the TPM support for ARM64. If it
> > is built as module, TPM chip is registered after IMA
> > init. tpm_pcr_read() in IMA driver would fail and
> > display
On Wed, 2018-03-07 at 08:54 -0700, Jonathan Corbet wrote:
> On Tue, 06 Mar 2018 13:36:36 -0500
> Mimi Zohar wrote:
>
> > I've heard that some maintainers are moving away from cover letters,
> > since they are not included in the git repo and are lost.
>
> If I get
On Tue, 2018-03-06 at 14:59 -0700, Jason Gunthorpe wrote:
> On Tue, Mar 06, 2018 at 01:36:36PM -0500, Mimi Zohar wrote:
> > On Tue, 2018-03-06 at 08:32 -0800, James Bottomley wrote:
> > > On Tue, 2018-03-06 at 08:06 +, Winkler, Tomas wrote:
> > > > >
> >
On Tue, 2018-03-06 at 15:05 +0100, Jiri Slaby wrote:
> On 11/16/2016, 07:10 PM, David Howells wrote:
> > Here are two sets of patches. Firstly, the first three patches provide a
> > blacklist, making the following changes:
> ...
> > Secondly, the remaining patches allow the UEFI database to be
On Tue, 2018-03-06 at 08:32 -0800, James Bottomley wrote:
> On Tue, 2018-03-06 at 08:06 +, Winkler, Tomas wrote:
> > >
> > >
> > > On Mon, Mar 05, 2018 at 01:09:09PM +, Winkler, Tomas wrote:
> > > >
> > > > Why you need cover letter? What are u missing in the patch
> > > > description
Hi Jarkko,
On Mon, 2018-03-05 at 18:56 +0200, Jarkko Sakkinen wrote:
> In order to make struct tpm_buf the first class object for constructing TPM
> commands, migrate tpm2_probe() to use it.
>
> Signed-off-by: Jarkko Sakkinen
With this patch, the Pi doesn't find the TPM. I'm seeing the
On Mon, 2018-03-05 at 20:01 +0200, Jarkko Sakkinen wrote:
> On Mon, Mar 05, 2018 at 12:56:33PM +0200, Jarkko Sakkinen wrote:
> > On Fri, Mar 02, 2018 at 12:26:35AM +0530, Nayna Jain wrote:
> > >
> > >
> > > On 03/01/2018 02:52 PM, Jarkko Sakkinen wrote:
> > > > On Wed, Feb 28, 2018 at 02:18:27PM
On Mon, 2018-03-05 at 08:50 -0500, Richard Guy Briggs wrote:
> On 2018-03-05 08:43, Mimi Zohar wrote:
> > Hi Richard,
> >
> > This patch has been compiled, but not runtime tested.
>
> Ok, great, thank you. I assume you are offering this patch to be
> included in
Hi Richard,
This patch has been compiled, but not runtime tested.
---
If the containerid is defined, include it in the IMA-audit record.
Signed-off-by: Mimi Zohar
---
security/integrity/ima/ima_api.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/security/integrity/ima/ima_api.c b
On Sun, 2018-03-04 at 22:31 -0500, Richard Guy Briggs wrote:
> On 2018-03-04 16:55, Mimi Zohar wrote:
> > On Thu, 2018-03-01 at 14:41 -0500, Richard Guy Briggs wrote:
> > > Implement audit kernel container ID.
> > >
> > > This patchset is a preliminary RF
On Thu, 2018-03-01 at 14:41 -0500, Richard Guy Briggs wrote:
> Implement audit kernel container ID.
>
> This patchset is a preliminary RFC based on the proposal document (V3)
> posted:
> https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
>
> The first patch implements
On Sat, 2018-02-17 at 16:26 -0800, h...@zytor.com wrote:
> Do you have a description of the gaps you have identified?
Probably the 2016 Linux Security Summit (LSS) integrity status update
has the best list.
http://events17.linuxfoundation.org/sites/events/files/slides/LSS2016-
On Fri, 2018-02-16 at 12:59 -0800, H. Peter Anvin wrote:
> On 02/16/18 12:33, Taras Kondratiuk wrote:
> > Many of the Linux security/integrity features are dependent on file
> > metadata, stored as extended attributes (xattrs), for making decisions.
> > These features need to be initialized during