[PATCH 0/4] Basic trusted keys support for TPM 2.0

2015-10-02 Thread Jarkko Sakkinen
Basic trusted keys support, which means basic sealing with an authentication value by using SHA256. After we get the groundwork in place the functionality will be refined with algorithmic agility and policy based sealing.

Jarkko Sakkinen (4):
  tpm: introduce struct tpm_buf
  trusted: move struct

[PATCH 2/4] trusted: move struct trusted_key_options to trusted-type.h

2015-10-02 Thread Jarkko Sakkinen
Moved struct trusted_key_options to trusted-type.h so that the fields can be accessed from drivers/char/tpm. Signed-off-by: Jarkko Sakkinen --- include/keys/trusted-type.h | 13 + security/keys/trusted.h | 11 --- 2 files changed, 13 insertions(+), 11 deletions(-) diff -

[PATCH 3/4] tpm: seal/unseal for TPM 2.0

2015-10-02 Thread Jarkko Sakkinen
Added tpm_trusted_seal() and tpm_trusted_unseal() API for sealing trusted keys. This patch implements basic sealing and unsealing functionality for TPM 2.0:

* Seal with a parent key using a 20 byte auth value.
* Unseal with a parent key using a 20 byte auth value.

Signed-off-by: Jarkko Sakkinen

[PATCH 4/4] keys, trusted: seal/unseal with TPM 2.0 chips

2015-10-02 Thread Jarkko Sakkinen
Call tpm_seal_trusted() and tpm_unseal_trusted() for TPM 2.0 chips. Signed-off-by: Jarkko Sakkinen --- drivers/char/tpm/tpm2-cmd.c | 2 +- include/linux/tpm_command.h | 1 - security/keys/trusted.c | 18 ++ security/keys/trusted.h | 7 +++ 4 files changed, 22 inser

[PATCH] Smack: Minor initialisation improvement

2015-10-02 Thread José Bollo
This change has two goals:

- delay the setting of 'smack_enabled' until it will be really effective
- ensure that smackfs is valid only if 'smack_enabled' is set (it is already the case in smack_netfilter.c)

Signed-off-by: José Bollo --- security/smack/smack_lsm.c | 4 ++-- security/smac

[PATCH] Smack: Fix wrong copy size

2015-10-02 Thread José Bollo
The function strncpy was copying an extra character when i == len (which is possible via the revoke interface). Change-Id: Ic7452da05773e620a1d7bbc55e859c25a86c65f6 Signed-off-by: José Bollo Signed-off-by: Stephane Desneux --- security/smack/smack_access.c | 2 +- 1 file changed, 1 insertion(+), 1 d

[PATCH] KEYS: use kvfree() in add_key

2015-10-02 Thread Geliang Tang
There is no need to make a flag to tell that this memory is allocated by kmalloc or vmalloc. Just use kvfree to free the memory. Signed-off-by: Geliang Tang --- security/keys/keyctl.c | 8 +--- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/security/keys/keyctl.c b/security/key

Re: [PATCH v3 2/2] Adds ima_root_ca keyring;

2015-10-02 Thread Mimi Zohar
On Thu, 2015-09-10 at 14:17 +0300, Petko Manolov wrote:
> The .system keyring is populated at kernel build time and read-only while the
> system is running. There is no way to dynamically add other user's CA so
> .ima_root_ca was introduced as read-write keyring that stores these
> certificates.

Re: [rfc] [patch] persistent IMA policy file

2015-10-02 Thread Mimi Zohar
On Sun, 2015-09-27 at 18:23 +0300, Petko Manolov wrote:
> On 15-09-23 23:06:54, Mimi Zohar wrote:
> > On Tue, 2015-09-22 at 18:19 +0300, Petko Manolov wrote:
> > >
> > > Well, this is a sore point. I don't have sufficient knowledge about how
> > > audit_rule_xxx callbacks work and the only safe

Re: [PATCH 1/1] integrity: prevent loading untrusted certificates to IMA trusted keyring

2015-10-02 Thread Mimi Zohar
On Thu, 2015-09-10 at 22:06 +0300, Dmitry Kasatkin wrote:
> If IMA_LOAD_X509 is enabled either directly or indirectly via
> IMA_APPRAISE_SIGNED_INIT, it enables certificate loading to the IMA trusted
> keyring from the kernel. Due to the overlook, KEY_ALLOC_TRUSTED was used in
> the
> key_create_o