Basic trusted keys support, which means basic sealing with an
authentication value by using SHA256. After we get the groundwork in
place the functionality will be refined with algorithmic agility and
policy based sealing.
Jarkko Sakkinen (4):
tpm: introduce struct tpm_buf
trusted: move struct
Moved struct trusted_key_options to trustes-type.h so that the fields
can be accessed from drivers/char/tpm.
Signed-off-by: Jarkko Sakkinen
---
include/keys/trusted-type.h | 13 +
security/keys/trusted.h | 11 ---
2 files changed, 13 insertions(+), 11 deletions(-)
diff -
Added tpm_trusted_seal() and tpm_trusted_unseal() API for sealing
trusted keys.
This patch implements basic sealing and unsealing functionality for
TPM 2.0:
* Seal with a parent key using a 20 byte auth value.
* Unseal with a parent key using a 20 byte auth value.
Signed-off-by: Jarkko Sakkinen
Call tpm_seal_trusted() and tpm_unseal_trusted() for TPM 2.0 chips.
Signed-off-by: Jarkko Sakkinen
---
drivers/char/tpm/tpm2-cmd.c | 2 +-
include/linux/tpm_command.h | 1 -
security/keys/trusted.c | 18 ++
security/keys/trusted.h | 7 +++
4 files changed, 22 inser
This change has two goals:
- delay the setting of 'smack_enabled' until
it will be really effective
- ensure that smackfs is valid only if 'smack_enabled'
is set (it is already the case in smack_netfilter.c)
Signed-off-by: José Bollo
---
security/smack/smack_lsm.c | 4 ++--
security/smac
The function strncpy was copying an extra character
when i == len (what is possible via revoke interface).
Change-Id: Ic7452da05773e620a1d7bbc55e859c25a86c65f6
Signed-off-by: José Bollo
Signed-off-by: Stephane Desneux
---
security/smack/smack_access.c | 2 +-
1 file changed, 1 insertion(+), 1 d
There is no need to make a flag to tell that this memory is allocated by
kmalloc or vmalloc. Just use kvfree to free the memory.
Signed-off-by: Geliang Tang
---
security/keys/keyctl.c | 8 +---
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/security/keys/keyctl.c b/security/key
On Thu, 2015-09-10 at 14:17 +0300, Petko Manolov wrote:
> The .system keyring is populated at kernel build time and read-only while the
> system is running. There is no way to dynamically add other user's CA so
> .ima_root_ca was introduced as read-write keyring that stores these
> certificates.
On Sun, 2015-09-27 at 18:23 +0300, Petko Manolov wrote:
> On 15-09-23 23:06:54, Mimi Zohar wrote:
> > On Tue, 2015-09-22 at 18:19 +0300, Petko Manolov wrote:
> > >
> > > Well, this is a sore point. I don't have sufficient knowledge about how
> > > audit_rule_xxx callbacks work and the only safe
On Thu, 2015-09-10 at 22:06 +0300, Dmitry Kasatkin wrote:
> If IMA_LOAD_X509 is enabled either directly or indirectly via
> IMA_APPRAISE_SIGNED_INIT, it enables certificate loading to the IMA trusted
> keyring from the kernel. Due to the overlook, KEY_ALLOC_TRUSTED was used in
> the
> key_create_o
10 matches
Mail list logo