On Fri, Jul 7, 2017 at 10:28 AM, Stewart Smith
wrote:
> Michael Ellerman writes:
>> Stewart Smith writes:
>>> Oliver O'Halloran writes:
diff --git a/arch/powerpc/include/asm/opal-api.h
On Thu, Jul 6, 2017 at 8:20 PM, Michael Ellerman wrote:
> Stewart Smith writes:
>> Oliver O'Halloran writes:
>>> diff --git a/arch/powerpc/include/asm/opal-api.h
>>> b/arch/powerpc/include/asm/opal-api.h
>>> index
Michael Ellerman writes:
> Stewart Smith writes:
>> Oliver O'Halloran writes:
>>> diff --git a/arch/powerpc/include/asm/opal-api.h
>>> b/arch/powerpc/include/asm/opal-api.h
>>> index 0e2e57bcab50..cb9c0e6afb33 100644
>>> ---
This patch introduces the modsig keyword to the IMA policy syntax to
specify that a given hook should expect the file to have the IMA signature
appended to it. Here is how it can be used in a rule:
appraise func=KEXEC_KERNEL_CHECK appraise_type=modsig|imasig
With this rule, IMA will accept
When module-style signatures appended at the end of files are supported for
IMA appraisal, the code will fall back to the xattr signature if the
appended one fails to verify.
The problem is that we don't know whether we need to fall back to the xattr
signature until the appraise step, and by then
This avoids a dependency cycle in CONFIG_IMA_APPRAISE_MODSIG (introduced by
a later patch in this series): it will select CONFIG_MODULE_SIG_FORMAT
which in turn selects CONFIG_KEYS. Kconfig then complains that
CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS.
Signed-off-by: Thiago Jung Bauermann
IMA will need to obtain the keyring used to verify file signatures so that
it can verify the module-style signature appended to files.
Signed-off-by: Thiago Jung Bauermann
---
security/integrity/digsig.c| 28 +++-
Add function verify_pkcs7_message_signature which takes a struct
pkcs7_message for verification instead of the raw bytes that
verify_pkcs7_signature takes.
This will be used by IMA to verify files with module-style appended
signatures.
Signed-off-by: Thiago Jung Bauermann
IMA will use the module_signature format for append signatures, so export
the relevant definitions and factor out the code which verifies that the
appended signature trailer is valid.
Also, create a CONFIG_MODULE_SIG_FORMAT option so that IMA can select it
and be able to use
Even though struct evm_ima_xattr_data includes a fixed-size array to hold a
SHA1 digest, most of the code ignores the array and uses the struct to mean
"type indicator followed by data of unspecified size" and tracks the real
size of what the struct represents in a separate length variable.
The
Hello,
The main change in this version is that the process of first trying to
verify a modsig and then trying an xattr sig if the former fails is now done
in ima_appraise_measurement instead of process_measurement. As a result, the
changes needed in the latter are small.
This is possible because
Hi Nicholas,
[auto build test ERROR on powerpc/next]
[also build test ERROR on v4.12 next-20170706]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system]
url:
https://github.com/0day-ci/linux/commits/Nicholas-Piggin/machine-check-handling
On Wed, 5 Jul 2017 14:04:19 +1000
Nicholas Piggin wrote:
> Unrecovered MCE and HMI errors are sent through a special restart
> OPAL call to log the platform error. The downside is that they don't
> go through normal crash paths, so they don't give much information
> to the
On Wed, 5 Jul 2017 22:08:16 +0530
"Gautham R. Shenoy" wrote:
> From: "Gautham R. Shenoy"
>
> Currently, we use the opal call opal_slw_set_reg() to inform the
> Sleep-Winkle Engine (SLW) to restore the contents of some of the
>
On Wed, 5 Jul 2017 22:08:15 +0530
"Gautham R. Shenoy" wrote:
> From: "Gautham R. Shenoy"
>
> On POWER9 DD1, in order to get around a hardware issue, we store in
> every CPU thread's paca the paca pointers of all its siblings.
>
> Move this
On Wed, 5 Jul 2017 22:08:14 +0530
"Gautham R. Shenoy" wrote:
> From: "Gautham R. Shenoy"
>
> In this patch we define a new function named pnv_power8_idle_init().
>
> We move the following code from pnv_init_idle_states() into this newly
>
On Wed, 5 Jul 2017 22:08:13 +0530
"Gautham R. Shenoy" wrote:
> From: "Gautham R. Shenoy"
>
> In the current idle initialization code, if there are failures in
> pnv_probe_idle_states, then no platform idle state is
> enabled. However, since
On Wed, 5 Jul 2017 22:08:12 +0530
"Gautham R. Shenoy" wrote:
> From: "Gautham R. Shenoy"
>
> The details of the platform idle state are exposed by the firmware to
> the kernel via device tree.
>
> In the current code, we parse the device tree
Hi Maddy/Anju,
Comments inline ...
Anju T Sudhakar writes:
> From: Madhavan Srinivasan
>
> Parse device tree to detect IMC units. Traverse through each IMC unit
> node to find supported events and corresponding unit/scale files (if any).
>
>
Christophe Lombard writes:
> This patch removes this restriction and all page faults, whatever the
> reason, will be handled. In this case, the interruption is always
> acknowledged.
This can also be done by adding a call to cxl_ack_ae(ctx) at the end of
There are two cases outside the normal address space management
where a CPU's local TLB is to be flushed:
1. Host boot; in case something has left stale entries in the
TLB (e.g., kexec).
2. Machine check; to clean corrupted TLB entries.
CPU state restore from deep idle states also
Stewart Smith writes:
> Oliver O'Halloran writes:
>> diff --git a/arch/powerpc/include/asm/opal-api.h
>> b/arch/powerpc/include/asm/opal-api.h
>> index 0e2e57bcab50..cb9c0e6afb33 100644
>> --- a/arch/powerpc/include/asm/opal-api.h
>> +++
The workaround for the CELL timebase bug does not correctly mark cr0 as
being clobbered. This can result in GCC making some poor^W completely
broken optimisations.
Signed-off-by: Oliver O'Halloran
---
arch/powerpc/include/asm/reg.h | 2 +-
1 file changed, 1 insertion(+), 1