On Sat, 2019-10-19 at 14:06 -0400, Nayna Jain wrote:
> process_buffer_measurement() is limited to measuring the kexec boot
> command line. This patch makes process_buffer_measurement() more
> generic, allowing it to measure other types of buffer data (e.g.
> blacklisted binary hashes or key hashes)
On Sat, 2019-10-19 at 14:06 -0400, Nayna Jain wrote:
> diff --git a/Documentation/ABI/testing/ima_policy
> b/Documentation/ABI/testing/ima_policy
> index 29ebe9afdac4..4c97afcc0f3c 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -25,6 +25,7 @@
On Sat, 2019-10-19 at 14:06 -0400, Nayna Jain wrote:
> index ..65d82ee74ea4
> --- /dev/null
> +++ b/arch/powerpc/kernel/ima_arch.c
> @@ -0,0 +1,39 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Copyright (C) 2019 IBM Corporation
> + * Author: Nayna Jain
> + */
> +
> +#include
>
On Sat, 2019-10-19 at 14:06 -0400, Nayna Jain wrote:
> This patch adds the measurement rules to the arch specific policies on
> trusted boot enabled systems.
This version does not add rules to the existing arch specific policy,
but defines an arch specific trusted boot only policy and a combined
s
On Oct 19 2019, Christophe Leroy wrote:
> Hi Nathan,
>
> While trying to switch powerpc VDSO to C version of gettimeofday(), I'm
> getting the following kind of error with vdsotest:
>
> passing NULL to clock_getres (VDSO): terminated by unexpected signal 11
>
> Looking at commit a9446a906f52 ("li
Hi Mimi,
On 10/11/2019 09:19 AM, Mimi Zohar wrote:
On Mon, 2019-10-07 at 21:14 -0400, Nayna Jain wrote:
Asymmetric private keys are used to sign multiple files. The kernel
currently supports checking against the blacklisted keys. However, if the
public key is blacklisted, any file signed by the
Hi Michael,
On 10/15/2019 07:29 AM, Michael Ellerman wrote:
Nayna Jain writes:
This patch adds the measurement rules to the arch specific policies on
trusted boot enabled systems.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
---
arch/powerpc/kernel/ima_arch.c | 45 ++
PowerNV systems use a Linux-based bootloader, which relies on the IMA
subsystem to enforce different secure boot modes. Since the verification
policy may differ based on the secure boot mode of the system, the
policies must be defined at runtime.
This patch implements arch-specific support to defin
This patch updates the arch-specific policies for PowerNV systems to make
sure that the binary hash is not blacklisted.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi Zohar
---
arch/powerpc/kernel/ima_arch.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/powerpc/ke
Asymmetric private keys are used to sign multiple files. The kernel
currently supports checking against blacklisted keys. However, if the
public key is blacklisted, any file signed by the blacklisted key will
automatically fail signature verification. We might not want to blacklist
all the files sig
The -EKEYREJECTED error returned by existing is_hash_blacklisted() is
misleading when called for checking against blacklisted hash of a
binary.
This patch adds a wrapper function is_binary_blacklisted() to return
-EPERM error if binary is blacklisted.
Signed-off-by: Nayna Jain
Reviewed-by: Mimi
process_buffer_measurement() is limited to measuring the kexec boot
command line. This patch makes process_buffer_measurement() more
generic, allowing it to measure other types of buffer data (e.g.
blacklisted binary hashes or key hashes).
This patch modifies the function to conditionally retrieve
This patch adds the measurement rules to the arch specific policies on
trusted boot enabled systems.
Signed-off-by: Nayna Jain
---
arch/powerpc/kernel/ima_arch.c | 34 +-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kernel/ima_arch.c
While secure boot permits only properly verified signed kernels to be
booted, trusted boot takes a measurement of the kernel image prior to
boot that can be subsequently compared against good known values via
attestation services.
This patch reads the trusted boot state of a PowerNV system. The st
This patch defines a function to detect the secure boot state of a
PowerNV system.
The PPC_SECURE_BOOT config represents the base enablement of secure boot
for powerpc.
Signed-off-by: Nayna Jain
---
arch/powerpc/Kconfig | 10 +
arch/powerpc/include/asm/secure_boot.h |
This patchset extends the previous version[1] by adding support for
checking against a blacklist of binary hashes.
The IMA subsystem supports custom, built-in, arch-specific policies to
define the files to be measured and appraised. These policies are honored
based on priority, where arch-specific
Hi Nathan,
While trying to switch powerpc VDSO to C version of gettimeofday(), I'm
getting the following kind of error with vdsotest:
passing NULL to clock_getres (VDSO): terminated by unexpected signal 11
Looking at commit a9446a906f52 ("lib/vdso/32: Remove inconsistent NULL
pointer checks"