This avoids a dependency cycle in soon-to-be-introduced
CONFIG_IMA_APPRAISE_MODSIG: it will select CONFIG_MODULE_SIG_FORMAT
which in turn selects CONFIG_KEYS. Kconfig then complains that
CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS.
Signed-off-by: Thiago Jung Bauermann <ba
function.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com>
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
security/integrity/digsig_asymmetric.c | 44 +-
security/integrity/integrity.h | 8 +++
2 files changed, 41 inser
ost places the array doesn't hold a
digest.
A separate struct evm_xattr is introduced, with the original definition of
evm_ima_xattr_data to be used in the places that actually expect that
definition.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com>
---
security/integrity/
IMA will need to obtain the keyring used to verify file signatures so that
it can verify the module-style signature appended to files.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com>
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
security/integrity/digs
. Verifying that
sinfo->sig->digest isn't NULL is sufficient because both places which
allocate sinfo->sig (pkcs7_parse_message() and pkcs7_note_signed_info())
use kzalloc() so sig->digest is always initialized to zero.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com>
Revie
message, so add pkcs7_get_message_sig().
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com>
Reviewed-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Cc: David Howells <dhowe...@redhat.com>
Cc: David Woodhouse <dw...@infradead.org>
Cc: Herbert Xu <herb...@gondor
() without having to depend on
CONFIG_MODULE_SIG.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com>
Reviewed-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Cc: Jessica Yu <j...@kernel.org>
---
include/linux/module.h | 3 --
include/linux/modul
"ima: Write modsig to the measurement list"
- Since now we determine whether we'll use an xattr sig or a modsig
at the time they are read, there's no need to store a measurement
again in the modsig case. Thus, this patch doesn't need to change
ima_store_measurement() nor proces
gt; /*
I think I'm slow today. It took me a while to figure out why this is
buggy. It will leave the VMA with the execute-only pkey if prot = 0.
Other bit combinations work fine IIUC.
Reviewed-by: Thiago Jung Bauermann <bauer...@linux.ibm.com>
--
Thiago Jung Bauermann
IBM Linux Technology Center
Ram Pai <linux...@us.ibm.com> writes:
> On Wed, Apr 04, 2018 at 06:41:01PM -0300, Thiago Jung Bauermann wrote:
>>
>> Hello Ram,
>>
>> Ram Pai <linux...@us.ibm.com> writes:
>>
>> > Applications need the ability to associate an address-ran
pkey_iamr_mask &= ~(0x1ul << pkeyshift(i));
> @@ -145,7 +147,9 @@ void pkey_mm_init(struct mm_struct *mm)
> {
> if (static_branch_likely(_disabled))
> return;
> - mm_pkey_allocation_map(mm) = initial_allocation_mask;
> +
> + /* allocate key-0
not supported
Fixes: a0458284f062 ("powerpc: Add support code for kexec_file_load()")
Reported-by: Dave Young <dyo...@redhat.com>
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
arch/powerpc/kernel/machine_kexec_file_64.c | 2 +-
1 file changed, 1 in
Dave Hansen <dave.han...@intel.com> writes:
> On 03/28/2018 01:47 PM, Thiago Jung Bauermann wrote:
>>>>if (flags)
>>>> - assert(rdpkey_reg() > orig_pkey_reg);
>>>> + assert(rdpkey_reg() < orig_pkey_reg);
>>>>
t; +assert(rdpkey_reg() < orig_pkey_reg);
>> }
>>
>> void pkey_write_allow(int pkey)
>
> This seems so horribly wrong that I wonder how it worked in the first
> place. Any idea?
The code simply wasn't used. pkey_disable_clear() is called by
pkey_write_allow() and pkey_access_allow(), but before this patch series
nothing called either of these functions.
--
Thiago Jung Bauermann
IBM Linux Technology Center
Ram Pai <linux...@us.ibm.com> writes:
> On Fri, Feb 23, 2018 at 03:33:43PM -0300, Thiago Jung Bauermann wrote:
>> This test exercises read and write access to the AMR, IAMR and UAMOR.
>>
>
> Tested-by: Ram Pai <linux...@us.ibm.com>
> Acked-by: Ram
dprintf4("read_pkey_reg(line=%d) pkey_reg: %016lx shadow: %016lx\n",
+ dprintf4("read_pkey_reg(line=%d) pkey_reg: "PKEY_REG_FMT
+ " shadow: "PKEY_REG_FMT"\n",
line, pkey_reg, shadow_pkey_reg);
assert(pkey_reg == shadow_pkey_reg);
--
Thiago Jung Bauermann
IBM Linux Technology Center
Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> writes:
> Now the modsig is only ignored if it references a signature that is not
> present in IMA's keyring (or if there's a parsing error, obviously). If the
The above should read "Now the modsig is only ignored if it
that verify_pkcs7_signature()
takes.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
Cc: David Howells <dhowe...@redhat.com>
Cc: David Woodhouse <dw...@infradead.org>
Cc: Herbert Xu <herb...@gondor.apana.org.au>
Cc: "David S. Miller" <da...@davem
d-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
Documentation/security/IMA-templates.rst | 5
security/integrity/ima/ima_template.c | 4 ++-
security/integrity/ima/ima_template_lib.c | 47 +++
signature.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/ima/ima.h | 11 +++-
security/integrity/ima/ima_appraise.c | 53 +++
security/integrity/ima/ima_main.c | 21 +++---
3 files chang
This is the code needed by IMA-appraise to work with modsig signatures.
It will be used by the next two patches.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/ima/Kconfig | 3 +
security/integrity/ima/ima.h| 41
se
com>
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
Documentation/ABI/testing/ima_policy | 6 +-
security/integrity/ima/Kconfig | 10 ++
security/integrity/ima/Makefile | 1 +
security/integrity/ima/ima.h | 9 +
security/i
ima_read_modsig() will need it so that it can show an error message.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/ima/ima.h| 2 ++
security/integrity/ima/ima_policy.c | 12 ++--
2 files changed, 8 insertions(+), 6 deletions(-)
This avoids a dependency cycle in CONFIG_IMA_APPRAISE_MODSIG (introduced by
a later patch in this series): it will select CONFIG_MODULE_SIG_FORMAT
which in turn selects CONFIG_KEYS. Kconfig then complains that
CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS.
Signed-off-by: Thiago Jung Bauermann
function.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/digsig_asymmetric.c | 44 +-
security/integrity/integrity.h | 8 +++
2 files changed, 41 insertions(+), 11 deletions(-)
diff --git a/security/int
IMA will need to obtain the keyring used to verify file signatures so that
it can verify the module-style signature appended to files.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/digsig.c| 28 +---
security/int
ed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/ima/ima.h | 5 +
security/integrity/ima/ima_appraise.c | 7 +++
security/integrity/ima/ima_template_lib.c | 2 +-
3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/security/i
. Verifying that
sinfo->sig->digest isn't NULL is sufficient because both places which
allocate sinfo->sig (pkcs7_parse_message() and pkcs7_note_signed_info())
use kzalloc() so sig->digest is always initialized to zero.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
() without having to depend on
CONFIG_MODULE_SIG.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
Reviewed-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Cc: Jessica Yu <j...@kernel.org>
---
include/linux/module.h | 3 --
include/linux/modul
n fails.
- Pass NULL xattr_value to evm_verifyxattr even in the case of xattr
signature in ima_appraise_measurement (suggested by Mimi Zohar).
- Use switch statement provided by Mimi Zohar to check result of
evm_verifyxattr.
- If the modsig verification succeeds, copy the hash calculated during
Joe Perches <j...@perches.com> writes:
> On Thu, 2018-03-15 at 14:57 +0300, Dan Carpenter wrote:
>> On Wed, Mar 14, 2018 at 06:22:07PM -0300, Thiago Jung Bauermann wrote:
>> >
>> > SF Markus Elfring <elfr...@users.sourceforge.net> writes:
>
> This issue was detected by using the Coccinelle software.
>
> Signed-off-by: Markus Elfring <elfr...@users.sourceforge.net>
> ---
> arch/powerpc/kernel/machine_kexec_file_64.c | 28
> 1 file changed, 12 insertions(+), 16 deletions(-)
I liked
This test verifies that the AMR, IAMR and UAMOR are being written to a
process' core file.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
tools/testing/selftests/powerpc/ptrace/Makefile| 5 +-
tools/testing/selftests/powerpc/ptrace/core-pkey.c
This test exercises read and write access to the AMR, IAMR and UAMOR.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
tools/testing/selftests/powerpc/include/reg.h | 1 +
tools/testing/selftests/powerpc/ptrace/Makefile| 5 +-
tools/testing/selftests/p
This test verifies that the AMR, IAMR and UAMOR are being written to a
process' core file.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
tools/testing/selftests/powerpc/ptrace/Makefile| 5 +-
tools/testing/selftests/powerpc/ptrace/core-pkey.c
This test exercises read and write access to the AMR, IAMR and UAMOR.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
tools/testing/selftests/powerpc/include/reg.h | 1 +
tools/testing/selftests/powerpc/ptrace/Makefile| 5 +-
tools/testing/selftests/p
these tests
separately from the one coming from x86 so here they are.
Thiago Jung Bauermann (2):
selftests/powerpc: Add ptrace tests for Protection Key registers
selftests/powerpc: Add core file test for Protection Key registers
tools/testing/selftests/powerpc/include/reg.h | 1 +
tools
gt; - get_paca()->io_sync = 0;\
> - } \
> - } while (0)
> +#define CLEAR_IO_SYNCdo { r14_clear_bits(R14_BIT_IO_SYNC); } while(0)
Is there a reason for the do { } while(0) idiom here? If
r14_clear_bits() is an inline functi
Mimi Zohar <zo...@linux.vnet.ibm.com> writes:
> On Tue, 2017-10-17 at 22:53 -0200, Thiago Jung Bauermann wrote:
>> IMA will use the module_signature format for append signatures, so export
>> the relevant definitions and factor out the code which verifies that the
>>
Hello Mimi,
Thanks for your review.
Mimi Zohar <zo...@linux.vnet.ibm.com> writes:
> On Tue, 2017-10-17 at 22:53 -0200, Thiago Jung Bauermann wrote:
>
>> diff --git a/security/integrity/ima/ima_main.c
>> b/security/integrity/ima/ima_main.c
>> index 6a2
Add modsig support for templates which require the contents of the file
signature to be included in the measurement list.
Suggested-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/ima/ima.h
This patch actually implements the appraise_type=modsig option, allowing
IMA to read and verify modsig signatures
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/ima/ima.h | 17 +++--
security/integrity/ima/ima_appraise.c
This is the code needed by IMA-appraise to work with modsig signatures.
It will be used by the next patch.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/ima/Kconfig | 3 +
security/integrity/ima/ima.h| 34 +++
security/int
because the actual modsig implementation
will be introduced in a separate patch.
Suggested-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
Documentation/ABI/testing/ima_policy | 6 +-
security/integrity/ima/Kconfi
IMA will need to obtain the keyring used to verify file signatures so that
it can verify the module-style signature appended to files.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/digsig.c| 28 +++-
security/int
verify_pkcs7_message_signature which takes a struct
pkcs7_message for verification instead of the raw bytes that
verify_pkcs7_signature takes.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
certs/system_keyring.c| 60 +--
crypto/asymmetri
validate_module_signature without having to depend on
CONFIG_MODULE_SIG.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
include/linux/module.h | 3 --
include/linux/module_signature.h | 47 +
init/Kconfig | 6 +++-
kernel/Ma
ima_read_modsig will need it so that it can show an error message.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/ima/ima.h| 2 ++
security/integrity/ima/ima_policy.c | 12 ++--
2 files changed, 8 insertions(+), 6 deletions(-)
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/ima/ima_main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/security/integrity/ima/ima_main.c
b/security/integrity/ima/ima_main.c
index 747a4fd9e2de..8e96450e27f5 100644
--
and not actually required, just don't do it.
Suggested-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/ima/ima_appraise.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/i
This avoids a dependency cycle in CONFIG_IMA_APPRAISE_MODSIG (introduced by
a later patch in this series): it will select CONFIG_MODULE_SIG_FORMAT
which in turn selects CONFIG_KEYS. Kconfig then complains that
CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS.
Signed-off-by: Thiago Jung Bauermann
ata, since in most places the array
doesn't hold a digest.
A separate struct evm_xattr is introduced, with the original definition of
evm_ima_xattr_data to be used in the places that actually expect that
definition.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
securi
Replace nested ifs in the EVM xattr verification logic with a switch
statement, making the code easier to understand.
Also, add comments to the if statements in the out section.
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vne
The "goto out" statement doesn't have any purpose since there's no cleanup
to be done when returning early, so remove it. This also makes the rc
variable unnecessary so remove it as well.
Also, the xattr_len and fmt variables are redundant so remove them as well.
Signed-off-by: T
the object files from
before and after the patch. They are identical.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/evm/evm_posix_acl.c | 8
security/integrity/ima/ima_fs.c| 6 +++---
security/integrity/ima/ima_queue.c | 6 +++
that it can be easily
dropped if the churn and conflict potential is deemed not worth it.
Confirmed that the patch is correct by comparing the object files from
before and after the patch. They are identical.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
se
.
Confirmed that the patch is correct by comparing the object files from
before and after the patch. They are identical.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/ima/ima_appraise.c | 11 +--
security/integrity/ima/ima_template_lib.
is correct by comparing the object file from
before and after the patch. They are identical.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/ima/ima_appraise.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/integri
yxattr even in the case of xattr
signature in ima_appraise_measurement (suggested by Mimi Zohar).
- Use switch statement provided by Mimi Zohar to check result of
evm_verifyxattr.
- If the modsig verification succeeds, copy the hash calculated during
the verification to the iint cac
{
> - pr_err("could not allocate event data\n");
> ret = -ENOMEM;
> goto e_free;
> }
Reviewed-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
--
Thiago Jung Bauermann
IBM Linux Technology Center
Hello Thomas,
Thanks for your comments.
Thomas Gleixner <t...@linutronix.de> writes:
> On Wed, 4 Oct 2017, Thiago Jung Bauermann wrote:
>
>> It turns out that not all paths calling arch_update_cpu_topology hold
>> cpu_hotplug_lock, but that's ok because those paths
2.864172] ---[ end trace 240e34251693e732 ]---
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
Fixes: 3e401f7a2e51 ("powerpc: Only obtain cpu_hotplug_lock if called by rtasd")
Link: https://lists.ozlabs.org/pipermail/linuxppc-dev/2017-September/163244.html
Link:
Ram Pai <linux...@us.ibm.com> writes:
> On Fri, Aug 11, 2017 at 02:34:43PM -0300, Thiago Jung Bauermann wrote:
>> Expose useful information for programs using memory protection keys.
>> Provide implementation for powerpc and x86.
>>
>> On a powerpc system
Michael Ellerman <m...@ellerman.id.au> writes:
> Ram Pai <linux...@us.ibm.com> writes:
>> On Thu, Aug 17, 2017 at 05:30:27PM -0300, Thiago Jung Bauermann wrote:
>>> Ram Pai <linux...@us.ibm.com> writes:
>>> > On Thu, Aug 10, 2017 at 06:27:34PM -0
Ram Pai <linux...@us.ibm.com> writes:
> On Thu, Aug 10, 2017 at 05:25:39PM -0300, Thiago Jung Bauermann wrote:
>>
>> Ram Pai <linux...@us.ibm.com> writes:
>> > static inline void pkey_initialize(void)
>> > {
>> > + int os_reserved, i;
>
Ram Pai <linux...@us.ibm.com> writes:
> On Thu, Aug 10, 2017 at 06:27:34PM -0300, Thiago Jung Bauermann wrote:
>>
>> Ram Pai <linux...@us.ibm.com> writes:
>> > --- a/arch/powerpc/include/asm/cputable.h
>> > +++ b/arch/powerpc/include/asm/cputable.h
/protection_keys/total_keys <==
1
==> /sys/kernel/mm/protection_keys/usable_keys <==
0
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
Ram asked me to add a sysfs interface for the memory protection keys
feature. Here it is.
If you have suggestions on what sho
pkey_inited = !radix_enabled();
> +
> + if (!pkey_inited)
> + return;
>
> - /* Lets assume 32 keys */
> - pkeys_total = 32;
> + /* Lets assume 32 keys if we are not told
> + * the number of pkeys.
> + */
> + if (!pkeys_total)
> + pkeys_total = 32;
>
> #ifdef CONFIG_PPC_4K_PAGES
> /*
This patch should remove the comment "disable the pkey system till
everything is in place. A patch further down the line will enable it.".
--
Thiago Jung Bauermann
IBM Linux Technology Center
ONFIG_PPC64_MEMORY_PROTECTION_KEYS
> + err |= __put_user(get_paca()->paca_amr, >gp_regs[PT_AMR]);
> +#endif /* CONFIG_PPC64_MEMORY_PROTECTION_KEYS */
> +
> return err;
> }
Isn't a corresponding change needed in restore_sigcontext? And in the
corresponding TM versions setup_tm_sigcontexts and restore_tm_sigcontexts?
Ditto for the equivalent functions in signal_32.c.
--
Thiago Jung Bauermann
IBM Linux Technology Center
f /* CONFIG_PPC_TRANSACTIONAL_MEM */
> +#ifdef CONFIG_PPC64_MEMORY_PROTECTION_KEYS
> + if (arch_pkeys_enabled()) {
> + current->thread.amr = 0x0ul;
> + current->thread.iamr = 0x0ul;
> + current->thread.uamor = 0x0ul;
> + }
> +#endif /* CONFIG_PPC64_MEMORY_PROTECTION_KEYS */
> }
> EXPORT_SYMBOL(start_thread);
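Review bot: inside the `if (arch_pkeys_enabled())` block only the saved copies in current->thread (amr, iamr, uamor) are zeroed, and nothing in the visible lines writes the registers themselves. Please confirm that the AMR, IAMR and UAMOR are loaded from these fields before the new program starts running, and add a one-line comment saying why 0x0ul is the intended initial value for all three.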
--
Thiago Jung Bauermann
IBM Linux Technology Center
H */
In v6, key 31 was also reserved, but it's not in this version. Is this
intentional?
Isn't it better for this function to be in pkeys.c? Ideally, functions
should be in .c files not in headers unless they're very small or
performance sensitive IMHO.
--
Thiago Jung Bauermann
IBM Linux Technology Center
.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/ima/Kconfig| 13 +++
security/integrity/ima/Makefile | 1 +
security/integrity/ima/ima.h | 70 +++-
security/integrity/ima/ima_appraise.c
, and by then the measure step was already
completed and would need to be done again in case the template includes the
signature.
To avoid this problem, do the appraisal first so that the correct signature
is stored by the template in the measure step.
Signed-off-by: Thiago Jung Bauermann <ba
This avoids a dependency cycle in CONFIG_IMA_APPRAISE_MODSIG (introduced by
a later patch in this series): it will select CONFIG_MODULE_SIG_FORMAT
which in turn selects CONFIG_KEYS. Kconfig then complains that
CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS.
Signed-off-by: Thiago Jung Bauermann
IMA will need to obtain the keyring used to verify file signatures so that
it can verify the module-style signature appended to files.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/digsig.c| 28 +++-
security/int
verify_pkcs7_message_signature which takes a struct
pkcs7_message for verification instead of the raw bytes that
verify_pkcs7_signature takes.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
certs/system_keyring.c| 60 +--
crypto/asymmetri
validate_module_signature without having to depend on
CONFIG_MODULE_SIG.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
include/linux/module.h | 3 --
include/linux/module_signature.h | 47 +
init/Kconfig | 6 +++-
kernel/Ma
ata, since in most places the array
doesn't hold a digest.
A separate struct evm_xattr is introduced, with the original definition of
evm_ima_xattr_data to be used in the places that actually expect that
definition.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
securi
d new xattr "subtype" IMA_MODSIG. (suggested by Mimi)
- Check whether a hook supports modsig when the policy is being parsed.
(suggested by Mimi)
- If the modsig verification fails, look for an xattr signature.
(suggested by Mimi)
- Add integrity_keyring_from_id function.
- Pu
Mimi Zohar <zo...@linux.vnet.ibm.com> writes:
> On Wed, 2017-08-02 at 18:52 -0400, Mimi Zohar wrote:
>> On Wed, 2017-08-02 at 14:42 -0300, Thiago Jung Bauermann wrote:
>> > Mimi Zohar <zo...@linux.vnet.ibm.com> writes:
>
>> > >> @@ -229,8 +251,2
Mimi Zohar <zo...@linux.vnet.ibm.com> writes:
> On Thu, 2017-07-06 at 19:17 -0300, Thiago Jung Bauermann wrote:
>> --- a/security/integrity/ima/ima_appraise.c
>> +++ b/security/integrity/ima/ima_appraise.c
>> @@ -200,18 +200,40 @@ int ima_read_xattr(struct dent
Hello Mimi,
Thanks for your review!
The patch at the end of the email implements your suggestions, what do
you think?
Mimi Zohar <zo...@linux.vnet.ibm.com> writes:
> On Thu, 2017-07-06 at 19:17 -0300, Thiago Jung Bauermann wrote:
>> A separate struct evm_hmac_xatt
Michael Ellerman <m...@ellerman.id.au> writes:
> Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> writes:
>> Ram Pai <linux...@us.ibm.com> writes:
> ...
>>> +
>>> + /* We got one, store it and use it from here on out */
>
userspace so it needs to be an errno as well (-EINVAL?).
> +
> + if (!mm_pkey_is_allocated(mm, pkey))
> + return -EINVAL;
> +
> + mm_set_pkey_free(mm, pkey);
> +
> + return 0;
> }
--
Thiago Jung Bauermann
IBM Linux Technology Center
Ram Pai <linux...@us.ibm.com> writes:
> On Fri, Jul 28, 2017 at 07:17:13PM -0300, Thiago Jung Bauermann wrote:
>>
>> Ram Pai <linux...@us.ibm.com> writes:
>> > --- a/arch/powerpc/mm/pkeys.c
>> > +++ b/arch/powerpc/mm/pkeys.c
>> > @@
to read them once in __execute_only_pkey and pass
down their values to the callees, and then write them once at the end of
the function?
This function is used both by the mmap syscall and the mprotect syscall
(but not by pkey_mprotect) if the requested protection is execute-only.
--
Thiago Jung Bauermann
IBM Linux Technology Center
> + return true;
> + }
> +
> + amr = read_amr(); /* delay reading amr uptil absolutely needed */
Actually, this is causing amr to be read twice in case control enters
the "if (!write)" block above but doesn't enter the other if block nested
in it.
read_amr should be called only once, right before "if (!write)".
--
Thiago Jung Bauermann
IBM Linux Technology Center
inline void init_iamr(int pkey, u8 init_bits)
> +{
> + u64 new_iamr_bits = (((u64)init_bits & 0x3UL) << pkeyshift(pkey));
> + u64 old_iamr = read_iamr() & ~((u64)(0x3ul) << pkeyshift(pkey));
> +
> + write_amr(old_iamr | new_iamr_bits);
> +}
init_iamr should call write_iamr, not write_amr.
--
Thiago Jung Bauermann
IBM Linux Technology Center
}
Shouldn't the saving and restoring of the SPRs be guarded by a check for
whether memory protection keys are enabled? What happens when trying to
access these registers on a CPU which doesn't have them?
--
Thiago Jung Bauermann
IBM Linux Technology Center
Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com> writes:
> diff --git a/arch/powerpc/include/asm/pkeys.h
> b/arch/powerpc/include/asm/pkeys.h
> index e31f5ee8e81f..67e6a3a343ae 100644
> --- a/arch/powerpc/include/asm/pkeys.h
> +++ b/arch/powerpc/include/asm/pk
ms to be from an earlier version which has the logic
inverted, and there is no PKEY_ENABLE_EXECUTE. Should the comment be
updated to the following?
By default execute is enabled.
To disable execute, PKEY_DISABLE_EXECUTE needs to be specified.
--
Thiago Jung Bauermann
IBM Linux Technology Center
hat the
early return is inlined into the caller? Ditto for execute_only_pkey
and __arch_override_mprotect_pkey.
--
Thiago Jung Bauermann
IBM Linux Technology Center
+ * key 0 is used by default. It give read/write/execute permission.
> + * key 31 is reserved by the hypervisor.
> + * key 1 is recommended to be not used.
> + * PowerISA(3.0) page 1015, programming note.
> + */
> +#define PKEY_INITIAL_ALLOCAION 0xc001
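Review bot: the value 0xc001 given to PKEY_INITIAL_ALLOCAION has bits 0, 14 and 15 set, while the comment above it names keys 0, 1 and 31, so the mapping from key number to mask bit is not evident from these lines. The comment should state the bit ordering used by the allocation mask, or the constant should be rechecked against the keys it is meant to reserve.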
There's a typo in the
.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/ima/Kconfig| 13 +++
security/integrity/ima/Makefile | 1 +
security/integrity/ima/ima.h | 60 ++--
security/integrity/ima/ima_appraise.c
, and by then the measure step was already
completed and would need to be done again in case the template includes the
signature.
To avoid this problem, do the appraisal first so that the correct signature
is stored by the template in the measure step.
Signed-off-by: Thiago Jung Bauermann <ba
This avoids a dependency cycle in CONFIG_IMA_APPRAISE_MODSIG (introduced by
a later patch in this series): it will select CONFIG_MODULE_SIG_FORMAT
which in turn selects CONFIG_KEYS. Kconfig then complains that
CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS.
Signed-off-by: Thiago Jung Bauermann
IMA will need to obtain the keyring used to verify file signatures so that
it can verify the module-style signature appended to files.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
security/integrity/digsig.c| 28 +++-
security/int
Add function verify_pkcs7_message_signature which takes a struct
pkcs7_message for verification instead of the raw bytes that
verify_pkcs7_signature takes.
This will be used by IMA to verify files with module-style appended
signatures.
Signed-off-by: Thiago Jung Bauermann <ba
validate_module_signature without having to depend on
CONFIG_MODULE_SIG.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
include/linux/module.h | 3 --
include/linux/module_signature.h | 47 +
init/Kconfig | 6 +++-
kernel/Ma
ata, since in most places the array
doesn't hold a digest.
A separate struct evm_hmac_xattr is introduced, with the original
definition of evm_ima_xattr_data to be used in the places that actually
expect that definition.
Signed-off-by: Thiago Jung Bauermann <bauer...@linux.vnet.ibm.com>
---
se