| Message ID | 1550153052.4078.5.camel@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [GIT,PULL] linux-integrity patches for Linux 5.1 | expand |
On Thu, 14 Feb 2019, Mimi Zohar wrote: > Hi James, > > Linux 5.0 introduced the platform keyring to allow verifying the IMA > kexec kernel image signature using the pre-boot keys. This pull > request similarly makes keys on the platform keyring accessible for > verifying the PE kernel image signature.* > > Also included in this pull request is a new IMA hook that tags tmp > files, in policy, indicating the file hash needs to be calculated. > The remaining patches are cleanup. > > *Upstream commit "993a110319a4 (x86/kexec: Fix a kexec_file_load() > failure)" is required for testing. > Thanks! Applied to git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-integrity and next-testing.
Hi James, Linux 5.0 introduced the platform keyring to allow verifying the IMA kexec kernel image signature using the pre-boot keys. This pull request similarly makes keys on the platform keyring accessible for verifying the PE kernel image signature.* Also included in this pull request is a new IMA hook that tags tmp files, in policy, indicating the file hash needs to be calculated. The remaining patches are cleanup. *Upstream commit "993a110319a4 (x86/kexec: Fix a kexec_file_load() failure)" is required for testing. Mimi The following changes since commit 2181e084b26bddca22bc3f23364c15809cfed28b: LSM: SafeSetID: remove unused include (2019-01-30 12:29:53 -0800) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity for you to fetch changes up to e7fde070f39bc058c356cf366cb17ac2d643abb0: evm: Use defined constant for UUID representation (2019-02-04 17:36:01 -0500) ---------------------------------------------------------------- Andy Shevchenko (1): evm: Use defined constant for UUID representation Kairui Song (2): integrity, KEYS: add a reference to platform keyring kexec, KEYS: Make use of platform keyring for signature verify Mimi Zohar (2): encrypted-keys: fix Opt_err/Opt_error = -1 ima: define ima_post_create_tmpfile() hook and add missing call YueHaibing (1): evm: remove set but not used variable 'xattr' arch/x86/kernel/kexec-bzimage64.c | 14 ++++++++++--- certs/system_keyring.c | 23 ++++++++++++++++++++- fs/namei.c | 1 + include/keys/system_keyring.h | 8 ++++++++ include/linux/ima.h | 5 +++++ include/linux/verification.h | 1 + security/integrity/digsig.c | 3 +++ security/integrity/evm/evm_crypto.c | 3 +-- security/integrity/evm/evm_main.c | 6 +----- security/integrity/ima/ima_main.c | 35 ++++++++++++++++++++++++++++++-- security/keys/encrypted-keys/encrypted.c | 4 ++-- 11 files changed, 88 insertions(+), 15 deletions(-)