lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 12 Nov 2008 22:47:10 -0500
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	linux-kernel@...r.kernel.org
Cc:	Mimi Zohar <zohar@...ux.vnet.ibm.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	James Morris <jmorris@...ei.org>,
	Christoph Hellwig <hch@...radead.org>,
	Al Viro <viro@...IV.linux.org.uk>,
	David Safford <safford@...son.ibm.com>,
	Serge Hallyn <serue@...ux.vnet.ibm.com>
Subject: [PATCH 0/4] integrity

The Linux Integrity Module (LIM) Framework provides hooks
for modules to perform collection, appraisal, and storage
of system integrity measurements. One such module, IMA,
collects measurements of file data, maintains this list
in the kernel, and if available, stores (extends) the
measurements into a hardware TPM. These measurements are
collected, appraised, and stored before any access
(read or execute) to the data, so that malicious code or
data cannot remove or cover up its own measurement, to avoid
detection. If the measurements are anchored in a TPM, the
TPM can sign the measurements, for proof of integrity
to a third party, such as in enterprise client management.

Integrity measurement is complementary to LSM mandatory
access control, which can be used to protect the integrity
of system files. Integrity measurement policies can take
advantage of LSM labels in deciding what to measure and
to detect when the protection fails, with hardware strength.

This patch set addresses a couple of concerns raised on
the mailing list:

- Uses a radix tree to store integrity information
  associated with an inode, instead of extending the
  inode structure.
- Moves hooks out of vfs_permission and file_permission,
  which are deprecated.
- Fixes the template list locking.
- Updates and clarifies the integrity_audit kernel
  command line option.

Dave Safford
Mimi Zohar (4):
  integrity: TPM internel kernel interface
  integrity: Linux Integrity Module(LIM)
  integrity: IMA as an integrity service provider
  integrity: IMA radix tree
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ