| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Jun 2014 10:40:46 -0400 From: Mimi Zohar <zohar@...ux.vnet.ibm.com> To: David Howells <dhowells@...hat.com> Cc: Mimi Zohar <zohar@...ux.vnet.ibm.com>, keyrings <keyrings@...ux-nfs.org>, linux-security-module <linux-security-module@...r.kernel.org>, linux-kernel <linux-kernel@...r.kernel.org>, Josh Boyer <jwboyer@...hat.com>, Matthew Garrett <mjg59@...f.ucam.org>, Dmitry Kasatkin <dmitry.kasatkin@...il.com> Subject: [PATCH v6 0/6] ima: extending secure boot certificate chain of trust The original patches extended the secure boot signature chain of trust to IMA-appraisal, by allowing only certificates signed by a 'trusted' key on the system_trusted_keyring to be added to the IMA keyring. Instead of allowing public keys, with certificates signed by any key on the system trusted keyring, to be added to a trusted keyring, this patch set further restricts the certificates to those signed by a particular key, or the builtin keys, on the system keyring. Other than the "KEYS: validate certificate trust only with builtin keys" patch, which is included in this patch set for completeness, but can be deferred until the UEFI key patches are upstreamed, these patches are ready to be upstreamed. David, how do you want to go forward with this patchset. Did you want to take them? thanks, Mimi Dmitry Kasatkin (3): KEYS: make partial key id matching as a dedicated function KEYS: validate certificate trust only with selected owner key KEYS: validate certificate trust only with builtin keys Mimi Zohar (3): KEYS: special dot prefixed keyring name bug fix KEYS: verify a certificate is signed by a 'trusted' key ima: define '.ima' as a builtin 'trusted' keyring Documentation/kernel-parameters.txt | 5 ++ crypto/asymmetric_keys/asymmetric_keys.h | 2 + crypto/asymmetric_keys/asymmetric_type.c | 51 +++++++++------ crypto/asymmetric_keys/x509_public_key.c | 109 ++++++++++++++++++++++++++++++- include/keys/system_keyring.h | 10 ++- include/linux/key.h | 1 + kernel/system_keyring.c | 1 + security/integrity/digsig.c | 28 ++++++++ security/integrity/ima/Kconfig | 10 +++ security/integrity/ima/ima.h | 12 ++++ security/integrity/ima/ima_main.c | 10 ++- security/integrity/integrity.h | 5 ++ security/keys/keyctl.c | 6 +- 13 files changed, 225 insertions(+), 25 deletions(-) -- 1.8.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists