lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1403620852-16476-1-git-send-email-zohar@linux.vnet.ibm.com>
Date:	Tue, 24 Jun 2014 10:40:46 -0400
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	David Howells <dhowells@...hat.com>
Cc:	Mimi Zohar <zohar@...ux.vnet.ibm.com>,
	keyrings <keyrings@...ux-nfs.org>,
	linux-security-module <linux-security-module@...r.kernel.org>,
	linux-kernel <linux-kernel@...r.kernel.org>,
	Josh Boyer <jwboyer@...hat.com>,
	Matthew Garrett <mjg59@...f.ucam.org>,
	Dmitry Kasatkin <dmitry.kasatkin@...il.com>
Subject: [PATCH v6 0/6] ima: extending secure boot certificate chain of trust

The original patches extended the secure boot signature chain of trust
to IMA-appraisal, by allowing only certificates signed by a 'trusted'
key on the system_trusted_keyring to be added to the IMA keyring.

Instead of allowing public keys, with certificates signed by any key
on the system trusted keyring, to be added to a trusted keyring, this
patch set further restricts the certificates to those signed by a
particular key, or the builtin keys, on the system keyring.

Other than the "KEYS: validate certificate trust only with builtin keys"
patch, which is included in this patch set for completeness, but can be
deferred until the UEFI key patches are upstreamed, these patches are
ready to be upstreamed.  David, how do you want to go forward with
this patchset.  Did you want to take them?

thanks,

Mimi

Dmitry Kasatkin (3):
  KEYS: make partial key id matching as a dedicated function
  KEYS: validate certificate trust only with selected owner key
  KEYS: validate certificate trust only with builtin keys

Mimi Zohar (3):
  KEYS: special dot prefixed keyring name bug fix
  KEYS: verify a certificate is signed by a 'trusted' key
  ima: define '.ima' as a builtin 'trusted' keyring

 Documentation/kernel-parameters.txt      |   5 ++
 crypto/asymmetric_keys/asymmetric_keys.h |   2 +
 crypto/asymmetric_keys/asymmetric_type.c |  51 +++++++++------
 crypto/asymmetric_keys/x509_public_key.c | 109 ++++++++++++++++++++++++++++++-
 include/keys/system_keyring.h            |  10 ++-
 include/linux/key.h                      |   1 +
 kernel/system_keyring.c                  |   1 +
 security/integrity/digsig.c              |  28 ++++++++
 security/integrity/ima/Kconfig           |  10 +++
 security/integrity/ima/ima.h             |  12 ++++
 security/integrity/ima/ima_main.c        |  10 ++-
 security/integrity/integrity.h           |   5 ++
 security/keys/keyctl.c                   |   6 +-
 13 files changed, 225 insertions(+), 25 deletions(-)

-- 
1.8.1.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ