lists.openwall.net: Open Source and information security mailing list archives
Message-Id: <20210130004519.25106-1-tusharsu@linux.microsoft.com>
Date:   Fri, 29 Jan 2021 16:45:16 -0800
From:   Tushar Sugandhi <tusharsu@...ux.microsoft.com>
To:     zohar@...ux.ibm.com, stephen.smalley.work@...il.com,
        casey@...aufler-ca.com, agk@...hat.com, snitzer@...hat.com,
        gmazyland@...il.com, paul@...l-moore.com
Cc:     tyhicks@...ux.microsoft.com, sashal@...nel.org, jmorris@...ei.org,
        nramas@...ux.microsoft.com, linux-integrity@...r.kernel.org,
        selinux@...r.kernel.org, linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org, dm-devel@...hat.com
Subject: [PATCH 0/3] support for duplicate measurement of integrity critical data

IMA does not measure duplicate buffer data since TPM extend is a very
expensive operation.  However, in some cases for integrity critical
data, the measurement of duplicate data is necessary to accurately
determine the current state of the system.  E.g., SELinux state changing
from 'audit' to 'enforcing', and back to 'audit' again.  In this
example, currently, IMA will not measure the last state change to
'audit'.  This limits the ability of attestation services to accurately
determine the current state of the integrity critical data on the
system.

This series addresses this gap by providing the ability to measure
duplicate entries for integrity critical data, driven by policy.

This series is based on the following repo/branch/commit:
 repo: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
 branch: next-integrity-testing
 commit b3f82afc1041 ("IMA: Measure kernel version in early boot") 

Tushar Sugandhi (3):
  IMA: add policy condition to measure duplicate critical data
  IMA: update functions to read allow_dup policy condition
  IMA: add support to measure duplicate buffer for critical data hook

 Documentation/ABI/testing/ima_policy  |  4 +++-
 security/integrity/ima/ima.h          |  8 +++----
 security/integrity/ima/ima_api.c      | 15 +++++++------
 security/integrity/ima/ima_appraise.c |  2 +-
 security/integrity/ima/ima_init.c     |  2 +-
 security/integrity/ima/ima_main.c     |  9 ++++----
 security/integrity/ima/ima_policy.c   | 31 ++++++++++++++++++++++++---
 security/integrity/ima/ima_queue.c    |  5 +++--
 8 files changed, 54 insertions(+), 22 deletions(-)

-- 
2.17.1
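The measurement gap the cover letter describes, as an added Python model that is not part of this series or of the kernel's IMA code: a digest-deduplicating log with a single simulated PCR, run over the audit -> enforcing -> audit sequence with and without duplicate measurement. The `allow_dup` flag, the `selinux-state` event name and the simulated PCR are assumptions of the model, not the series' actual policy syntax.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class MeasurementLog:
    """Toy model of the IMA measurement list plus one simulated PCR bank."""
    entries: list = field(default_factory=list)  # (event_name, digest_hex)
    seen: set = field(default_factory=set)       # digests already measured
    pcr: bytes = bytes(32)                       # simulated SHA-256 PCR value

    def measure(self, event_name, buf, allow_dup=False):
        """Record a buffer measurement; return True if an entry was added.
        Like IMA, skip a buffer whose digest was measured before, unless the
        (assumed) allow_dup policy condition applies to this event."""
        digest = hashlib.sha256(buf).digest()
        if not allow_dup and digest in self.seen:
            return False
        self.seen.add(digest)
        self.entries.append((event_name, digest.hex()))
        # PCR extend: new = H(old || digest); a skipped entry is missing here too
        self.pcr = hashlib.sha256(self.pcr + digest).digest()
        return True

def last_state(log, event_name):
    """Digest an attestation service would take as the current value of
    event_name, i.e. the most recent log entry for that event."""
    for name, digest in reversed(log.entries):
        if name == event_name:
            return digest
    return None

def run_scenario(allow_dup):
    """Constructed sequence from the cover letter: audit -> enforcing -> audit."""
    log = MeasurementLog()
    for state in (b"audit", b"enforcing", b"audit"):
        log.measure("selinux-state", state, allow_dup=allow_dup)
    return log

def verifier_sees_true_state(allow_dup):
    """True if the last logged selinux-state entry matches the real final state."""
    log = run_scenario(allow_dup)
    return last_state(log, "selinux-state") == hashlib.sha256(b"audit").hexdigest()

if __name__ == "__main__":
    for dup in (False, True):
        print(f"allow_dup={dup}: entries={len(run_scenario(dup).entries)}, "
              f"verifier correct={verifier_sees_true_state(dup)}")
```

Without duplicate measurement the log ends at 'enforcing' and the verifier infers the wrong current state; with it, the third transition is recorded and the PCR value differs accordingly.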
