Message-ID: <73739875882e9f7416f0958f8589a09089e53d9e.camel@linux.ibm.com>
Date:   Mon, 31 May 2021 11:58:20 -0400
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Roberto Sassu <roberto.sassu@...wei.com>, mjg59@...f.ucam.org
Cc:     linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 0/7] ima: Add template fields to verify EVM portable
 signatures

On Fri, 2021-05-28 at 09:38 +0200, Roberto Sassu wrote:
> The recent patch set 'evm: Improve usability of portable signatures' added
> the possibility to include EVM portable signatures in the IMA measurement
> list.
> 
> However, the information necessary to verify the signature was not
> included in the IMA measurement list. This patch set introduces new
> template fields to accomplish this goal:
> 
> - 'iuid': the inode UID;
> - 'igid': the inode GID;
> - 'imode': the inode mode;
> - 'xattrnames': a list of xattr names (separated by |), only if the xattr is
>   present;
> - 'xattrlengths': a list of xattr lengths (u32), only if the xattr is present;
> - 'xattrvalues': a list of xattr values;
> 
> Patch 1 adds a helper function to show integers in the measurement list.
> Patches 2, 3 and 5 introduce new template fields. Patch 4 makes it possible
> to verify EVM portable signatures which protect xattrs belonging to LSMs
> not enabled in the target platform. Patch 6 introduces the new IMA template
> evm-sig. Patch 7 fixes a small issue in evm_write_xattrs() when audit is
> not enabled.

Thanks, Roberto. 

Applied to: git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
next-integrity-testing branch.

Mimi
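
The three xattr fields listed in the quoted cover letter can be paired back into name/value form by a measurement-list verifier before it recomputes what the EVM portable signature covers. The following is an added example, not code from this message or from the patch set. Assumptions: the fields arrive as raw bytes, the u32 lengths are little-endian, values are concatenated in name order, and `pair_evm_xattrs` and `constructed_sample` are hypothetical names.

```python
import struct


def pair_evm_xattrs(names: bytes, lengths: bytes, values: bytes) -> dict:
    """Rebuild {xattr name: value} from xattrnames, xattrlengths, xattrvalues."""
    # Tolerate a NUL terminator if the log reader kept one on the name list.
    text = names.rstrip(b"\x00").decode("ascii")
    name_list = text.split("|") if text else []
    if len(lengths) % 4:
        raise ValueError("xattrlengths is not a whole number of u32 entries")
    # Assumption: each length is a little-endian u32.
    length_list = struct.unpack("<%dI" % (len(lengths) // 4), lengths)
    if len(name_list) != len(length_list):
        raise ValueError("xattrnames and xattrlengths disagree on entry count")
    if len(set(name_list)) != len(name_list):
        raise ValueError("duplicate xattr name in xattrnames")
    # The lengths must account for every byte of xattrvalues, otherwise
    # the split below would silently mis-assign value bytes.
    if sum(length_list) != len(values):
        raise ValueError("xattrvalues size does not match sum of xattrlengths")
    paired, offset = {}, 0
    for name, size in zip(name_list, length_list):
        paired[name] = values[offset:offset + size]
        offset += size
    return paired


def constructed_sample():
    """Constructed sample fields (not taken from a real measurement list)."""
    selinux = b"system_u:object_r:bin_t:s0\x00"
    caps = bytes.fromhex("0100000200200000000000000000000000000000")
    names = b"security.selinux|security.capability"
    lengths = struct.pack("<II", len(selinux), len(caps))
    return names, lengths, selinux + caps


if __name__ == "__main__":
    for name, value in pair_evm_xattrs(*constructed_sample()).items():
        print(name, len(value), value.hex())
```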
