lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 10 Jan 2022 17:02:02 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     linux-integrity <linux-integrity@...r.kernel.org>,
        linux-kernel <linux-kernel@...r.kernel.org>
Subject: [GIT PULL] integrity subsystem updates for v5.17

Hi Linus,

The few changes are all kexec related:

- The MOK keys are loaded onto the .platform keyring in order to verify
the kexec kernel image signature.  However, the MOK keys should only be
trusted when secure boot is enable.  Before loading the MOK keys onto
the .platform keyring, make sure the system is booted in secure boot
mode.

- When carrying the IMA measurement list across kexec, limit dumping
the measurement list to when dynamic debug or CONFIG_DEBUG is enabled.

- kselftest: add kexec_file_load selftest support for PowerNV and other
cleanup.

thanks,

Mimi


The following changes since commit 136057256686de39cc3a07c2e39ef6bc43003ff6:

  Linux 5.16-rc2 (2021-11-21 13:47:39 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.17

for you to fetch changes up to 65e38e32a959dbbb0bf5cf1ae699789f81759be6:

  selftests/kexec: Enable secureboot tests for PowerPC (2022-01-05 11:44:57 -0500)

----------------------------------------------------------------
integrity-v5.17

----------------------------------------------------------------
Bruno Meneguele (1):
      ima: silence measurement list hexdump during kexec

Lee, Chun-Yi (1):
      integrity: Do not load MOK and MOKx when secure boot be disabled

Mimi Zohar (2):
      selftest/kexec: fix "ignored null byte in input" warning
      selftests/kexec: update searching for the Kconfig

Nageswara R Sastry (1):
      selftests/kexec: Enable secureboot tests for PowerPC

Takashi Iwai (1):
      ima: Fix undefined arch_ima_get_secureboot() and co

 include/linux/ima.h                                | 30 ++++++-------
 security/integrity/ima/ima_kexec.c                 |  6 +--
 security/integrity/platform_certs/load_uefi.c      |  5 +++
 tools/testing/selftests/kexec/Makefile             |  2 +-
 tools/testing/selftests/kexec/kexec_common_lib.sh  | 51 +++++++++++++++++-----
 .../selftests/kexec/test_kexec_file_load.sh        | 13 ++++--
 6 files changed, 74 insertions(+), 33 deletions(-)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ