Date:   Tue, 24 May 2022 16:46:10 -0400
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     linux-integrity <linux-integrity@...r.kernel.org>,
        linux-kernel <linux-kernel@...r.kernel.org>
Subject: [GIT PULL] integrity subsystem updates for v5.19

Hi Linus,

New is IMA support for including fs-verity file digests and signatures
in the IMA measurement list as well as verifying the fs-verity file
digest based signatures, both based on policy.

In addition, there are two bug fixes:
- avoid reading UEFI variables, which cause a page fault, on Apple Macs
with T2 chips.
- remove the original "ima" template Kconfig option to address a boot
command line ordering issue.

The rest is a mixture of code/documentation cleanup.

thanks,

Mimi

The following changes since commit 3123109284176b1532874591f7c81f3837bbdc17:

  Linux 5.18-rc1 (2022-04-03 14:08:21 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v5.19

for you to fetch changes up to 048ae41bb0806cde340f4e5d5030398037ab0be8:

  integrity: Fix sparse warnings in keyring_handler (2022-05-16 17:06:16 -0400)

----------------------------------------------------------------
integrity-v5.19

----------------------------------------------------------------
Aditya Garg (1):
      efi: Do not import certificates from UEFI Secure Boot for T2 Macs

Colin Ian King (1):
      ima: remove redundant initialization of pointer 'file'.

GUO Zihua (1):
      ima: remove the IMA_TEMPLATE Kconfig option

Mimi Zohar (8):
      ima: fix 'd-ng' comments and documentation
      ima: use IMA default hash algorithm for integrity violations
      fs-verity: define a function to return the integrity protected file digest
      ima: define a new template field named 'd-ngv2' and templates
      ima: permit fsverity's file digests in the IMA measurement list
      ima: support fs-verity file digest based version 3 signatures
      fsverity: update the documentation
      Merge branch 'next-integrity.fsverity-v9' into next-integrity

Stefan Berger (3):
      evm: Return INTEGRITY_PASS for enum integrity_status value '0'
      evm: Clean up some variables
      integrity: Fix sparse warnings in keyring_handler

 Documentation/ABI/testing/ima_policy               |  45 +++++++-
 Documentation/admin-guide/kernel-parameters.txt    |   3 +-
 Documentation/filesystems/fsverity.rst             |  35 ++++---
 Documentation/security/IMA-templates.rst           |  11 +-
 fs/verity/Kconfig                                  |   1 +
 fs/verity/fsverity_private.h                       |   7 --
 fs/verity/measure.c                                |  43 ++++++++
 include/linux/fsverity.h                           |  18 ++++
 security/integrity/digsig.c                        |   3 +-
 security/integrity/evm/evm.h                       |   3 -
 security/integrity/evm/evm_crypto.c                |   2 +-
 security/integrity/evm/evm_main.c                  |   2 +-
 security/integrity/ima/Kconfig                     |  14 ++-
 security/integrity/ima/ima_api.c                   |  47 ++++++++-
 security/integrity/ima/ima_appraise.c              | 114 ++++++++++++++++++++-
 security/integrity/ima/ima_main.c                  |   4 +-
 security/integrity/ima/ima_policy.c                |  82 +++++++++++++--
 security/integrity/ima/ima_template.c              |   4 +
 security/integrity/ima/ima_template_lib.c          |  94 ++++++++++++++---
 security/integrity/ima/ima_template_lib.h          |   4 +
 security/integrity/integrity.h                     |  27 ++++-
 .../integrity/platform_certs/keyring_handler.c     |   6 +-
 .../integrity/platform_certs/keyring_handler.h     |   8 ++
 security/integrity/platform_certs/load_uefi.c      |  33 ++++++
 24 files changed, 531 insertions(+), 79 deletions(-)
