Message-ID: <04e413ed5db93479848f1127a1a664a03df3bd2b.camel@linux.ibm.com>
Date:   Tue, 02 Aug 2022 17:55:14 -0400
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     linux-integrity <linux-integrity@...r.kernel.org>,
        linux-kernel <linux-kernel@...r.kernel.org>
Subject: [GIT PULL] integrity subsystem updates for v6.0

Hi Linus,

Aside from the one EVM cleanup patch, all the other changes are kexec
related.

On different architectures different keyrings are used to verify the
kexec'ed kernel image signature.  Here are a number of preparatory
cleanup patches and the patches themselves for making the keyrings -
builtin_trusted_keyring, .machine, .secondary_trusted_keyring, and
.platform - consistent across the different architectures.

The root of trust for the different keyrings was described in the cover
letter and is retained in the merge message.

Note: Stephen is carrying a merge conflict patch with
commit 68b8e9713c8e ("x86/setup: Use rng seeds from setup_data").

thanks,

Mimi

The following changes since commit 067d2521874135267e681c19d42761c601d503d6:

  ima: Fix potential memory leak in ima_init_crypto() (2022-07-13 10:13:58 -0400)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v6.0

for you to fetch changes up to 88b61b130334212f8f05175e291c04adeb2bf30b:

  Merge remote-tracking branch 'linux-integrity/kexec-keyrings' into next-integrity (2022-07-26 15:58:49 -0400)

----------------------------------------------------------------
integrity-v6.0

----------------------------------------------------------------
Coiby Xu (3):
      kexec: clean up arch_kexec_kernel_verify_sig
      kexec, KEYS: make the code in bzImage64_verify_sig generic
      arm64: kexec_file: use more system keyrings to verify kernel image signature

Michal Suchanek (1):
      kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification

Mimi Zohar (1):
      Merge remote-tracking branch 'linux-integrity/kexec-keyrings' into next-integrity

Naveen N. Rao (2):
      kexec_file: drop weak attribute from functions
      kexec: drop weak attribute from functions

Xiu Jianfeng (1):
      evm: Use IS_ENABLED to initialize .enabled

 arch/arm64/include/asm/kexec.h        | 18 +++++++-
 arch/arm64/kernel/kexec_image.c       | 11 +----
 arch/powerpc/include/asm/kexec.h      | 14 ++++++
 arch/s390/include/asm/kexec.h         | 14 ++++++
 arch/s390/kernel/machine_kexec_file.c | 18 +++++---
 arch/x86/include/asm/kexec.h          | 12 +++++
 arch/x86/kernel/kexec-bzimage64.c     | 20 +--------
 include/linux/kexec.h                 | 82 +++++++++++++++++++++++++++++-----
 kernel/kexec_core.c                   | 27 ------------
 kernel/kexec_file.c                   | 83 +++++++++++++----------------------
 security/integrity/evm/evm_main.c     | 52 ++++++++++------------
 11 files changed, 195 insertions(+), 156 deletions(-)
