[<prev] [next>] [day] [month] [year] [list]
Message-ID: <50878e7747c6dc70493c54f35e9e71031c8ebb10.camel@linux.ibm.com>
Date: Tue, 29 Aug 2023 16:06:53 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: linux-integrity <linux-integrity@...r.kernel.org>,
linux-kernel <linux-kernel@...r.kernel.org>
Subject: [GIT PULL] integrity: susbystem updates for v6.6
Hi Linus,
Two IMA changes, a code cleanup, and a kernel-doc update:
- With commit 099f26f22f58 ("integrity: machine keyring CA
configuration")
certificates may be loaded onto the IMA keyring, directly or indirectly
signed by keys on either the "builtin" or the "machine" keyrings. With
the
ability for the system/machine owner to sign the IMA policy itself
without
needing to recompile the kernel, update the IMA architecture specific
policy rules to require the IMA policy itself be signed.
[As commit 099f26f22f58 was upstreamed in linux-6.4, updating the IMA
architecture specific policy to require signed IMA policies may break
userspace expectations.]
- IMA only checked the file data hash was not on the system blacklist
keyring for files with an appended signature (e.g. kernel modules,
Power
kernel image). Check all file data hashes regardless of how it was
signed.
thanks,
Mimi
The following changes since commit
5d0c230f1de8c7515b6567d9afba1f196fb4e2f4:
Linux 6.5-rc4 (2023-07-30 13:23:47 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-
integrity.git tags/integrity-v6.6
for you to fetch changes up to
55e2b69649be38f1788b38755070875b96111d2f:
kexec_lock: Replace kexec_mutex() by kexec_lock() in two comments
(2023-08-07 09:55:42 -0400)
----------------------------------------------------------------
integrity-v6.6
----------------------------------------------------------------
Coiby Xu (1):
ima: require signed IMA policy when UEFI secure boot is enabled
Eric Snowberg (1):
integrity: Always reference the blacklist keyring with appraisal
Nayna Jain (1):
ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig
Wenyu Liu (1):
kexec_lock: Replace kexec_mutex() by kexec_lock() in two comments
Documentation/ABI/testing/ima_policy | 6 +++---
arch/powerpc/kernel/ima_arch.c | 8 ++++----
kernel/kexec_file.c | 2 +-
security/integrity/ima/Kconfig | 12 ------------
security/integrity/ima/ima_appraise.c | 12 +++++++-----
security/integrity/ima/ima_efi.c | 3 +++
security/integrity/ima/ima_kexec.c | 2 +-
security/integrity/ima/ima_policy.c | 17 +++++------------
8 files changed, 24 insertions(+), 38 deletions(-)
Powered by blists - more mailing lists