lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <50878e7747c6dc70493c54f35e9e71031c8ebb10.camel@linux.ibm.com>
Date:   Tue, 29 Aug 2023 16:06:53 -0400
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     linux-integrity <linux-integrity@...r.kernel.org>,
        linux-kernel <linux-kernel@...r.kernel.org>
Subject: [GIT PULL] integrity: susbystem updates for v6.6

Hi Linus,

Two IMA changes, a code cleanup, and a kernel-doc update:

- With commit 099f26f22f58 ("integrity: machine keyring CA
configuration")
certificates may be loaded onto the IMA keyring, directly or indirectly
signed by keys on either the "builtin" or the "machine" keyrings. With
the
ability for the system/machine owner to sign the IMA policy itself
without
needing to recompile the kernel, update the IMA architecture specific
policy rules to require the IMA policy itself be signed.

[As commit 099f26f22f58 was upstreamed in linux-6.4, updating the IMA
architecture specific policy to require signed IMA policies may break
userspace expectations.]

- IMA only checked the file data hash was not on the system blacklist
keyring for files with an appended signature (e.g. kernel modules,
Power
kernel image). Check all file data hashes regardless of how it was
signed.

thanks,

Mimi

The following changes since commit
5d0c230f1de8c7515b6567d9afba1f196fb4e2f4:

  Linux 6.5-rc4 (2023-07-30 13:23:47 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-
integrity.git tags/integrity-v6.6

for you to fetch changes up to
55e2b69649be38f1788b38755070875b96111d2f:

  kexec_lock: Replace kexec_mutex() by kexec_lock() in two comments
(2023-08-07 09:55:42 -0400)

----------------------------------------------------------------
integrity-v6.6

----------------------------------------------------------------
Coiby Xu (1):
      ima: require signed IMA policy when UEFI secure boot is enabled

Eric Snowberg (1):
      integrity: Always reference the blacklist keyring with appraisal

Nayna Jain (1):
      ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig

Wenyu Liu (1):
      kexec_lock: Replace kexec_mutex() by kexec_lock() in two comments

 Documentation/ABI/testing/ima_policy  |  6 +++---
 arch/powerpc/kernel/ima_arch.c        |  8 ++++----
 kernel/kexec_file.c                   |  2 +-
 security/integrity/ima/Kconfig        | 12 ------------
 security/integrity/ima/ima_appraise.c | 12 +++++++-----
 security/integrity/ima/ima_efi.c      |  3 +++
 security/integrity/ima/ima_kexec.c    |  2 +-
 security/integrity/ima/ima_policy.c   | 17 +++++------------
 8 files changed, 24 insertions(+), 38 deletions(-)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ