lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <154c360fb6a21849e89ec003cf2be9ef96599393.camel@linux.ibm.com>
Date:   Tue, 29 Aug 2023 16:17:55 -0400
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     linux-integrity <linux-integrity@...r.kernel.org>,
        linux-kernel <linux-kernel@...r.kernel.org>
Subject: [GIT PULL] integrity: susbystem updates for v6.6 (take 2)

Hi Linus,

Two IMA changes, a code cleanup, and a kernel-doc update.

- With commit 099f26f22f58 ("integrity: machine keyring CA
configuration") certificates may be loaded onto the IMA keyring,
directly or indirectly signed by keys on either the "builtin" or the
"machine" keyrings. With the ability for the system/machine owner to
sign the IMA policy itself without needing to recompile the kernel,
update the IMA architecture specific policy rules to require the IMA
policy itself be signed.

[As commit 099f26f22f58 was upstreamed in linux-6.4, updating the IMA
architecture specific policy now to require signed IMA policies may
break userspace expectations.]

- IMA only checked the file data hash was not on the system blacklist
keyring for files with an appended signature (e.g. kernel modules,
Power kernel image). Check all file data hashes regardless of how it
was signed.

thanks,

Mimi


The following changes since commit 5d0c230f1de8c7515b6567d9afba1f196fb4e2f4:

  Linux 6.5-rc4 (2023-07-30 13:23:47 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v6.6

for you to fetch changes up to 55e2b69649be38f1788b38755070875b96111d2f:

  kexec_lock: Replace kexec_mutex() by kexec_lock() in two comments (2023-08-07 09:55:42 -0400)

----------------------------------------------------------------
integrity-v6.6

----------------------------------------------------------------
Coiby Xu (1):
      ima: require signed IMA policy when UEFI secure boot is enabled

Eric Snowberg (1):
      integrity: Always reference the blacklist keyring with appraisal

Nayna Jain (1):
      ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig

Wenyu Liu (1):
      kexec_lock: Replace kexec_mutex() by kexec_lock() in two comments

 Documentation/ABI/testing/ima_policy  |  6 +++---
 arch/powerpc/kernel/ima_arch.c        |  8 ++++----
 kernel/kexec_file.c                   |  2 +-
 security/integrity/ima/Kconfig        | 12 ------------
 security/integrity/ima/ima_appraise.c | 12 +++++++-----
 security/integrity/ima/ima_efi.c      |  3 +++
 security/integrity/ima/ima_kexec.c    |  2 +-
 security/integrity/ima/ima_policy.c   | 17 +++++------------
 8 files changed, 24 insertions(+), 38 deletions(-)hh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ