Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp6316955imb; Fri, 8 Mar 2019 14:45:52 -0800 (PST) X-Google-Smtp-Source: APXvYqxZKoiSPNMdJKDfZYr9qIY8sxpllwS+A5hIoBGgfCfHC8Dg7S3fIZYoE+5rXNw+NTZWOjh9 X-Received: by 2002:a62:5e46:: with SMTP id s67mr20846918pfb.126.1552085152293; Fri, 08 Mar 2019 14:45:52 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1552085152; cv=none; d=google.com; s=arc-20160816; b=nAcgnU+G+9zEGgyOSNv8qCQWT3//t4DpNoPtPr3L2o+SwJUZuGIcIYjkOjfh6Q9ljY UIu/T9PRM89k4lctTXrxsbrncSI7ZkpkApHm3nPAHKM27ZHMVxGWDMc7Cq5k+2wvK2uv DWQ7uftOzFb6AghoPRoasb2PaGjunv8uFmi6ALitV2SP/cv8JSZA8jZq5fwlDe6GbSc2 Wll8AMmBi7xezBczu4/6WX2rwPUTt1dhhFXktQTayZJTcVxBRNKIRXoct0LmzqWj0BwE GVz26DlOVhbt6ZCIP4ak/jYKaVHWtZTPZSobTSI7W1snvc6VPjtHkpc132b6rWP9g2DP 5Vbg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:message-id :subject:cc:to:from:date; bh=XXP2bcD5iQxsenghSCMru2HCLw6t+m4LQnCZ69tRC+E=; b=Zhs5gXrIegtGQ3Xok+m+tdct0Xm3dSigGgNnVIv1a3L+Nr1AOWypz4XsyNRRjhLNNa B0ac5Qu4mms9ESfdpGosk0mKqm4WSjGUwK+w5h7QxT18bh9/iRB4gEiyY6js9jWs3C2K gmll7efDE4N9nbdLts9+HWUWTPuB01WZK3GV5tKxH7lMylKNNor7xkaMuzfOxjEEhgCp saUTCKiqIRISo4trVitNQvmnRGqxqeUVNOhkWhxBwV3KbWXVpQApc5lEOpKYusXe5ddt d1ObsSMkUpTQU5A0hcwizqWX+fbZbWvZ9rhOF/FjJi0Nd+oHfPEnt/TMWbrQpHH1injL KtRQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x19si7855387pfa.130.2019.03.08.14.45.37; Fri, 08 Mar 2019 14:45:52 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726687AbfCHWom (ORCPT + 99 others); Fri, 8 Mar 2019 17:44:42 -0500 Received: from namei.org ([65.99.196.166]:56176 "EHLO namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726286AbfCHWom (ORCPT ); Fri, 8 Mar 2019 17:44:42 -0500 Received: from localhost (localhost [127.0.0.1]) by namei.org (8.14.4/8.14.4) with ESMTP id x28MifXS012154; Fri, 8 Mar 2019 22:44:41 GMT Date: Sat, 9 Mar 2019 09:44:41 +1100 (AEDT) From: James Morris To: Linus Torvalds cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [GIT PULL] security: integrity subsystem updates for v5.1 Message-ID: User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="1665246916-297363024-1552085081=:12052" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --1665246916-297363024-1552085081=:12052 Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: 8BIT Please pull these changes from Mimi Zohar: "Linux 5.0 introduced the platform keyring to allow verifying the IMA kexec kernel image signature using the pre-boot keys. ?This pull request similarly makes keys on the platform keyring accessible for verifying the PE kernel image signature.* Also included in this pull request is a new IMA hook that tags tmp files, in policy, indicating the file hash needs to be calculated. The remaining patches are cleanup." --- The following changes since commit 8bd8ea195f6d135a8d85201116314eb5237ad7e7: Merge tag 'v4.20-rc7' into next-general (2018-12-17 11:24:28 -0800) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-integrity for you to fetch changes up to c7f7e58fcbf33589f11bfde0506e076a00627e59: integrity: Remove references to module keyring (2018-12-17 14:09:39 -0800) ---------------------------------------------------------------- Dave Howells (2): efi: Add EFI signature data types efi: Add an EFI signature blob parser Eric Richter (1): x86/ima: define arch_get_ima_policy() for x86 James Morris (1): Merge branch 'next-integrity' of git://git.kernel.org/.../zohar/linux-integrity into next-integrity Josh Boyer (2): efi: Import certificates from UEFI Secure Boot efi: Allow the "db" UEFI variable to be suppressed Mimi Zohar (4): integrity: support new struct public_key_signature encoding field x86/ima: retry detecting secure boot mode ima: don't measure/appraise files on efivarfs selftests/ima: kexec_load syscall test Nayna Jain (7): x86/ima: define arch_ima_get_secureboot ima: prevent kexec_load syscall based on runtime secureboot flag ima: refactor ima_init_policy() ima: add support for arch specific policies integrity: Define a trusted platform keyring integrity: Load certs to the platform keyring ima: Support platform keyring for kernel appraisal Nikolay Borisov (1): ima: Use inode_is_open_for_write Stefan Berger (1): docs: Extend trusted keys documentation for TPM 2.0 Thiago Jung Bauermann (1): integrity: Remove references to module keyring Documentation/security/keys/trusted-encrypted.rst | 31 +++- arch/x86/kernel/Makefile | 4 + arch/x86/kernel/ima_arch.c | 75 ++++++++ include/linux/efi.h | 34 ++++ include/linux/ima.h | 15 ++ security/integrity/Kconfig | 11 ++ security/integrity/Makefile | 5 + security/integrity/digsig.c | 111 ++++++++---- security/integrity/ima/Kconfig | 10 +- security/integrity/ima/ima_appraise.c | 14 +- security/integrity/ima/ima_main.c | 21 ++- security/integrity/ima/ima_policy.c | 171 +++++++++++++----- security/integrity/integrity.h | 22 ++- security/integrity/platform_certs/efi_parser.c | 108 ++++++++++++ security/integrity/platform_certs/load_uefi.c | 194 +++++++++++++++++++++ .../integrity/platform_certs/platform_keyring.c | 58 ++++++ tools/testing/selftests/Makefile | 1 + tools/testing/selftests/ima/Makefile | 11 ++ tools/testing/selftests/ima/config | 4 + tools/testing/selftests/ima/test_kexec_load.sh | 54 ++++++ 20 files changed, 861 insertions(+), 93 deletions(-) create mode 100644 arch/x86/kernel/ima_arch.c create mode 100644 security/integrity/platform_certs/efi_parser.c create mode 100644 security/integrity/platform_certs/load_uefi.c create mode 100644 security/integrity/platform_certs/platform_keyring.c create mode 100644 tools/testing/selftests/ima/Makefile create mode 100644 tools/testing/selftests/ima/config create mode 100755 tools/testing/selftests/ima/test_kexec_load.sh --1665246916-297363024-1552085081=:12052--