linux.git/Documentation/security, branch master Linux kernel source tree Merge tag 'integrity-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity 2026-06-19T18:32:05+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-19T18:32:05+00:00 0798268aa4c26ece25020b3ddeeef9a5941209c0 Pull IMA updates from Mimi Zohar: - Introduce IMA and EVM post-quantum ML-DSA signature support ML-DSA signature support for IMA and EVM is limited to sigv3 signatures, which calculates and verifies a hash of a compact structure containing the file data/metadata hash, hash type, and hash algorithm. IMA and EVM still calculate the file data/metadata hashes respectively. - Introduce support for removing IMA measurement list records stored in kernel memory The IMA measurement list can grow large depending on policy, but removing records breaks remote attestation, unless they are safely preserved and made available for attestation requests. Until environments are prepared to preserve the measurement records, a new CONFIG_IMA_STAGING Kconfig option is introduced to guard against deletion. Several approaches for removing measurement list records were evaluated but rejected due to filesystem constraints, the introduction of a new critical data record, and locking concerns. Two methods are being upstreamed: staged deletion with confirmation, and staged deletion of N records without confirmation. Both methods minimize the period during which new measurements are blocked from being appended to the measurement list by staging the measurement list. A comparison of the two methods is included in the documentation. - Some code cleanup, and a couple of bug fixes * tag 'integrity-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: doc: security: Add documentation of exporting and deleting IMA measurements ima: Support staging and deleting N measurements records ima: Add support for flushing the hash table when staging measurements ima: Add support for staging measurements with prompt ima: Introduce ima_dump_measurement() ima: Use snprintf() in create_securityfs_measurement_lists ima: Mediate open/release method of the measurements list ima: Introduce _ima_measurements_start() and _ima_measurements_next() ima: Introduce per binary measurements list type binary_runtime_size value ima: Introduce per binary measurements list type ima_num_records counter ima: Replace static htable queue with dynamically allocated array ima: Remove ima_h_table structure evm: terminate and bound the evm_xattrs read buffer integrity: Add support for sigv3 verification using ML-DSA keys integrity: Refactor asymmetric_verify for reusability integrity: Check that algo parameter is within valid range integrity: Check for NULL returned by asymmetric_key_public_key ima: return error early if file xattr cannot be changed ima: Fix sigv3 signature handling for EVM_IMA_XATTR_DIGSIG 
Pull IMA updates from Mimi Zohar:

 - Introduce IMA and EVM post-quantum ML-DSA signature support

   ML-DSA signature support for IMA and EVM is limited to sigv3
   signatures, which calculates and verifies a hash of a compact
   structure containing the file data/metadata hash, hash type, and hash
   algorithm. IMA and EVM still calculate the file data/metadata hashes
   respectively.

 - Introduce support for removing IMA measurement list records stored in
   kernel memory

   The IMA measurement list can grow large depending on policy, but
   removing records breaks remote attestation, unless they are safely
   preserved and made available for attestation requests. Until
   environments are prepared to preserve the measurement records, a new
   CONFIG_IMA_STAGING Kconfig option is introduced to guard against
   deletion.

   Several approaches for removing measurement list records were
   evaluated but rejected due to filesystem constraints, the
   introduction of a new critical data record, and locking concerns. Two
   methods are being upstreamed: staged deletion with confirmation, and
   staged deletion of N records without confirmation. Both methods
   minimize the period during which new measurements are blocked from
   being appended to the measurement list by staging the measurement
   list.

   A comparison of the two methods is included in the documentation.

 - Some code cleanup, and a couple of bug fixes

* tag 'integrity-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  doc: security: Add documentation of exporting and deleting IMA measurements
  ima: Support staging and deleting N measurements records
  ima: Add support for flushing the hash table when staging measurements
  ima: Add support for staging measurements with prompt
  ima: Introduce ima_dump_measurement()
  ima: Use snprintf() in create_securityfs_measurement_lists
  ima: Mediate open/release method of the measurements list
  ima: Introduce _ima_measurements_start() and _ima_measurements_next()
  ima: Introduce per binary measurements list type binary_runtime_size value
  ima: Introduce per binary measurements list type ima_num_records counter
  ima: Replace static htable queue with dynamically allocated array
  ima: Remove ima_h_table structure
  evm: terminate and bound the evm_xattrs read buffer
  integrity: Add support for sigv3 verification using ML-DSA keys
  integrity: Refactor asymmetric_verify for reusability
  integrity: Check that algo parameter is within valid range
  integrity: Check for NULL returned by asymmetric_key_public_key
  ima: return error early if file xattr cannot be changed
  ima: Fix sigv3 signature handling for EVM_IMA_XATTR_DIGSIG
doc: security: Add documentation of exporting and deleting IMA measurements 2026-06-08T15:43:36+00:00 Roberto Sassu roberto.sassu@huawei.com 2026-06-05T17:22:36+00:00 35d6f5e788dae0dcc4c42d1280360f19aef9ab52 Add the documentation of exporting and deleting IMA measurements in Documentation/security/IMA-export-delete.rst. Also add the missing Documentation/security/IMA-templates.rst file in MAINTAINERS. Link: https://github.com/linux-integrity/linux/issues/1 Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 
Add the documentation of exporting and deleting IMA measurements in
Documentation/security/IMA-export-delete.rst.

Also add the missing Documentation/security/IMA-templates.rst file in
MAINTAINERS.

Link: https://github.com/linux-integrity/linux/issues/1
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Documentation: fix typo and formattting in security/credentials.rst 2026-05-15T14:09:46+00:00 Mayank Gite drapl0n.kernel@gmail.com 2026-05-06T22:59:24+00:00 8b9bff97df205c2d6dc65c7997b8d5ee63f5f8ea - Fixes a typo in "Keys and keyrings" section. Replaces "keying" with "keyring". - Updates formatting of keyring types. Signed-off-by: Mayank Gite <drapl0n.kernel@gmail.com> Acked-by: Randy Dunlap <rdunlap@infradead.org> Tested-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> Message-ID: <20260506225925.271163-1-drapl0n.kernel@gmail.com> 
- Fixes a typo in "Keys and keyrings" section. Replaces "keying" with
  "keyring".
- Updates formatting of keyring types.

Signed-off-by: Mayank Gite <drapl0n.kernel@gmail.com>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Message-ID: <20260506225925.271163-1-drapl0n.kernel@gmail.com>
Merge tag 'ipe-pr-20260413' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe 2026-04-15T22:19:45+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-04-15T22:19:45+00:00 8801e23b5b0dcf7d9c2291cc0901628dc1006145 Pull IPE update from Fan Wu: "A single commit from Evan Ducas that fixes several spelling and grammar mistakes in the IPE documentation. There are no functional changes" * tag 'ipe-pr-20260413' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe: docs: security: ipe: fix typos and grammar 
Pull IPE update from Fan Wu:
 "A single commit from Evan Ducas that fixes several spelling and
  grammar mistakes in the IPE documentation. There are no functional
  changes"

* tag 'ipe-pr-20260413' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe:
  docs: security: ipe: fix typos and grammar
docs: security: ipe: fix typos and grammar 2026-04-13T22:58:49+00:00 Evan Ducas evan.j.ducas@gmail.com 2026-03-08T18:07:34+00:00 d46515ec0b1d4ae07f8f437515c43cfb6eb61ffa Fix several spelling and grammar mistakes in the IPE documentation. No functional change. Signed-off-by: Evan Ducas <evan.j.ducas@gmail.com> Acked-by: Bagas Sanjaya <bagasdotme@gmail.com> Acked-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Fan Wu <wufan@kernel.org> 
Fix several spelling and grammar mistakes in the IPE
documentation.

No functional change.

Signed-off-by: Evan Ducas <evan.j.ducas@gmail.com>
Acked-by: Bagas Sanjaya <bagasdotme@gmail.com>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Fan Wu <wufan@kernel.org>
landlock: Control pathname UNIX domain socket resolution by path 2026-04-07T16:51:06+00:00 Günther Noack gnoack3000@gmail.com 2026-03-27T16:48:29+00:00 ae97330d1bd6a97646c2842d117577236cb40913 * Add a new access right LANDLOCK_ACCESS_FS_RESOLVE_UNIX, which controls the lookup operations for named UNIX domain sockets. The resolution happens during connect() and sendmsg() (depending on socket type). * Change access_mask_t from u16 to u32 (see below) * Hook into the path lookup in unix_find_bsd() in af_unix.c, using a LSM hook. Make policy decisions based on the new access rights * Increment the Landlock ABI version. * Minor test adaptations to keep the tests working. * Document the design rationale for scoped access rights, and cross-reference it from the header documentation. With this access right, access is granted if either of the following conditions is met: * The target socket's filesystem path was allow-listed using a LANDLOCK_RULE_PATH_BENEATH rule, *or*: * The target socket was created in the same Landlock domain in which LANDLOCK_ACCESS_FS_RESOLVE_UNIX was restricted. In case of a denial, connect() and sendmsg() return EACCES, which is the same error as it is returned if the user does not have the write bit in the traditional UNIX file system permissions of that file. The access_mask_t type grows from u16 to u32 to make space for the new access right. This also doubles the size of struct layer_access_masks from 32 byte to 64 byte. To avoid memory layout inconsistencies between architectures (especially m68k), pack and align struct access_masks [2]. Document the (possible future) interaction between scoped flags and other access rights in struct landlock_ruleset_attr, and summarize the rationale, as discussed in code review leading up to [3]. This feature was created with substantial discussion and input from Justin Suess, Tingmao Wang and Mickaël Salaün. Cc: Tingmao Wang <m@maowtm.org> Cc: Justin Suess <utilityemal77@gmail.com> Cc: Kuniyuki Iwashima <kuniyu@google.com> Suggested-by: Jann Horn <jannh@google.com> Link[1]: https://github.com/landlock-lsm/linux/issues/36 Link[2]: https://lore.kernel.org/all/20260401.Re1Eesu1Yaij@digikod.net/ Link[3]: https://lore.kernel.org/all/20260205.8531e4005118@gnoack.org/ Signed-off-by: Günther Noack <gnoack3000@gmail.com> Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Link: https://lore.kernel.org/r/20260327164838.38231-5-gnoack3000@gmail.com [mic: Fix kernel-doc formatting, pack and align access_masks] Signed-off-by: Mickaël Salaün <mic@digikod.net> 
* Add a new access right LANDLOCK_ACCESS_FS_RESOLVE_UNIX, which
  controls the lookup operations for named UNIX domain sockets.  The
  resolution happens during connect() and sendmsg() (depending on
  socket type).
* Change access_mask_t from u16 to u32 (see below)
* Hook into the path lookup in unix_find_bsd() in af_unix.c, using a
  LSM hook.  Make policy decisions based on the new access rights
* Increment the Landlock ABI version.
* Minor test adaptations to keep the tests working.
* Document the design rationale for scoped access rights,
  and cross-reference it from the header documentation.

With this access right, access is granted if either of the following
conditions is met:

* The target socket's filesystem path was allow-listed using a
  LANDLOCK_RULE_PATH_BENEATH rule, *or*:
* The target socket was created in the same Landlock domain in which
  LANDLOCK_ACCESS_FS_RESOLVE_UNIX was restricted.

In case of a denial, connect() and sendmsg() return EACCES, which is
the same error as it is returned if the user does not have the write
bit in the traditional UNIX file system permissions of that file.

The access_mask_t type grows from u16 to u32 to make space for the new
access right.  This also doubles the size of struct layer_access_masks
from 32 byte to 64 byte.  To avoid memory layout inconsistencies between
architectures (especially m68k), pack and align struct access_masks [2].

Document the (possible future) interaction between scoped flags and
other access rights in struct landlock_ruleset_attr, and summarize the
rationale, as discussed in code review leading up to [3].

This feature was created with substantial discussion and input from
Justin Suess, Tingmao Wang and Mickaël Salaün.

Cc: Tingmao Wang <m@maowtm.org>
Cc: Justin Suess <utilityemal77@gmail.com>
Cc: Kuniyuki Iwashima <kuniyu@google.com>
Suggested-by: Jann Horn <jannh@google.com>
Link[1]: https://github.com/landlock-lsm/linux/issues/36
Link[2]: https://lore.kernel.org/all/20260401.Re1Eesu1Yaij@digikod.net/
Link[3]: https://lore.kernel.org/all/20260205.8531e4005118@gnoack.org/
Signed-off-by: Günther Noack <gnoack3000@gmail.com>
Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://lore.kernel.org/r/20260327164838.38231-5-gnoack3000@gmail.com
[mic: Fix kernel-doc formatting, pack and align access_masks]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
docs: trusted-encryped: add PKWM as a new trust source 2026-01-30T03:57:27+00:00 Nayna Jain nayna@linux.ibm.com 2026-01-27T14:52:28+00:00 1d72a02d65a733ad124bacc2db3fb90fa81a612b Update Documentation/security/keys/trusted-encrypted.rst and Documentation/ admin-guide/kernel-parameters.txt with PowerVM Key Wrapping Module (PKWM) as a new trust source Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com> Tested-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com> Link: https://patch.msgid.link/20260127145228.48320-7-ssrish@linux.ibm.com 
Update Documentation/security/keys/trusted-encrypted.rst and Documentation/
admin-guide/kernel-parameters.txt with PowerVM Key Wrapping Module (PKWM)
as a new trust source

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260127145228.48320-7-ssrish@linux.ibm.com
Merge tag 'landlock-6.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux 2025-12-06T17:52:41+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-12-06T17:52:41+00:00 eee654ca9a55fd1e8632afb119975cba6af7d4ad Pull landlock updates from Mickaël Salaün: "This mainly fixes handling of disconnected directories and adds new tests" * tag 'landlock-6.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: selftests/landlock: Add disconnected leafs and branch test suites selftests/landlock: Add tests for access through disconnected paths landlock: Improve variable scope landlock: Fix handling of disconnected directories selftests/landlock: Fix makefile header list landlock: Make docs in cred.h and domain.h visible landlock: Minor comments improvements 
Pull landlock updates from Mickaël Salaün:
 "This mainly fixes handling of disconnected directories and adds new
  tests"

* tag 'landlock-6.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
  selftests/landlock: Add disconnected leafs and branch test suites
  selftests/landlock: Add tests for access through disconnected paths
  landlock: Improve variable scope
  landlock: Fix handling of disconnected directories
  selftests/landlock: Fix makefile header list
  landlock: Make docs in cred.h and domain.h visible
  landlock: Minor comments improvements
landlock: Make docs in cred.h and domain.h visible 2025-11-26T19:20:23+00:00 Tingmao Wang m@maowtm.org 2025-09-28T23:49:49+00:00 335ef80e4a9eeed6cf52b3de6d0bad6787991e20 Currently even though the structures in these files have documentation, they are not shown in the "Landlock LSM: kernel documentation" page. Signed-off-by: Tingmao Wang <m@maowtm.org> Link: https://lore.kernel.org/r/6050e764c2679cba01715653e5f1f4f17091d8f8.1759103277.git.m@maowtm.org [mic: Synchronize date] Signed-off-by: Mickaël Salaün <mic@digikod.net> 
Currently even though the structures in these files have documentation,
they are not shown in the "Landlock LSM: kernel documentation" page.

Signed-off-by: Tingmao Wang <m@maowtm.org>
Link: https://lore.kernel.org/r/6050e764c2679cba01715653e5f1f4f17091d8f8.1759103277.git.m@maowtm.org
[mic: Synchronize date]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
docs: trusted-encrypted: fix htmldocs build error 2025-10-21T03:58:29+00:00 Gopi Krishna Menon krishnagopi487@gmail.com 2025-10-17T18:11:15+00:00 77cd9210271556aff955551b3e2ef0ae8a2691bd Running "make htmldocs" generates the following build error and warning in trusted-encrypted.rst: Documentation/security/keys/trusted-encrypted.rst:18: ERROR: Unexpected indentation. Documentation/security/keys/trusted-encrypted.rst:19: WARNING: Block quote ends without a blank line; unexpected unindent. Add a blank line before bullet list and fix the indentation of text to fix the build error and resolve the warning. Fixes: 38f6880759fd ("docs: trusted-encrypted: trusted-keys as protected keys") Signed-off-by: Gopi Krishna Menon <krishnagopi487@gmail.com> Reviewed-by: Randy Dunlap <rdunlap@infradead.org> Tested-by: Randy Dunlap <rdunlap@infradead.org> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
Running "make htmldocs" generates the following build error and
warning in trusted-encrypted.rst:

Documentation/security/keys/trusted-encrypted.rst:18: ERROR: Unexpected indentation.
Documentation/security/keys/trusted-encrypted.rst:19: WARNING: Block quote ends without a blank line; unexpected unindent.

Add a blank line before bullet list and fix the indentation of text to
fix the build error and resolve the warning.

Fixes: 38f6880759fd ("docs: trusted-encrypted: trusted-keys as protected keys")
Signed-off-by: Gopi Krishna Menon <krishnagopi487@gmail.com>
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>