<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/security/integrity/ima/ima.h, branch v4.19</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>Merge branch 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security</title>
<updated>2018-08-16T05:51:12+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2018-08-16T05:51:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=c715ebeb0303b196f17376f189ae4e168d98b563'/>
<id>c715ebeb0303b196f17376f189ae4e168d98b563</id>
<content type='text'>
Pull TPM updates from James Morris:

 - Migrate away from PM runtime as explicit cmdReady/goIdle transactions
   for every command is a spec requirement. PM runtime adds only a layer
   of complexity on our case.

 - tpm_tis drivers can now specify the hwrng quality.

 - TPM 2.0 code uses now tpm_buf for constructing messages. Jarkko
   thinks Tomas Winkler has done the same for TPM 1.2, and will start
   digging those changes from the patchwork in the near future.

 - Bug fixes and clean ups

* 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead
  ima: Use tpm_default_chip() and call TPM functions with a tpm_chip
  tpm: replace TPM_TRANSMIT_RAW with TPM_TRANSMIT_NESTED
  tpm: Convert tpm_find_get_ops() to use tpm_default_chip()
  tpm: Implement tpm_default_chip() to find a TPM chip
  tpm: rename tpm_chip_find_get() to tpm_find_get_ops()
  tpm: Allow tpm_tis drivers to set hwrng quality.
  tpm: Return the actual size when receiving an unsupported command
  tpm: separate cmd_ready/go_idle from runtime_pm
  tpm/tpm_i2c_infineon: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
  tpm_tis_spi: Pass the SPI IRQ down to the driver
  tpm: migrate tpm2_get_random() to use struct tpm_buf
  tpm: migrate tpm2_get_tpm_pt() to use struct tpm_buf
  tpm: migrate tpm2_probe() to use struct tpm_buf
  tpm: migrate tpm2_shutdown() to use struct tpm_buf
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull TPM updates from James Morris:

 - Migrate away from PM runtime as explicit cmdReady/goIdle transactions
   for every command is a spec requirement. PM runtime adds only a layer
   of complexity on our case.

 - tpm_tis drivers can now specify the hwrng quality.

 - TPM 2.0 code uses now tpm_buf for constructing messages. Jarkko
   thinks Tomas Winkler has done the same for TPM 1.2, and will start
   digging those changes from the patchwork in the near future.

 - Bug fixes and clean ups

* 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead
  ima: Use tpm_default_chip() and call TPM functions with a tpm_chip
  tpm: replace TPM_TRANSMIT_RAW with TPM_TRANSMIT_NESTED
  tpm: Convert tpm_find_get_ops() to use tpm_default_chip()
  tpm: Implement tpm_default_chip() to find a TPM chip
  tpm: rename tpm_chip_find_get() to tpm_find_get_ops()
  tpm: Allow tpm_tis drivers to set hwrng quality.
  tpm: Return the actual size when receiving an unsupported command
  tpm: separate cmd_ready/go_idle from runtime_pm
  tpm/tpm_i2c_infineon: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
  tpm_tis_spi: Pass the SPI IRQ down to the driver
  tpm: migrate tpm2_get_random() to use struct tpm_buf
  tpm: migrate tpm2_get_tpm_pt() to use struct tpm_buf
  tpm: migrate tpm2_probe() to use struct tpm_buf
  tpm: migrate tpm2_shutdown() to use struct tpm_buf
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security</title>
<updated>2018-08-15T17:25:26+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2018-08-15T17:25:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=92d4a03674b8c399c2f547580fa509db78226170'/>
<id>92d4a03674b8c399c2f547580fa509db78226170</id>
<content type='text'>
Pull security subsystem updates from James Morris:

 - kstrdup() return value fix from Eric Biggers

 - Add new security_load_data hook to differentiate security checking of
   kernel-loaded binaries in the case of there being no associated file
   descriptor, from Mimi Zohar.

 - Add ability to IMA to specify a policy at build-time, rather than
   just via command line params or by loading a custom policy, from
   Mimi.

 - Allow IMA and LSMs to prevent sysfs firmware load fallback (e.g. if
   using signed firmware), from Mimi.

 - Allow IMA to deny loading of kexec kernel images, as they cannot be
   measured by IMA, from Mimi.

* 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  security: check for kstrdup() failure in lsm_append()
  security: export security_kernel_load_data function
  ima: based on policy warn about loading firmware (pre-allocated buffer)
  module: replace the existing LSM hook in init_module
  ima: add build time policy
  ima: based on policy require signed firmware (sysfs fallback)
  firmware: add call to LSM hook before firmware sysfs fallback
  ima: based on policy require signed kexec kernel images
  kexec: add call to LSM hook in original kexec_load syscall
  security: define new LSM hook named security_kernel_load_data
  MAINTAINERS: remove the outdated "LINUX SECURITY MODULE (LSM) FRAMEWORK" entry
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull security subsystem updates from James Morris:

 - kstrdup() return value fix from Eric Biggers

 - Add new security_load_data hook to differentiate security checking of
   kernel-loaded binaries in the case of there being no associated file
   descriptor, from Mimi Zohar.

 - Add ability to IMA to specify a policy at build-time, rather than
   just via command line params or by loading a custom policy, from
   Mimi.

 - Allow IMA and LSMs to prevent sysfs firmware load fallback (e.g. if
   using signed firmware), from Mimi.

 - Allow IMA to deny loading of kexec kernel images, as they cannot be
   measured by IMA, from Mimi.

* 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  security: check for kstrdup() failure in lsm_append()
  security: export security_kernel_load_data function
  ima: based on policy warn about loading firmware (pre-allocated buffer)
  module: replace the existing LSM hook in init_module
  ima: add build time policy
  ima: based on policy require signed firmware (sysfs fallback)
  firmware: add call to LSM hook before firmware sysfs fallback
  ima: based on policy require signed kexec kernel images
  kexec: add call to LSM hook in original kexec_load syscall
  security: define new LSM hook named security_kernel_load_data
  MAINTAINERS: remove the outdated "LINUX SECURITY MODULE (LSM) FRAMEWORK" entry
</pre>
</div>
</content>
</entry>
<entry>
<title>ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead</title>
<updated>2018-07-28T14:03:11+00:00</updated>
<author>
<name>Stefan Berger</name>
<email>stefanb@linux.vnet.ibm.com</email>
</author>
<published>2018-06-26T19:09:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ec403d8ed08c8272cfeeeea154fdebcd289988c8'/>
<id>ec403d8ed08c8272cfeeeea154fdebcd289988c8</id>
<content type='text'>
Get rid of ima_used_chip and use ima_tpm_chip variable instead for
determining whether to use the TPM chip.

Signed-off-by: Stefan Berger &lt;stefanb@linux.vnet.ibm.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko.sakkinen@linux.intel.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko.sakkinen@linux.intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Get rid of ima_used_chip and use ima_tpm_chip variable instead for
determining whether to use the TPM chip.

Signed-off-by: Stefan Berger &lt;stefanb@linux.vnet.ibm.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko.sakkinen@linux.intel.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko.sakkinen@linux.intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ima: Use tpm_default_chip() and call TPM functions with a tpm_chip</title>
<updated>2018-07-28T14:03:11+00:00</updated>
<author>
<name>Stefan Berger</name>
<email>stefanb@linux.vnet.ibm.com</email>
</author>
<published>2018-06-26T19:09:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=5c2a640aff73914e11ac0db310b32d3b7a1b87ad'/>
<id>5c2a640aff73914e11ac0db310b32d3b7a1b87ad</id>
<content type='text'>
Rather than accessing the TPM functions by passing a NULL pointer for
the tpm_chip, which causes a lookup for a suitable chip every time, get a
hold of a tpm_chip and access the TPM functions using it.

Signed-off-by: Stefan Berger &lt;stefanb@linux.vnet.ibm.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko.sakkinen@linux.intel.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko.sakkinen@linux.intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Rather than accessing the TPM functions by passing a NULL pointer for
the tpm_chip, which causes a lookup for a suitable chip every time, get a
hold of a tpm_chip and access the TPM functions using it.

Signed-off-by: Stefan Berger &lt;stefanb@linux.vnet.ibm.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko.sakkinen@linux.intel.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko.sakkinen@linux.intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ima: based on policy require signed kexec kernel images</title>
<updated>2018-07-16T19:31:57+00:00</updated>
<author>
<name>Mimi Zohar</name>
<email>zohar@linux.vnet.ibm.com</email>
</author>
<published>2018-07-13T18:05:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=16c267aac86b463b1fcccd43c89f4c8e5c5c86fa'/>
<id>16c267aac86b463b1fcccd43c89f4c8e5c5c86fa</id>
<content type='text'>
The original kexec_load syscall can not verify file signatures, nor can
the kexec image be measured.  Based on policy, deny the kexec_load
syscall.

Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Cc: Eric Biederman &lt;ebiederm@xmission.com&gt;
Cc: Kees Cook &lt;keescook@chromium.org&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: James Morris &lt;james.morris@microsoft.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The original kexec_load syscall can not verify file signatures, nor can
the kexec image be measured.  Based on policy, deny the kexec_load
syscall.

Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Cc: Eric Biederman &lt;ebiederm@xmission.com&gt;
Cc: Kees Cook &lt;keescook@chromium.org&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: James Morris &lt;james.morris@microsoft.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>IMA: don't propagate opened through the entire thing</title>
<updated>2018-07-12T14:04:19+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2018-06-08T17:40:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=6035a27b25ab9dadc8c3d5c5df5eae3fca62fc95'/>
<id>6035a27b25ab9dadc8c3d5c5df5eae3fca62fc95</id>
<content type='text'>
just check -&gt;f_mode in ima_appraise_measurement()

Acked-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
just check -&gt;f_mode in ima_appraise_measurement()

Acked-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ima: Remove unused variable ima_initialized</title>
<updated>2018-05-17T12:03:06+00:00</updated>
<author>
<name>Petr Vorel</name>
<email>pvorel@suse.cz</email>
</author>
<published>2018-05-10T15:15:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=4ecd9934ba1c2edf95588a364d49ddfd85c61bd1'/>
<id>4ecd9934ba1c2edf95588a364d49ddfd85c61bd1</id>
<content type='text'>
Commit a756024 ("ima: added ima_policy_flag variable") replaced
ima_initialized with ima_policy_flag, but didn't remove ima_initialized.
This patch removes it.

Signed-off-by: Petr Vorel &lt;pvorel@suse.cz&gt;
Reviewed-by: James Morris &lt;james.morris@microsoft.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit a756024 ("ima: added ima_policy_flag variable") replaced
ima_initialized with ima_policy_flag, but didn't remove ima_initialized.
This patch removes it.

Signed-off-by: Petr Vorel &lt;pvorel@suse.cz&gt;
Reviewed-by: James Morris &lt;james.morris@microsoft.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>IMA: Support using new creds in appraisal policy</title>
<updated>2018-03-23T10:31:11+00:00</updated>
<author>
<name>Matthew Garrett</name>
<email>mjg59@google.com</email>
</author>
<published>2018-01-08T21:36:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=d906c10d8a31654cb9167c9a2ebc7d3e43820bad'/>
<id>d906c10d8a31654cb9167c9a2ebc7d3e43820bad</id>
<content type='text'>
The existing BPRM_CHECK functionality in IMA validates against the
credentials of the existing process, not any new credentials that the
child process may transition to. Add an additional CREDS_CHECK target
and refactor IMA to pass the appropriate creds structure. In
ima_bprm_check(), check with both the existing process credentials and
the credentials that will be committed when the new process is started.
This will not change behaviour unless the system policy is extended to
include CREDS_CHECK targets - BPRM_CHECK will continue to check the same
credentials that it did previously.

After this patch, an IMA policy rule along the lines of:

measure func=CREDS_CHECK subj_type=unconfined_t

will trigger if a process is executed and runs as unconfined_t, ignoring
the context of the parent process. This is in contrast to:

measure func=BPRM_CHECK subj_type=unconfined_t

which will trigger if the process that calls exec() is already executing
in unconfined_t, ignoring the context that the child process executes
into.

Signed-off-by: Matthew Garrett &lt;mjg59@google.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;

Changelog:
- initialize ima_creds_status
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The existing BPRM_CHECK functionality in IMA validates against the
credentials of the existing process, not any new credentials that the
child process may transition to. Add an additional CREDS_CHECK target
and refactor IMA to pass the appropriate creds structure. In
ima_bprm_check(), check with both the existing process credentials and
the credentials that will be committed when the new process is started.
This will not change behaviour unless the system policy is extended to
include CREDS_CHECK targets - BPRM_CHECK will continue to check the same
credentials that it did previously.

After this patch, an IMA policy rule along the lines of:

measure func=CREDS_CHECK subj_type=unconfined_t

will trigger if a process is executed and runs as unconfined_t, ignoring
the context of the parent process. This is in contrast to:

measure func=BPRM_CHECK subj_type=unconfined_t

which will trigger if the process that calls exec() is already executing
in unconfined_t, ignoring the context that the child process executes
into.

Signed-off-by: Matthew Garrett &lt;mjg59@google.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;

Changelog:
- initialize ima_creds_status
</pre>
</div>
</content>
</entry>
<entry>
<title>ima: Simplify policy_func_show.</title>
<updated>2017-06-21T18:37:12+00:00</updated>
<author>
<name>Thiago Jung Bauermann</name>
<email>bauerman@linux.vnet.ibm.com</email>
</author>
<published>2017-06-08T01:49:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=2663218ba6e3dd6f27df9664e00fa3eb63be3a3f'/>
<id>2663218ba6e3dd6f27df9664e00fa3eb63be3a3f</id>
<content type='text'>
If the func_tokens array uses the same indices as enum ima_hooks,
policy_func_show can be a lot simpler, and the func_* enum becomes
unnecessary.

Also, if we use the same macro trick used by kernel_read_file_id_str we can
use one hooks list for both the enum and the string array, making sure they
are always in sync (suggested by Mimi Zohar).

Finally, by using the printf pattern for the function token directly
instead of using the pt macro we can simplify policy_func_show even further
and avoid needing a temporary buffer.

Signed-off-by: Thiago Jung Bauermann &lt;bauerman@linux.vnet.ibm.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If the func_tokens array uses the same indices as enum ima_hooks,
policy_func_show can be a lot simpler, and the func_* enum becomes
unnecessary.

Also, if we use the same macro trick used by kernel_read_file_id_str we can
use one hooks list for both the enum and the string array, making sure they
are always in sync (suggested by Mimi Zohar).

Finally, by using the printf pattern for the function token directly
instead of using the pt macro we can simplify policy_func_show even further
and avoid needing a temporary buffer.

Signed-off-by: Thiago Jung Bauermann &lt;bauerman@linux.vnet.ibm.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>integrity: Small code improvements</title>
<updated>2017-06-21T18:37:12+00:00</updated>
<author>
<name>Thiago Jung Bauermann</name>
<email>bauerman@linux.vnet.ibm.com</email>
</author>
<published>2017-06-08T01:49:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=bb543e3959b5909e7b5db4a216018c634a9d9898'/>
<id>bb543e3959b5909e7b5db4a216018c634a9d9898</id>
<content type='text'>
These changes are too small to warrant their own patches:

The keyid and sig_size members of struct signature_v2_hdr are in BE format,
so use a type that makes this assumption explicit. Also, use beXX_to_cpu
instead of __beXX_to_cpu to read them.

Change integrity_kernel_read to take a void * buffer instead of char *
buffer, so that callers don't have to use a cast if they provide a buffer
that isn't a char *.

Add missing #endif comment in ima.h pointing out which macro it refers to.

Add missing fall through comment in ima_appraise.c.

Constify mask_tokens and func_tokens arrays.

Signed-off-by: Thiago Jung Bauermann &lt;bauerman@linux.vnet.ibm.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
These changes are too small to warrant their own patches:

The keyid and sig_size members of struct signature_v2_hdr are in BE format,
so use a type that makes this assumption explicit. Also, use beXX_to_cpu
instead of __beXX_to_cpu to read them.

Change integrity_kernel_read to take a void * buffer instead of char *
buffer, so that callers don't have to use a cast if they provide a buffer
that isn't a char *.

Add missing #endif comment in ima.h pointing out which macro it refers to.

Add missing fall through comment in ima_appraise.c.

Constify mask_tokens and func_tokens arrays.

Signed-off-by: Thiago Jung Bauermann &lt;bauerman@linux.vnet.ibm.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
