* [GIT] Security subsystem updates for 3.9
From: James Morris @ 2013-02-21 14:03 UTC
To: Linus Torvalds; +Cc: linux-kernel, linux-security-module

This is basically a maintenance update for the TPM driver and EVM/IMA.

Please pull.

The following changes since commit 19f949f52599ba7c3f67a5897ac6be14bfcb1200:

  Linus Torvalds (1):
        Linux 3.8

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next

Andy Shevchenko (1):
      mpilib: use DIV_ROUND_UP and remove unused macros

Dmitry Kasatkin (14):
      evm: remove unused cleanup functions
      ima: set appraise status in fix mode only when xattr is fixed
      ima: remove enforce checking duplication
      ima: remove security.ima hexdump
      integrity: reduce storage size for ima_status and evm_status
      ima: move full pathname resolution to separate function
      ima: forbid write access to files with digital signatures
      ima: added policy support for 'security.ima' type
      digsig: remove unnecessary memory allocation and copying
      evm: add file system uuid to EVM hmac
      ima: add policy support for file system uuid
      ima: use new crypto_shash API instead of old crypto_hash
      ima: rename hash calculation functions
      ima: digital signature verification using asymmetric keys

James Morris (1):
      Merge tag 'v3.8-rc2' into next

Jason Gunthorpe (4):
      TPM: Issue TPM_STARTUP at driver load if the TPM has not been started
      TPM: Switch to __packed instead of __attribute__((packed))
      TPM: Work around buggy TPMs that block during continue self test
      TPM: Wait for TPM_ACCESS tpmRegValidSts to go high at startup

Kent Yoder (8):
      tpm: add documentation for sysfs interfaces
      tpm: rename vendor data to priv and provide an accessor
      tpm: STM i2c driver fixes
      tpm: rename STM driver to match other i2c drivers
      tpm_i2c_stm_st33: fix oops when i2c client is unavailable
      tpm_i2c_stm_st33: removed unused variables/code
      tpm_tis: check pnp_acpi_device return code
      tpm/ibmvtpm: build only when IBM pseries is configured

Mathias Leblanc (2):
      TPM: STMicroelectronics ST33 I2C KERNEL 3.x
      TPM: STMicroelectronics ST33 I2C BUILD STUFF

Mimi Zohar (5):
      ima: re-initialize IMA policy LSM info
      ima: rename FILE_MMAP to MMAP_CHECK
      ima: increase iint flag size
      ima: per hook cache integrity appraisal status
      ima: differentiate appraise status only for hook specific rules

Peter Huewe (8):
      char/tpm: Remove duplicated lookup table
      char/tpm: simplify duration calculation and eliminate smatch warning.
      char/tpm: Use true and false for bools
      char/tpm: Use struct dev_pm_ops for power management
      char/tpm/tpm_i2c_stm_st33: Don't use memcpy for one byte assignment
      char/tpm/tpm_i2c_stm_st33: Remove __devexit attribute
      char/tpm/tpm_i2c_stm_st33: remove dead assignment in tpm_st33_i2c_probe
      char/tpm/tpm_i2c_stm_st33: drop temporary variable for return value

Stefan Berger (3):
      tpm: Store TPM vendor ID
      tpm: Fix cancellation of TPM commands (polling mode)
      tpm: Fix cancellation of TPM commands (interrupt mode)

 Documentation/ABI/stable/sysfs-class-tpm | 185 +++++++
 Documentation/ABI/testing/ima_policy     |  10 +-
 drivers/char/tpm/Kconfig                 |  12 +-
 drivers/char/tpm/Makefile                |   1 +
 drivers/char/tpm/tpm.c                   | 114 ++--
 drivers/char/tpm/tpm.h                   |  52 +-
 drivers/char/tpm/tpm_acpi.c              |   8 +-
 drivers/char/tpm/tpm_atmel.c             |   7 +-
 drivers/char/tpm/tpm_i2c_infineon.c      |   7 +-
 drivers/char/tpm/tpm_i2c_stm_st33.c      | 887 ++++++++++++++++++++++++++++++
 drivers/char/tpm/tpm_i2c_stm_st33.h      |  61 ++
 drivers/char/tpm/tpm_ibmvtpm.c           |  15 +-
 drivers/char/tpm/tpm_nsc.c               |   7 +-
 drivers/char/tpm/tpm_tis.c               |  64 ++-
 lib/digsig.c                             |  41 +-
 lib/mpi/mpi-internal.h                   |   4 -
 lib/mpi/mpicoder.c                       |   8 +-
 security/integrity/Kconfig               |  12 +
 security/integrity/Makefile              |   1 +
 security/integrity/digsig.c              |  11 +-
 security/integrity/digsig_asymmetric.c   | 115 ++++
 security/integrity/evm/Kconfig           |  13 +
 security/integrity/evm/evm.h             |   2 +-
 security/integrity/evm/evm_crypto.c      |   3 +
 security/integrity/evm/evm_main.c        |  10 +-
 security/integrity/evm/evm_secfs.c       |   6 -
 security/integrity/iint.c                |  10 +-
 security/integrity/ima/ima.h             |  21 +-
 security/integrity/ima/ima_api.c         |  27 +-
 security/integrity/ima/ima_appraise.c    |  92 +++-
 security/integrity/ima/ima_crypto.c      |  81 ++-
 security/integrity/ima/ima_init.c        |   3 +
 security/integrity/ima/ima_main.c        | 133 ++---
 security/integrity/ima/ima_policy.c      | 138 ++++-
 security/integrity/integrity.h           |  62 ++-
 35 files changed, 1914 insertions(+), 309 deletions(-)
 create mode 100644 Documentation/ABI/stable/sysfs-class-tpm
 create mode 100644 drivers/char/tpm/tpm_i2c_stm_st33.c
 create mode 100644 drivers/char/tpm/tpm_i2c_stm_st33.h
 create mode 100644 security/integrity/digsig_asymmetric.c
* Re: [GIT] Security subsystem updates for 3.9
From: Linus Torvalds @ 2013-02-21 16:26 UTC
To: James Morris, Mimi Zohar; +Cc: Linux Kernel Mailing List, LSM List
On Thu, Feb 21, 2013 at 6:03 AM, James Morris <jmorris@namei.org> wrote:
> This is basically a maintenance update for the TPM driver and EVM/IMA.
Hmm. There were conflicts in lib/digsig.c and ima_main.c. The digsig
one was pretty trivial, but I'd like people to take a look at the IMA
one.
And that's not because the conflict itself was all that complex - I'm
pretty sure I resolved it correctly. But I do want to make sure that
everybody agrees on the whole module integrity checking thing. I
resolved it to be like the semantics in Mimi's commit a7f2a366f623,
which means that for non-file modules, IMA does:

  Only fail the non-file module if
   (a) IMA_APPRAISE_MODULES was set
     *and*
   (b) CONFIG_MODULE_SIG_FORCE is not set.

If CONFIG_MODULE_SIG_FORCE it ignores IMA_APPRAISE_MODULES entirely,
and the module signature checking overrides everything. And if
IMA_APPRAISE_MODULES is not set, we say "whatever". So it makes sense,
but I wanted people to just be aware of it and agree on it, since the
security tree modified this part without apparently being aware of the
changed semantics.
Linus
* Re: [GIT] Security subsystem updates for 3.9
From: Mimi Zohar @ 2013-02-21 18:06 UTC
To: Linus Torvalds; +Cc: James Morris, Linux Kernel Mailing List, LSM List
On Thu, 2013-02-21 at 08:26 -0800, Linus Torvalds wrote:
> On Thu, Feb 21, 2013 at 6:03 AM, James Morris <jmorris@namei.org> wrote:
> > This is basically a maintenance update for the TPM driver and EVM/IMA.
>
> Hmm. There were conflicts in lib/digsig.c and ima_main.c. The digsig
> one was pretty trivial, but I'd like people to take a look at the IMA
> one.
>
> And that's not because the conflict itself was all that complex - I'm
> pretty sure I resolved it correctly. But I do want to make sure that
> everybody agrees on the whole module integrity checking thing. I
> resolved it to be like the semantics in Mimi's commit a7f2a366f623,
> which means that for non-file modules, IMA does:
>
> Only fail the non-file module if
> (a) IMA_APPRAISE_MODULES was set
Almost, and enforcing file integrity is enabled. The merged result
should look like what's contained in
linux-integrity/next-upstreamed-patches:

int ima_module_check(struct file *file)
{
	if (!file) {
		if ((ima_appraise & IMA_APPRAISE_MODULES) &&
		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
#ifndef CONFIG_MODULE_SIG_FORCE
			return -EACCES;	/* INTEGRITY_UNKNOWN */
#endif
		}
		return 0;
	}
	return process_measurement(file, file->f_dentry->d_name.name,
				   MAY_EXEC, MODULE_CHECK);
}

thanks,
Mimi
> *and*
> (b) CONFIG_MODULE_SIG_FORCE is not set.
> If CONFIG_MODULE_SIG_FORCE it ignores IMA_APPRAISE_MODULES entirely,
> and the module signature checking overrides everything. And if
> IMA_APPRAISE_MODULES is not set, we say "whatever". So it makes sense,
> but I wanted people to just be aware of it and agree on it, since the
> security tree modified this part without apparently being aware of the
> changed semantics.
* Re: [GIT] Security subsystem updates for 3.9
From: Linus Torvalds @ 2013-02-21 18:21 UTC
To: Mimi Zohar; +Cc: James Morris, Linux Kernel Mailing List, LSM List
On Thu, Feb 21, 2013 at 10:06 AM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>
> Almost, and enforcing file integrity is enabled. The merged result
> should look like what's contained in
> linux-integrity/next-upstreamed-patches:
>
> int ima_module_check(struct file *file)
> {
> 	if (!file) {
> 		if ((ima_appraise & IMA_APPRAISE_MODULES) &&
> 		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
> #ifndef CONFIG_MODULE_SIG_FORCE
> 			return -EACCES;	/* INTEGRITY_UNKNOWN */
> #endif
> 		}
> 		return 0;
Ugh. The placement of that #ifndef is just horrible, please don't do
that. Just add it around the whole if-statement rather than around
just the return. Not because the compiler can't optimize away the
tests, but because it's much more obvious to a *human* what the ifndef
actually does.
Anyway, I don't have the IMA_APPRAISE_ENFORCE bit checking, it wasn't
obvious from the conflict, so somebody will need to add that.
Linus
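
Added example, not part of the original thread and not kernel code: a user-space C model of the !file branch of ima_module_check(), with the posted #ifndef placement next to the placement suggested above, plus a check that both give the same result. The flag bit values and the nofile_check_* and placements_agree names are assumptions made for this model.

```c
/* Added illustration: user-space model of the !file branch only.
 * Bit values and function names are assumptions, not taken from ima.h. */
#include <errno.h>
#include <stdio.h>

#define IMA_APPRAISE_ENFORCE 0x01u
#define IMA_APPRAISE_MODULES 0x04u

/* Placement as posted: #ifndef wraps only the return statement. */
static int nofile_check_posted(unsigned int ima_appraise)
{
	if ((ima_appraise & IMA_APPRAISE_MODULES) &&
	    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
#ifndef CONFIG_MODULE_SIG_FORCE
		return -EACCES;	/* INTEGRITY_UNKNOWN */
#endif
	}
	return 0;
}

/* Placement as suggested in the reply: #ifndef wraps the whole if. */
static int nofile_check_suggested(unsigned int ima_appraise)
{
#ifndef CONFIG_MODULE_SIG_FORCE
	if ((ima_appraise & IMA_APPRAISE_MODULES) &&
	    (ima_appraise & IMA_APPRAISE_ENFORCE))
		return -EACCES;	/* INTEGRITY_UNKNOWN */
#else
	(void)ima_appraise;	/* module signature checking decides instead */
#endif
	return 0;
}

/* Returns 1 if both placements agree for every value of the low flag bits. */
static int placements_agree(void)
{
	unsigned int v;
	for (v = 0; v <= (IMA_APPRAISE_ENFORCE | IMA_APPRAISE_MODULES); v++)
		if (nofile_check_posted(v) != nofile_check_suggested(v))
			return 0;
	return 1;
}

int main(void)
{
	printf("agree=%d both_bits=%d\n", placements_agree(),
	       nofile_check_suggested(IMA_APPRAISE_MODULES | IMA_APPRAISE_ENFORCE));
	return 0;
}
```

Building with -DCONFIG_MODULE_SIG_FORCE makes both functions return 0 for every input, which is the "module signature checking overrides everything" case described earlier in the thread.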
* Re: [GIT] Security subsystem updates for 3.9
From: Mimi Zohar @ 2013-02-21 19:03 UTC
To: Linus Torvalds; +Cc: James Morris, Linux Kernel Mailing List, LSM List
On Thu, 2013-02-21 at 10:21 -0800, Linus Torvalds wrote:
> On Thu, Feb 21, 2013 at 10:06 AM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> >
> > Almost, and enforcing file integrity is enabled. The merged result
> > should look like what's contained in
> > linux-integrity/next-upstreamed-patches:
> >
> > int ima_module_check(struct file *file)
> > {
> > 	if (!file) {
> > 		if ((ima_appraise & IMA_APPRAISE_MODULES) &&
> > 		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
> > #ifndef CONFIG_MODULE_SIG_FORCE
> > 			return -EACCES;	/* INTEGRITY_UNKNOWN */
> > #endif
> > 		}
> > 		return 0;
>
> Ugh. The placement of that #ifndef is just horrible, please don't do
> that. Just add it around the whole if-statement rather than around
> just the return. Not because the compiler can't optimize away the
> tests, but because it's much more obvious to a *human* what the ifndef
> actually does.
Having the 'ifndef' is ugly. Thanks for the suggestion on making it
less ugly.
> Anyway, I don't have the IMA_APPRAISE_ENFORCE bit checking, it wasn't
> obvious from the conflict, so somebody will need to add that.
Commit "750943a ima: remove enforce checking duplication" moved the test
to process_measurement().
Because commit "a7f2a36 ima: fallback to MODULE_SIG_ENFORCE for existing
kernel module syscall" never went into linux-security/next, subsequent
patches resulted in this merge conflict.
I'll post an additional patch.
thanks,
Mimi