* [GIT] Security subsystem updates for 3.9
From: James Morris @ 2013-02-21 14:03 UTC
To: Linus Torvalds; +Cc: linux-kernel, linux-security-module

This is basically a maintenance update for the TPM driver and EVM/IMA.

Please pull.

The following changes since commit 19f949f52599ba7c3f67a5897ac6be14bfcb1200:
  Linus Torvalds (1):
        Linux 3.8

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next

Andy Shevchenko (1):
      mpilib: use DIV_ROUND_UP and remove unused macros

Dmitry Kasatkin (14):
      evm: remove unused cleanup functions
      ima: set appraise status in fix mode only when xattr is fixed
      ima: remove enforce checking duplication
      ima: remove security.ima hexdump
      integrity: reduce storage size for ima_status and evm_status
      ima: move full pathname resolution to separate function
      ima: forbid write access to files with digital signatures
      ima: added policy support for 'security.ima' type
      digsig: remove unnecessary memory allocation and copying
      evm: add file system uuid to EVM hmac
      ima: add policy support for file system uuid
      ima: use new crypto_shash API instead of old crypto_hash
      ima: rename hash calculation functions
      ima: digital signature verification using asymmetric keys

James Morris (1):
      Merge tag 'v3.8-rc2' into next

Jason Gunthorpe (4):
      TPM: Issue TPM_STARTUP at driver load if the TPM has not been started
      TPM: Switch to __packed instead of __attribute__((packed))
      TPM: Work around buggy TPMs that block during continue self test
      TPM: Wait for TPM_ACCESS tpmRegValidSts to go high at startup

Kent Yoder (8):
      tpm: add documentation for sysfs interfaces
      tpm: rename vendor data to priv and provide an accessor
      tpm: STM i2c driver fixes
      tpm: rename STM driver to match other i2c drivers
      tpm_i2c_stm_st33: fix oops when i2c client is unavailable
      tpm_i2c_stm_st33: removed unused variables/code
      tpm_tis: check pnp_acpi_device return code
      tpm/ibmvtpm: build only when IBM pseries is configured

Mathias Leblanc (2):
      TPM: STMicroelectronics ST33 I2C KERNEL 3.x
      TPM: STMicroelectronics ST33 I2C BUILD STUFF

Mimi Zohar (5):
      ima: re-initialize IMA policy LSM info
      ima: rename FILE_MMAP to MMAP_CHECK
      ima: increase iint flag size
      ima: per hook cache integrity appraisal status
      ima: differentiate appraise status only for hook specific rules

Peter Huewe (8):
      char/tpm: Remove duplicated lookup table
      char/tpm: simplify duration calculation and eliminate smatch warning.
      char/tpm: Use true and false for bools
      char/tpm: Use struct dev_pm_ops for power management
      char/tpm/tpm_i2c_stm_st33: Don't use memcpy for one byte assignment
      char/tpm/tpm_i2c_stm_st33: Remove __devexit attribute
      char/tpm/tpm_i2c_stm_st33: remove dead assignment in tpm_st33_i2c_probe
      char/tpm/tpm_i2c_stm_st33: drop temporary variable for return value

Stefan Berger (3):
      tpm: Store TPM vendor ID
      tpm: Fix cancellation of TPM commands (polling mode)
      tpm: Fix cancellation of TPM commands (interrupt mode)

Documentation/ABI/stable/sysfs-class-tpm | 185 +++++++
Documentation/ABI/testing/ima_policy | 10 +-
drivers/char/tpm/Kconfig | 12 +-
drivers/char/tpm/Makefile | 1 +
drivers/char/tpm/tpm.c | 114 ++--
drivers/char/tpm/tpm.h | 52 +-
drivers/char/tpm/tpm_acpi.c | 8 +-
drivers/char/tpm/tpm_atmel.c | 7 +-
drivers/char/tpm/tpm_i2c_infineon.c | 7 +-
drivers/char/tpm/tpm_i2c_stm_st33.c | 887 ++++++++++++++++++++++++++++++
drivers/char/tpm/tpm_i2c_stm_st33.h | 61 ++
drivers/char/tpm/tpm_ibmvtpm.c | 15 +-
drivers/char/tpm/tpm_nsc.c | 7 +-
drivers/char/tpm/tpm_tis.c | 64 ++-
lib/digsig.c | 41 +-
lib/mpi/mpi-internal.h | 4 -
lib/mpi/mpicoder.c | 8 +-
security/integrity/Kconfig | 12 +
security/integrity/Makefile | 1 +
security/integrity/digsig.c | 11 +-
security/integrity/digsig_asymmetric.c | 115 ++++
security/integrity/evm/Kconfig | 13 +
security/integrity/evm/evm.h | 2 +-
security/integrity/evm/evm_crypto.c | 3 +
security/integrity/evm/evm_main.c | 10 +-
security/integrity/evm/evm_secfs.c | 6 -
security/integrity/iint.c | 10 +-
security/integrity/ima/ima.h | 21 +-
security/integrity/ima/ima_api.c | 27 +-
security/integrity/ima/ima_appraise.c | 92 +++-
security/integrity/ima/ima_crypto.c | 81 ++-
security/integrity/ima/ima_init.c | 3 +
security/integrity/ima/ima_main.c | 133 ++---
security/integrity/ima/ima_policy.c | 138 ++++-
security/integrity/integrity.h | 62 ++-
35 files changed, 1914 insertions(+), 309 deletions(-)
create mode 100644 Documentation/ABI/stable/sysfs-class-tpm
create mode 100644 drivers/char/tpm/tpm_i2c_stm_st33.c
create mode 100644 drivers/char/tpm/tpm_i2c_stm_st33.h
create mode 100644 security/integrity/digsig_asymmetric.c

* Re: [GIT] Security subsystem updates for 3.9
From: Linus Torvalds @ 2013-02-21 16:26 UTC
To: James Morris, Mimi Zohar; +Cc: Linux Kernel Mailing List, LSM List

On Thu, Feb 21, 2013 at 6:03 AM, James Morris <jmorris@namei.org> wrote:
> This is basically a maintenance update for the TPM driver and EVM/IMA.

Hmm. There were conflicts in lib/digsig.c and ima_main.c. The digsig
one was pretty trivial, but I'd like people to take a look at the IMA
one.

And that's not because the conflict itself was all that complex - I'm
pretty sure I resolved it correctly. But I do want to make sure that
everybody agrees on the whole module integrity checking thing. I
resolved it to be like the semantics in Mimi's commit a7f2a366f623,
which means that for non-file modules, IMA does:

 Only fail the non-file module if
  (a) IMA_APPRAISE_MODULES was set
 *and*
  (b) CONFIG_MODULE_SIG_FORCE is not set.

If CONFIG_MODULE_SIG_FORCE it ignores IMA_APPRAISE_MODULES entirely,
and the module signature checking overrides everything. And if
IMA_APPRAISE_MODULES is not set, we say "whatever". So it makes sense,
but I wanted people to just be aware of it and agree on it, since the
security tree modified this part without apparently being aware of the
changed semantics.

                Linus

* Re: [GIT] Security subsystem updates for 3.9
From: Mimi Zohar @ 2013-02-21 18:06 UTC
To: Linus Torvalds; +Cc: James Morris, Linux Kernel Mailing List, LSM List

On Thu, 2013-02-21 at 08:26 -0800, Linus Torvalds wrote:
> On Thu, Feb 21, 2013 at 6:03 AM, James Morris <jmorris@namei.org> wrote:
> > This is basically a maintenance update for the TPM driver and EVM/IMA.
>
> Hmm. There were conflicts in lib/digsig.c and ima_main.c. The digsig
> one was pretty trivial, but I'd like people to take a look at the IMA
> one.
>
> And that's not because the conflict itself was all that complex - I'm
> pretty sure I resolved it correctly. But I do want to make sure that
> everybody agrees on the whole module integrity checking thing. I
> resolved it to be like the semantics in Mimi's commit a7f2a366f623,
> which means that for non-file modules, IMA does:
>
> Only fail the non-file module if
> (a) IMA_APPRAISE_MODULES was set

Almost, and enforcing file integrity is enabled. The merged result
should look like what's contained in
linux-integrity/next-upstreamed-patches:

int ima_module_check(struct file *file)
{
        if (!file) {
                if ((ima_appraise & IMA_APPRAISE_MODULES) &&
                    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
#ifndef CONFIG_MODULE_SIG_FORCE
                        return -EACCES; /* INTEGRITY_UNKNOWN */
#endif
                }
                return 0;
        }
        return process_measurement(file, file->f_dentry->d_name.name,
                                   MAY_EXEC, MODULE_CHECK);
}

thanks,

Mimi

> *and*
> (b) CONFIG_MODULE_SIG_FORCE is not set.
> If CONFIG_MODULE_SIG_FORCE it ignores IMA_APPRAISE_MODULES entirely,
> and the module signature checking overrides everything. And if
> IMA_APPRAISE_MODULES is not set, we say "whatever". So it makes sense,
> but I wanted people to just be aware of it and agree on it, since the
> security tree modified this part without apparently being aware of the
> changed semantics.

* Re: [GIT] Security subsystem updates for 3.9
From: Linus Torvalds @ 2013-02-21 18:21 UTC
To: Mimi Zohar; +Cc: James Morris, Linux Kernel Mailing List, LSM List

On Thu, Feb 21, 2013 at 10:06 AM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>
> Almost, and enforcing file integrity is enabled. The merged result
> should look like what's contained in
> linux-integrity/next-upstreamed-patches:
>
> int ima_module_check(struct file *file)
> {
>         if (!file) {
>                 if ((ima_appraise & IMA_APPRAISE_MODULES) &&
>                     (ima_appraise & IMA_APPRAISE_ENFORCE)) {
> #ifndef CONFIG_MODULE_SIG_FORCE
>                         return -EACCES; /* INTEGRITY_UNKNOWN */
> #endif
>                 }
>                 return 0;

Ugh. The placement of that #ifndef is just horrible, please don't do
that. Just add it around the whole if-statement rather than around
just the return. Not because the compiler can't optimize away the
tests, but because it's much more obvious to a *human* what the ifndef
actually does.

Anyway, I don't have the IMA_APPRAISE_ENFORCE bit checking, it wasn't
obvious from the conflict, so somebody will need to add that.

                Linus

* Re: [GIT] Security subsystem updates for 3.9
From: Mimi Zohar @ 2013-02-21 19:03 UTC
To: Linus Torvalds; +Cc: James Morris, Linux Kernel Mailing List, LSM List

On Thu, 2013-02-21 at 10:21 -0800, Linus Torvalds wrote:
> On Thu, Feb 21, 2013 at 10:06 AM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> >
> > Almost, and enforcing file integrity is enabled. The merged result
> > should look like what's contained in
> > linux-integrity/next-upstreamed-patches:
> >
> > int ima_module_check(struct file *file)
> > {
> >         if (!file) {
> >                 if ((ima_appraise & IMA_APPRAISE_MODULES) &&
> >                     (ima_appraise & IMA_APPRAISE_ENFORCE)) {
> > #ifndef CONFIG_MODULE_SIG_FORCE
> >                         return -EACCES; /* INTEGRITY_UNKNOWN */
> > #endif
> >                 }
> >                 return 0;
>
> Ugh. The placement of that #ifndef is just horrible, please don't do
> that. Just add it around the whole if-statement rather than around
> just the return. Not because the compiler can't optimize away the
> tests, but because it's much more obvious to a *human* what the ifndef
> actually does.

Having the 'ifndef' is ugly. Thanks for the suggestion on making it
less ugly.

> Anyway, I don't have the IMA_APPRAISE_ENFORCE bit checking, it wasn't
> obvious from the conflict, so somebody will need to add that.

Commit "750943a ima: remove enforce checking duplication" moved the test
to process_measurement(). Because commit "a7f2a36 ima: fallback to
MODULE_SIG_ENFORCE for existing kernel module syscall" never went into
linux-security/next, subsequent patches resulted in this merge conflict.
I'll post an additional patch.

thanks,

Mimi
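
Added example, not part of the thread and not kernel code: a userspace C model of the non-file (!file) branch of ima_module_check(), comparing the semantics described for the merge resolution with the variant that also requires IMA_APPRAISE_ENFORCE. The bit values, the function names and the run-time sig_force parameter standing in for CONFIG_MODULE_SIG_FORCE are assumptions of this model.

```c
/* Userspace model of the !file branch of ima_module_check() from the thread.
 * Assumptions: bit values are illustrative, and sig_force is a run-time
 * stand-in for the compile-time option CONFIG_MODULE_SIG_FORCE. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define IMA_APPRAISE_ENFORCE 0x01 /* illustrative value */
#define IMA_APPRAISE_MODULES 0x04 /* illustrative value */

/* Semantics described for the merge resolution: no ENFORCE test. */
static int check_as_merged(int ima_appraise, bool sig_force)
{
	if (sig_force)          /* models #ifdef CONFIG_MODULE_SIG_FORCE */
		return 0;       /* module signature checking decides */
	if (ima_appraise & IMA_APPRAISE_MODULES)
		return -EACCES; /* INTEGRITY_UNKNOWN */
	return 0;
}

/* Semantics of the posted function: ENFORCE is also required, with the
 * config test placed around the whole if-statement. */
static int check_with_enforce(int ima_appraise, bool sig_force)
{
	if (!sig_force) {       /* models #ifndef CONFIG_MODULE_SIG_FORCE */
		if ((ima_appraise & IMA_APPRAISE_MODULES) &&
		    (ima_appraise & IMA_APPRAISE_ENFORCE))
			return -EACCES;
	}
	return 0;
}

/* Print the decision table; return how many rows the two variants disagree on. */
static int count_differences(void)
{
	const int flags[] = { 0, IMA_APPRAISE_ENFORCE, IMA_APPRAISE_MODULES,
			      IMA_APPRAISE_ENFORCE | IMA_APPRAISE_MODULES };
	int diff = 0;

	for (int f = 0; f < 4; f++)
		for (int sf = 0; sf <= 1; sf++) {
			int a = check_as_merged(flags[f], sf);
			int b = check_with_enforce(flags[f], sf);
			printf("appraise=0x%02x sig_force=%d merged=%d enforce=%d\n",
			       flags[f], sf, a, b);
			diff += (a != b);
		}
	return diff;
}

int main(void) { return count_differences() == 1 ? 0 : 1; }
```

The two variants disagree on exactly one row: IMA_APPRAISE_MODULES set, IMA_APPRAISE_ENFORCE clear, and module signature forcing off.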